CN114912104A - Safety protection method and device based on container host machine and electronic equipment


Info

Publication number: CN114912104A
Application number: CN202110178890.5A
Authority: CN (China)
Prior art keywords: container, host, target account, host machine, target
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 陈钦波, 刘涛, 袁丽娜, 王超
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • G06F 2009/45587 Isolation or security of virtual machine instances

Abstract

The disclosure provides a security protection method and device based on a container host machine, and an electronic device, and relates to the technical field of security. The method comprises the following steps: determining that a target account has at least one of the right to use a target container and the right to log in to a host, the container being stored in the host; in response to the target account logging in to the host, monitoring the execution commands of the target account in the host; determining from the monitoring result whether the target account is used for switching into a container in the host; and, in response to the target account not being used for switching into a container in the host, logging the target account out of the host. In this scheme, permission confirmation provides a first guarantee for the security of the host, and management of the login state of the account that has logged in to the host provides another. The host can therefore be protected to a certain extent from intrusion or attack by a maliciously logged-in account, and its security is effectively improved.

Description

Safety protection method and device based on container host machine and electronic equipment
Technical Field
The present disclosure relates to the field of security technologies, and in particular, to a security protection method based on a container host, a security protection apparatus based on a container host, and an electronic device implementing the method.
Background
Container technology can effectively divide the resources of a single operating system into isolated groups, so as to better balance conflicting resource demands among those groups and thereby greatly improve working efficiency. A convenient way of logging in to a container is also a goal that developers continuously pursue.
One container login scheme provided in the related art is to log in to the host through Secure Shell (SSH) and then use a container command to switch into a container on the host. In this scheme, if a user can log in to the host through SSH but does not switch into a container, the user may obtain greater rights on the host through a host vulnerability and further damage the host.
Therefore, for the container login scheme provided by the related art, the security of the host concerned urgently needs to be improved.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure is directed to a container host-based security protection method, a container host-based security protection apparatus, an electronic device, and a computer-readable storage medium, so as to improve the security of a container host to a certain extent.
According to one aspect of the present disclosure, there is provided a container host-based security protection method, including: determining that a target account has at least one of permission to use a target container and permission to log in to a host machine, the container being stored on the host machine; in response to the target account logging in to the host machine, monitoring the execution commands of the target account on the host machine; determining from the monitoring result whether the target account is used for switching into a container in the host machine; and, in response to the target account not being used for switching into a container in the host machine, logging the target account out of the host machine.
According to an aspect of the present disclosure, there is provided a container host-based security protection apparatus, the apparatus comprising: a permission determination module, a monitoring module, a switch-in determination module and an exit module.
The permission determination module is configured to determine that a target account has at least one of permission to use a target container and permission to log in to a host machine, the container being stored on the host machine; the monitoring module is configured to monitor, in response to the target account logging in to the host machine, the execution commands of the target account on the host machine; the switch-in determination module is configured to determine from the monitoring result whether the target account is used for switching into a container in the host machine; and the exit module is configured to log the target account out of the host machine in response to the target account not being used for switching into a container in the host machine.
In an exemplary embodiment, based on the foregoing scheme, the switch-in determination module is specifically configured to determine that the target account is not used for switching into a container in the host if the monitoring result is that no execution command from the target account is received within a first preset time after the target account logs in to the host.
In an exemplary embodiment, based on the foregoing scheme, the apparatus further includes a checking module.
The checking module is configured to: if the monitoring result is that an execution command from the target account is received within the first preset time after the target account logs in to the host, check the legality of the execution command; if the execution command is legal, determine that the target account is used for switching into a container in the host machine; or, if the execution command is illegal, determine that the target account is not used for switching into a container in the host machine.
In an exemplary embodiment, based on the foregoing scheme, the monitoring module is specifically configured to: in response to the target account logging in to the host machine through a shell program, monitor the execution commands of the target account on the host machine by acquiring the parameters of the shell program.
In an exemplary embodiment, based on the foregoing scheme, the switch-in determination module is specifically configured to: acquire the parameters of the shell program within a second preset time after the target account logs in to the host; and, in response to the parameters of the shell program acquired within the second preset time being empty, determine that the target account is not used for switching into a container in the host.
In an exemplary embodiment, based on the foregoing scheme, the checking module is further configured to: in response to the parameters of the shell program acquired within the second preset time not being empty, check the legality of those parameters; if the parameters of the shell program are legal, determine that the target account is used for switching into a container in the host machine; or, if the parameters of the shell program are illegal, determine that the target account is not used for switching into a container in the host machine.
In an exemplary embodiment, based on the foregoing scheme, the apparatus further includes a login module.
The login module is configured to: acquire the identifier of the target container that the target account is to log in to; determine the address information of the host machine corresponding to the target container according to the identifier of the target container; and log the target account in to the host according to the address information of the host.
In an exemplary embodiment, based on the foregoing scheme, the apparatus further includes a recording module.
The recording module is configured to record, after the target account has been logged out of the host machine, the logged-out target account, so that accounts that illegally logged in to the host machine are on record.
According to an aspect of the present disclosure, there is provided a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the container host-based security protection method according to any of the embodiments of the first aspect.
According to an aspect of the present disclosure, there is provided an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the container host-based security protection method of any embodiment of the first aspect via execution of the executable instructions.
According to an aspect of the present disclosure, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and executes the computer instructions, so that the computer device executes the container host-based security protection method provided in the above embodiments.
Exemplary embodiments of the present disclosure may have some or all of the following benefits:
In the resource allocation scheme provided by an example embodiment of the present disclosure, before a target account logs in to a host it is determined whether the target account has the right to use a target container and/or the right to log in to the host storing the target container; if it has neither right, the target account is not allowed to log in to the host. This provides a first guarantee for the security of the host. After the target account has been determined to have at least one of the two rights, it is allowed to log in to the host, and after it logs in, its further execution commands are monitored to judge whether the target account is used for switching into a container in the host. If the target account is not used for switching into a container in the host, which indicates that the account may pose a threat to the security of the host, the target account is forcibly logged out of the host. If the target account is used for switching into a container in the host, it does not threaten the security of the host and is allowed to stay logged in. In this scheme, the security of the host is guaranteed in two ways at once: permission confirmation, and close monitoring of the account that has logged in to the host together with management of its login state. The host can thus be effectively protected from intrusion, attack or damage by a maliciously logged-in account, and its security is effectively improved. At the same time, an account that has logged in to the host normally to use a container is not interfered with, so normal use of the container is ensured.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 shows a schematic diagram of a system architecture of an exemplary application environment to which a container host-based security protection scheme of an embodiment of the present disclosure may be applied.
Fig. 2 schematically illustrates a flow diagram of a container host-based security protection method according to an embodiment of the present disclosure.
Fig. 3 schematically shows a flow diagram of a container host based security protection method according to another embodiment of the present disclosure.
Fig. 4 is a flowchart illustrating a method for logging in a host based on an account in an exemplary embodiment of the disclosure.
Fig. 5 schematically shows a flow diagram of a container host based security protection method according to yet another embodiment of the present disclosure.
Fig. 6 shows a flow diagram of a method for container host based security protection in yet another exemplary embodiment of the present disclosure.
Fig. 7 is a flowchart illustrating a rights application method in an exemplary embodiment of the disclosure.
Fig. 8 shows a schematic structural diagram of a container host-based security protection device to which another embodiment of the present disclosure may be applied.
Fig. 9 illustrates a schematic structural diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
Cloud technology refers to hosting technology that unifies a series of resources such as hardware, software and network in a wide area network or local area network in order to realize the calculation, storage, processing and sharing of data.
Cloud technology is a general term for the network technology, information technology, integration technology, management platform technology, application technology and the like applied in the cloud computing business model; it can form a resource pool that is used on demand and is flexible and convenient. Cloud computing technology will become an important support. The background services of technical network systems, such as video websites, picture websites and other portal websites, require a large amount of computing and storage resources. With the rapid development and application of the internet industry, each item may have its own identification mark and need to be transmitted to a background system for logic processing; data at different levels are processed separately, and all kinds of industry data need strong system background support, which can only be realized through cloud computing.
Cloud security is a general term for the security software, hardware, users, organizations and secure cloud platforms for cloud-based business model applications. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and judgment of unknown virus behaviour: anomalies in software behaviour in the network are detected through a large number of meshed clients, the latest information on trojans and malicious programs on the internet is obtained and sent to the server for automatic analysis and processing, and the resulting virus and trojan solution is then distributed to each client.
The main research directions of cloud security include: 1. cloud computing security, which mainly studies how to guarantee the security of the cloud and the various applications on it, including the security of the cloud computer system, the secure storage and isolation of user data, user access authentication, information transmission security, protection against network attacks, compliance audit and the like; 2. the cloud computing of security infrastructure, which mainly studies how to build and integrate security infrastructure resources with cloud computing and optimize security protection mechanisms, including building a very-large-scale security event and information acquisition and processing platform with cloud computing technology, realizing the acquisition and correlation analysis of mass information, and improving the handling and risk control capability for security events across the whole network; 3. cloud security services, which mainly study the various security services, such as anti-virus services, provided to users on a cloud computing platform.
Fig. 1 is a schematic diagram illustrating a system architecture of an exemplary application environment to which a container host-based security protection scheme of an embodiment of the present disclosure may be applied.
As shown in fig. 1, the system architecture 100 may include a terminal 110, a network 120, a container's host 130, and a management back-office 140. The terminal 110, the host 130, and the management background 140 are connected to each other through the network 120.
The terminal 110 may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like. Network 120 may be any type of communication medium capable of providing a communication link between the terminal 110 and the host 130, such as a wired link, a wireless link or a fiber optic cable, without limitation. The host 130 and the management background 140 may be independent physical servers, a server cluster or distributed system formed by a plurality of physical servers, or cloud servers providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, and big data and artificial intelligence platforms.
In order to avoid the complicated steps required to switch into a container in the host after the user has logged in to the host, the two steps of host login and container switch-in can be packaged together, so that anyone logging in to a container only needs to know the container id or the container name.
For example, if the packaged container login tool is go_docker, the way a user logs in to the host with go_docker and uses the container is shown in Table 1:
TABLE 1
[Table 1 is an image in the original (figure reference BDA0002940892170000071); it lists the go_docker login commands with the "-i" and "-n" options described below.]
Here "-i" specifies a container id and "-n" specifies a container name. In this embodiment, the container id is "30f2f4e3c2bfa6600b2a026f8e842463e5b81a2de651b071ea7c782d316fc92d" and the container name is "01vector-tuji".
Referring to Fig. 2, in step S21 a container is logged in to through go_docker: the user enters account information and the name or id of the container to be logged in to at the terminal 220. The user does not need to know which host ip the container is on; the host ip for the container name or container id is obtained from the Docker management background 210 (step S22 queries the host ip of the container to be logged in to). Then, with that host ip, step S23 is executed: SSH login to the host 230, where the user logs in to the relevant host with the account information; and step S24 switches into the container 240 on the host.
In an exemplary embodiment, the container login tool above logs in to the host by initiating SSH, and the corresponding implementation is as follows:
$ ssh 1.2.3.4 -t 'sudo docker exec -it 30f2f4e3c2bfa /bin/bash'
Here "1.2.3.4" is the host IP found from the container id or container name; after logging in to the host, the docker command "sudo docker exec" is executed to switch into the container with id "30f2f4e3c2bfa" (the prefix of the full container id given above).
The container host-based security protection method provided in the embodiment of the present disclosure may be executed by the host 130; the present disclosure does not particularly limit this. For example, in response to the target account logging in to the host, the host 130 monitors the execution commands of the target account and determines from the monitoring result whether the target account is to switch into a container in the host. Then, in response to the target account not being used for switching into a container in the host, the target account is forced to log out of the host.
Conversely, in response to the target account switching into a container in the host, the login state of the target account on the host is maintained, so that normal use of the container is ensured.
Next, embodiments of the container host based security protection method will be described. Fig. 3 is a flow chart of a container host-based security protection method in another exemplary embodiment of the present disclosure. Referring to fig. 3, the method includes:
step S310, determining that the target account has at least one of the right to use a target container and the right to log in to a host, the container being stored in the host;
step S320, in response to the target account logging in to the host, monitoring the execution commands of the target account on the host;
step S330, judging from the monitoring result whether the target account is used for switching into a container in the host;
step S340, in response to the target account not being used for switching into a container in the host, logging the target account out of the host; and
step S350, in response to the target account being used for switching into a container in the host, keeping the target account logged in on the host.
In the resource configuration scheme provided in the embodiment shown in Fig. 3, permission confirmation provides a first guarantee for the security of the host, and close monitoring of the account that has logged in to the host together with management of its login state provides another. The host can therefore be effectively protected from intrusion, attack or damage by a maliciously logged-in account, and its security is effectively improved. At the same time, an account that has logged in to the host normally to use a container is not interfered with, so normal use of the container is ensured.
The following describes in detail the specific implementation of the steps in the example shown in fig. 3:
It should be noted that if the target account has the right to use any container on the related host, it has the right to log in to that host. Since the target container is in the host, if the target account has the right to use the target container, it also has the right to log in to the host. When the target account has the right to log in to the related host, it can log in to the host through SSH and execute a docker command (e.g. sudo docker exec) to switch into a container in the host.
In an exemplary embodiment, the rights of the target account may be determined in step S310 from prior information. Specifically, whether the target account has the right to use the target container is determined from a permission relation table between accounts and the containers they may log in to, and whether the target account has the right to log in to the host is determined from a permission relation table between accounts and the hosts they may log in to.
In an exemplary embodiment, another specific implementation manner of determining whether the target account has the right to use the target container is as follows:
Referring to Fig. 1 and Fig. 2, the management background 140 (e.g. the Docker management background 210) stores an association table of accounts and the containers they have rights to. For example, developer a has rights to container X and developer b has rights to container Y. When the Docker management background queries the ip address of the host corresponding to the container to be logged in to, it also judges whether the target account has rights to the target container. For example, developer a enters account information and the name or id of the container to be logged in to at the terminal; the Docker management background queries the association table to determine whether that account information is associated with the container; if so, the account information has the related rights and developer a can log in to the target container with it.
In an exemplary embodiment, a specific implementation manner of determining whether the target account has the authority to log in the host is as follows:
whether the target account number has the authority of logging in the host computer is determined by managing the user authority of a Lightweight Directory Access Protocol (ldap) of the host computer. Specifically, if the target account does not have any authority to log in the host, the Docker management background issues the following information to the host through openldap: if the account has no authority information for logging in the host, the target account cannot be SSH logged in the host. If the target account has the right of logging in the host, the Docker management background issues the following information to the host through openldap: and if the account number has the authority information for logging in the host, the target account number can be SSH to log in the host.
In an exemplary embodiment, the local account authority of the host may also be managed by using an independent operation and maintenance system, so that whether the target account has the authority to log in the host is determined by the operation and maintenance system. And when the target account does not have the right of logging in the host, responding to the application of the login right, and directly issuing a shell command through the operation and maintenance system to add the account to the host, thereby realizing the login of the related account in the host.
It should be noted that, the specific implementation manners of determining whether the target account has the usage right of the target container or determining whether the target account has the login right of the host are not limited to the above, and may also be other manners in the technical field.
In an exemplary embodiment, if the target account has neither the right to use the target container nor the right to log in to the host, the target account is refused login to the host. This provides a first guarantee of host security.
In an exemplary embodiment, in the case that the target account has the login right of the host, the target account can successfully log in the host. Fig. 4 is a flowchart illustrating a method for logging in a host to an account in an exemplary embodiment of the present disclosure. Referring to fig. 4, the method includes steps S410 to S430.
In step S410, the identifier of the target container to be logged in by the target account is acquired; in step S420, the address information of the host corresponding to the target container is determined according to the identifier of the target container.
As in the foregoing embodiment, referring to fig. 2, a user may fill in account information and the name or id of the container to be logged in through the terminal 220, and the Docker management background 210 then returns the host ip for that container name or container id.
Continuing with fig. 4, when the target account has at least one of the permission to use the target container and the permission to log in to the host, step S430 is executed to log the target account in to the host according to the address information of the host.
It can be seen from the above embodiments that if a hacker applies for a container right on the host, he thereby obtains the right to log in to the host. Referring specifically to fig. 2, an SSH login to the host 230 followed by switching into the container 240 corresponds to step S24; if instead the related container is not logged in through the go_docker container login tool, step S24' follows the SSH login to the host: privilege escalation or intrusion of the host. In this case, the hacker may try to escalate privileges on the host, possibly exploiting a host vulnerability to obtain greater rights, and then carry out further intrusion and damage, threatening the security of the host.
To solve the above technical problem, the present technical solution performs step S320: responding to the target account to log in the host machine, and monitoring an execution command of the target account on the host machine; and step S330, judging whether the target account is used for switching into the container in the host machine or not according to the monitoring result.
Illustratively, after determining that the target account has the container usage right on the host, the container management background issues the rights information to the host through a scheme such as openldap. Furthermore, on the host, the container account login can be identified and marked, and the configuration of the user's shell program (Bourne Again Shell, bash for short) is modified. The shell program is used for interaction between the user and the operating system; it is so named to distinguish it from the kernel, and is essentially a command interpreter. Shell programs come in several types (besides bash, there are the Bourne Shell (sh), Korn Shell (ksh), and C Shell (csh)). The technical scheme targets "Linux containers", and the shell program corresponding to the Linux system is bash. Therefore, in order to monitor the commands executed by the target account after logging in to the host, the technical scheme adapts the existing bash, and then monitors and judges the command parameters by detecting the use of bash on SSH login. If it is detected that the target account is not logging in to a container, the bash is ended and the SSH login is thereby terminated, so that the host is prevented from being maliciously stayed on.
Specifically, for a container user, after applying for the container usage right, the user's account has the login right of the relevant host. Referring to table 2 again, each account having the authority to log in to the Linux system (the host is a Linux system) has a bash field, where "/bin/bash" indicates the shell program that is run after the user logs in to the Linux system through that account.
TABLE 2 (account entries with the shell field; image not reproduced in text)
For example, the account of qinbochen is queried with: # getent passwd | grep qinbochen. After logging in to the host through this account, the shell program information corresponding to the account can be seen as follows: qinbochen:x:12345:100:/bin/eash:/data/home/qinbochen:/bin/bash.
For example, for the account qinbochen, the last field "/bin/bash" of the corresponding shell program information may be modified to "/bin/docker_bash", so as to enhance monitoring and judgment of the command parameters when bash is used. The modified shell program information of the account qinbochen is as follows: qinbochen:x:2345:100:/bin/ear:/data/home/qinbochen:/bin/docker_bash.
Further, in this embodiment, the commands executed by the target account after logging in to the host are monitored by acquiring the bash command parameters with which "/bin/docker_bash" is executed.
Continuing with fig. 3, in step S340, in response to the target account not being used for switching into a container in the host, the target account is logged out of the host.
In an exemplary embodiment, referring to fig. 5, in step S510, after the target account logs in to the host, it is determined whether an execution command from the target account is received within a first preset time period. In response to not receiving an execution command from the target account, step S520 is executed to determine that the target account is not used for switching into a container in the host. In response to receiving an execution command from the target account, step S530 is performed to check the validity of the execution command. Further, if the execution command is illegal, step S520 is executed to determine that the target account is not used for switching into a container in the host. If the execution command is legal, step S540 is executed to determine that the target account is used for switching into a container in the host.
The first preset time period is a short time period (for example, may be set to 5 milliseconds) set according to actual needs, and this time period is not limited in the present technical solution.
Illustratively, the validity check method for the execution command from the target account received within the first preset time after logging in the host machine is as follows: and judging whether the instruction is legal or not by checking whether the execution instruction is a preset instruction or not. The preset instruction is an instruction for switching into a container in the host. The specific instruction form of the technical scheme is not limited, and can be determined according to the actual instruction for switching into the container in the host machine. Specifically, if the instruction is different from the preset instruction, the instruction is determined to be illegal. Otherwise, if the instruction is the same as the preset instruction, the instruction is determined to be legal.
In another exemplary embodiment, the commands executed by the target account after logging in to the host are monitored by acquiring the bash command parameters with which "/bin/docker_bash" is executed. Specifically, the bash command execution parameters within a second preset time after the target account logs in to the host via SSH are obtained.
The second preset time period is a shorter time period (for example, may be set to 5 milliseconds) set according to actual needs, and this time period is not limited in the present technical solution.
In response to the parameters of the shell program acquired within the second preset time being null, which indicates that the user did not switch into a container after logging in to the host via SSH, the method may end the bash corresponding to the target account in order to prevent the account from maliciously staying on the host, thereby ending the SSH login of the target account on the host and forcing the target account to log out.
And responding to the fact that the parameters of the shell program acquired within the second preset time period are not empty, and then further checking the legality of the acquired parameters of the shell program. Illustratively, a determination is made as to whether the parameter passed to the bash is "sudo docker exec". If yes, the description parameter is legal, namely the user SSH switches in the container after logging in the host machine, the login state of the target account is kept, and the user is ensured to normally use the container.
If the parameters transmitted to the bash are illegal, the SSH login of the target account in the host machine can be ended by ending the bash corresponding to the target account, so that the target account is forced to quit the login, potential right-lifting attempts are prevented, and the function of protecting the host machine is achieved.
It should be noted that the first preset time period and the second preset time period are both parameters set according to actual needs. For example, the values of the first preset time and the second preset time may be zero, that is, if the command for the account to log in the host carries a command for switching into the container, the login state of the account is maintained, or if the command for the account to log in the host does not carry the command for switching into the container, the login of the account in the host is forcibly exited.
In an exemplary embodiment, the usage of the command may also be collected through "/bin/docker _ bash" and sent to the background for recording and statistics. Therefore, the background can count the login condition of the user using the container in the whole network, and the auditing effect is achieved.
In an exemplary embodiment, fig. 6 shows a flow diagram of a container host based security protection method in a further exemplary embodiment of the disclosure.
Referring to fig. 6, in step S61, the user initiates container usage, such as creating a container, destroying the container, rebuilding the container, etc., to the container management backend 620 through the terminal 610.
In step S62, the container management background 620 initiates the corresponding container operation on the host 640 according to the user's instruction. Specifically, the host ip of the container to be logged in may be looked up as in step S22, and the host is then logged in to via SSH according to that host ip.
In step S63, the container management background 620 initiates a notification to the rights management background 630, informing the rights management background 630 that the user has added rights to the container.
In step S64, the rights management backend 630 issues rights change information to the host 640 where the container is located, where the rights change information includes the login rights of the account to the host and the usage rights of the account to the container. The login authority of the host machine can ensure that the user can log in the host machine through SSH.
In an exemplary embodiment, for a user without a container usage right (e.g., a non-container person in charge, etc.), the related right may be obtained by applying for the container usage right. Specifically, referring to fig. 7, a flow chart of a method for applying for a permission in an exemplary embodiment of the present disclosure is shown, which includes:
In step S71, the user initiates a container rights application through the terminal 610. Illustratively, a user without container usage rights initiates the application, e.g., a person who is not the container owner. The container owner may be configured to hold the related container rights by default, without needing a rights application.
In step S72, the rights management background 630 identifies the user initiating the rights application, and generates an account after confirming that the application is reasonable. Further, the bash field of the account may be modified to the dedicated /bin/docker_bash path to enhance monitoring and judgment of the command parameters when bash is used, so as to judge whether the account switches into a container after logging in to the host via SSH.
In step S73, the rights management background 630 issues the account to the host 640. Illustratively, the local account may be added through an openldap scheme or a service operation platform, and it is ensured that the host 640 deploys the dedicated bash.
The reference commands for modifying or adding the account's bash through the service operation platform are as follows:
usermod -s /bin/docker_bash qinbochen (for an existing account, which must be modified).
useradd -s /bin/docker_bash qinbochen (for a nonexistent account, which must be added).
For example, it may be ensured by the operation and maintenance platform that all hosts have the/bin/docker _ bash program installed. Possible implementations of the program may refer to the code as shown in table 4.
And step S74, logging in the host by the user SSH according to the account.
Illustratively, a user may directly enter the container by means of the container login tool go_docker, and the corresponding implementation may be as shown in table 3:
TABLE 3 (go_docker container login tool usage; image not reproduced in text)
The password in table 3 is generally answered automatically by the go_docker tool and does not need manual input; alternatively, other valid credentials such as certificates or self-developed tickets may be verified. The container ID generally only needs its first few characters to be entered rather than the complete ID, and the background fuzzy-matches the complete container, which is convenient for the user. If the parameter passed to bash is verified to be legal by the method provided in this embodiment, the session stays in the bash of the container, so that the user can use the container normally.
By contrast, an illegal account may skip the container login tool go_docker and use SSH to log in to the host directly without switching into a container, either passing no parameter, intending to stay on the host, or passing other command parameters intended to escalate privileges on the host or damage it. In order to prevent such illegal users from compromising the security of the host, the validity of the parameter passed to bash is verified in the manner provided by the above embodiment, that is, step S75 is executed: the SSH connection to the host runs the dedicated /bin/docker_bash, which performs parameter detection.
In step S76, if the dedicated bash detects that the passed parameter does not switch into a container, that is, the parameter passed to bash is illegal, the bash process is ended directly, which ends the SSH login and forces the account to log out, so as to protect the security of the host. A reference code of the dedicated bash is shown in table 4:
TABLE 4 (reference code of the dedicated /bin/docker_bash; images not reproduced in text)
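The parameter check described for "/bin/docker_bash" (empty parameters or a parameter other than the preset "sudo docker exec" command end the bash and thus the SSH session; a legal parameter keeps the session and is audited) as an added example script; it is not the patent's Table 4 code. It assumes sshd invokes the login shell with "-c <command>" for "ssh host <command>" and with no arguments for an interactive login (so the preset time window is effectively zero, as the text allows), and that the audit record is an append-only local log file whose path is an assumption.

```shell
#!/bin/sh
# Added example of a dedicated login shell /bin/docker_bash (not the patent's code).
# Install per account with:  usermod -s /bin/docker_bash <account>
# Assumption: audit lines go to a local file; a real deployment would forward
# them to the audit background.
AUDIT_LOG="${DOCKER_BASH_AUDIT_LOG:-/var/log/docker_bash.log}"

# audit_record <verdict> <command>: one line per SSH login for the audit background.
audit_record() {
    printf '%s user=%s from=%s verdict=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" "${SSH_CLIENT:-local}" \
        "$1" "$2" >> "$AUDIT_LOG" 2>/dev/null || true
}

# is_container_switch <command>: returns 0 when the command is exactly the preset
# "sudo docker exec ..." container switch, 1 otherwise (illegal parameter).
is_container_switch() {
    cmd=$1
    # a null parameter means an interactive shell on the host: illegal
    [ -n "$cmd" ] || return 1
    # reject shell metacharacters and newlines, so that a command such as
    # "sudo docker exec ... ; bash" cannot chain a host shell after the
    # allowed prefix (a plain prefix check alone would accept it)
    nl=$(printf '\nx'); nl=${nl%x}
    case "$cmd" in
        *';'*|*'&'*|*'|'*|*'$'*|*'`'*|*'>'*|*'<'*|*'('*|*')'*|*"$nl"*) return 1 ;;
    esac
    # the preset instruction must be followed by at least a container id
    case "$cmd" in
        "sudo docker exec "?*) return 0 ;;
        *) return 1 ;;
    esac
}

# docker_bash_main: entry point when sshd runs this program as the login shell.
docker_bash_main() {
    if [ "$1" = "-c" ]; then
        remote_cmd=$2
    else
        remote_cmd=""      # interactive login: no parameter was passed
    fi
    if is_container_switch "$remote_cmd"; then
        audit_record allowed "$remote_cmd"
        # hand the session to the container; exec so docker_bash does not linger
        exec /bin/bash -c "$remote_cmd"
    fi
    audit_record rejected "${remote_cmd:-<interactive>}"
    echo "docker_bash: direct host login is not permitted, use go_docker" >&2
    exit 1   # ending the shell ends the SSH session
}

# Only act as the login shell when installed under that name ($0 is
# "-docker_bash" for a login shell); otherwise the functions are merely defined.
case "${0##*/}" in
    docker_bash|-docker_bash) docker_bash_main "$@" ;;
esac
```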
In an abnormal situation, if a user logs in to the host directly via SSH without using the encapsulated tool go_docker and does not switch into a container, the corresponding account is forcibly logged out. Illustratively, a page such as table 5 may be displayed at the terminal:
TABLE 5 (terminal output on forced logout; image not reproduced in text)
By this technical scheme, illegal users are prevented from bypassing the go_docker login tool, logging in to the host directly with the SSH tool and maliciously staying on the host without entering a container, and then attempting privilege escalation or carrying out damage and intrusion on the host, so that the security of the host is effectively guaranteed.
With continued reference to fig. 7, in step S77, abnormal login usage is sent to the audit background 710. For abnormal usage, the background notifies the relevant platform personnel. Since the bash is specially developed, it can, in addition to the detection logic, also report login and usage conditions to the audit background, which can then track illegal usage and discover abnormal situations.
Those skilled in the art will appreciate that all or part of the steps to implement the above embodiments are implemented as computer programs executed by a processor (including a CPU and a GPU). Which when executed by a processor performs the above-described functions as defined by the above-described method provided by the present disclosure. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
The following introduces the safety protection device based on the container host machine provided by the technical scheme:
the embodiment of the invention provides a safety protection device based on a container host. Referring to fig. 8, the container host-based security protection apparatus 800 includes: an authority determination module 801, a listening module 802, a hand-in determination module 803, and an exit module 804.
Wherein the permission determination module is configured to: determining that a target account has at least one of permission to use a target container and permission to log on to a host where the container is stored; the listening module 802 is configured to: responding to the target account number to log in the host machine, and monitoring an execution command of the target account number on the host machine; the hand-in determination module 803 described above, is configured to: determining whether the target account is used for switching into a container in the host machine or not according to a monitoring result; and the exit module 804 is configured to: and responding that the target account is not used for switching into the container in the host machine, and logging out of the target account in the host machine.
In an exemplary embodiment, based on the foregoing scheme, the hand-in determination module 803 is specifically configured to: and if the monitoring result is that the execution command from the target account is not received within a first preset time after the target account logs in the host, determining that the target account is not used for switching into a container in the host.
In an exemplary embodiment, based on the foregoing solution, the apparatus further includes: a verification module 805.
Wherein the verification module 805 is configured to: if the monitoring result is that an execution command from the target account is received within the first preset time after the target account logs in the host machine, and the legality of the execution command is checked; if the execution command is legal, determining that the target account is used for switching into a container in the host machine; or, if the execution command is illegal, determining that the target account is not used for switching into the container in the host machine.
In an exemplary embodiment, based on the foregoing scheme, the foregoing listening module 802 is specifically configured to: and logging in the host machine through a shell program in response to the received target account, and monitoring an execution command of the target account on the host machine by acquiring parameters of the shell program.
In an exemplary embodiment, based on the foregoing scheme, the hand-in determining module 803 is specifically configured to: acquiring parameters of the shell program within a second preset time after the target account logs in the host; and in response to the parameter of the shell program acquired within the second preset time period being null, determining that the execution command is not used for switching into the container in the host.
In an exemplary embodiment, based on the foregoing scheme, the verification module 805 is specifically configured to: in response to that the parameters of the shell program acquired within the second preset time period are not empty, checking the validity of the parameters of the shell program acquired within the second preset time period; if the parameters of the shell program are legal, determining that the target account number is used for switching into a container in the host machine; or if the parameters of the shell program are illegal, determining that the target account is not used for switching into the container in the host machine.
In an exemplary embodiment, based on the foregoing solution, the apparatus further includes: a login module 806.
Wherein the login module 806 is configured to: acquiring the identifier of a target container to be logged in by the target account; determining address information of a host machine corresponding to the target container according to the identification of the target container; and enabling the target account to log in the host machine according to the address information of the host machine.
In an exemplary embodiment, based on the foregoing solution, the apparatus further includes: a recording module 807.
Wherein the recording module 807 is configured to: and recording the withdrawn target account after the target account is withdrawn from the host to log in the host, so as to record the account illegally logged in the host.
The specific details of each module or unit in the above-mentioned security protection apparatus based on a container host have been described in detail in the corresponding security protection method based on a container host, and therefore are not described herein again.
FIG. 9 illustrates a schematic structural diagram of a computer system of an electronic device suitable for implementing an embodiment of the invention.
It should be noted that the computer system 900 of the electronic device shown in fig. 9 is only an example, and should not bring any limitation to the function and the application scope of the embodiment of the present invention.
As shown in fig. 9, computer system 900 includes a processor 901, wherein processor 901 may comprise: a Graphics Processing Unit (GPU), a Central Processing Unit (CPU), which can perform various appropriate actions and processes according to a program stored in a Read-Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. In the RAM 903, various programs and data necessary for system operation are also stored. A processor (GPU/CPU)901, a ROM 902, and a RAM 903 are connected to each other via a bus 904. An Input/Output (I/O) interface 905 is also connected to bus 904.
The following components are connected to the I/O interface 905: an input portion 906 including a keyboard, a mouse, and the like; an output section 907 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage portion 908 including a hard disk and the like; and a communication section 909 including a Network interface card such as a LAN (Local Area Network) card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. A drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 910 as necessary, so that a computer program read out therefrom is mounted into the storage section 908 as necessary.
In particular, the processes described below with reference to the flowcharts may be implemented as computer software programs, according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 909, and/or installed from the removable medium 911. When executed by a processor (GPU/CPU)901, the computer program performs various functions defined in the system of the present application. In some embodiments, computer system 900 may also include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
It should be noted that the computer readable medium shown in the embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware, and the described units may also be disposed in a processor. The names of the units do not in any way limit the units themselves.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may be separate and not incorporated into the electronic device. The computer readable medium carries one or more programs, which when executed by one of the electronic devices, cause the electronic device to implement the method described in the above embodiments.
For example, the electronic device may implement the following as shown in fig. 3: step S310, determining that the target account has at least one of the right to use a target container and the right to log in a host, wherein the container is stored in the host; step S320, responding to the target account number logging in the host machine, and monitoring an execution command of the target account number in the host machine; step S330, judging whether the target account is used for switching into a container in the host machine or not according to a monitoring result; and step S340, responding to the condition that the target account is not used for switching into the container in the host machine, and quitting the login of the target account in the host machine.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functions of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, and may also be implemented by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a touch terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. A container-host-based security protection method, characterized by comprising the following steps:
determining that a target account has at least one of permission to use a target container and permission to log in to a host, wherein the container is stored on the host;
in response to the target account logging in to the host, monitoring execution commands of the target account on the host;
determining, according to a monitoring result, whether the target account is used for switching into a container on the host; and
in response to the target account not being used for switching into a container on the host, logging the target account out of the host.
2. The container-host-based security protection method of claim 1, wherein determining, according to the monitoring result, whether the target account is used for switching into a container on the host comprises:
if the monitoring result is that no execution command from the target account is received within a first preset time period after the target account logs in to the host, determining that the target account is not used for switching into a container on the host.
3. The container-host-based security protection method of claim 2, further comprising:
if the monitoring result is that an execution command from the target account is received within the first preset time period after the target account logs in to the host, checking the legality of the execution command; and
if the execution command is legal, determining that the target account is used for switching into a container on the host; or, if the execution command is illegal, determining that the target account is not used for switching into a container on the host.
4. The container-host-based security protection method of claim 1, wherein monitoring execution commands of the target account on the host in response to the target account logging in to the host comprises:
in response to the target account logging in to the host through a shell program, monitoring the execution commands of the target account on the host by acquiring the parameters of the shell program.
5. The container-host-based security protection method of claim 4, wherein determining, according to the monitoring result, whether the target account is used for switching into a container on the host comprises:
acquiring the parameters of the shell program within a second preset time period after the target account logs in to the host; and
in response to the parameters of the shell program acquired within the second preset time period being empty, determining that the execution command is not used for switching into a container on the host.
6. The container-host-based security protection method of claim 5, further comprising:
in response to the parameters of the shell program acquired within the second preset time period not being empty, checking the legality of the parameters of the shell program acquired within the second preset time period; and
if the parameters of the shell program are legal, determining that the target account is used for switching into a container on the host; or, if the parameters of the shell program are illegal, determining that the target account is not used for switching into a container on the host.
7. The container-host-based security protection method according to any one of claims 1 to 6, wherein the target account logging in to the host comprises:
acquiring an identifier of the target container that the target account is to log in to;
determining address information of the host corresponding to the target container according to the identifier of the target container; and
enabling the target account to log in to the host according to the address information of the host.
8. The container-host-based security protection method according to any one of claims 1 to 6, wherein, after logging the target account out of the host, the method further comprises:
recording the logged-out target account, so as to keep a record of accounts that have illegally logged in to the host.
9. A container-host-based security protection apparatus, the apparatus comprising:
a permission determination module configured to determine that a target account has at least one of permission to use a target container and permission to log in to a host on which the container is stored;
a monitoring module configured to, in response to the target account logging in to the host, monitor execution commands of the target account on the host;
a switch-in determination module configured to determine, according to a monitoring result, whether the target account is used for switching into a container on the host; and
an exit module configured to, in response to the target account not being used for switching into a container on the host, log the target account out of the host.
10. An electronic device, comprising:
a processor; and
a memory for storing instructions executable by the processor;
wherein the processor is configured to perform the method of any one of claims 1 to 8 by executing the executable instructions.
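The decision procedure of steps S310 to S340 and of claims 1 to 8, written out as runnable code. This is an added example for this page, not the patent's or Tencent's implementation, and it fills in details the claims leave open as assumptions: monitored commands are captured as raw shell lines with epoch-second timestamps, a "legal" command is one that switches into the permitted container via `docker exec` or `kubectl exec`, the first command after login decides, and the preset time period is 30 seconds. Account names, container names and timestamps are constructed.

```python
"""Decision logic modelled on claims 1 to 8 of CN114912104A.

Added example for this page, not the patent's own code. Assumptions not
stated in the patent: commands are captured as raw shell lines with epoch
timestamps, a "legal" command is one that switches into the permitted
container via `docker exec` or `kubectl exec`, the first command after
login decides, and the preset time period is 30 seconds.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Tool invocations treated as "switching into a container" (assumption).
SWITCH_IN_TOOLS = {("docker", "exec"), ("kubectl", "exec")}


@dataclass
class HostSession:
    """One login of an account on a container host (constructed record)."""
    account: str
    target_container: str                    # container the account may use
    login_time: float                        # epoch seconds
    commands: List[Tuple[float, str]] = field(default_factory=list)  # (ts, shell line)
    active: bool = True


# Claim 8: record of accounts that were logged out as illegal host logins.
illegal_login_records: List[Dict[str, object]] = []


def is_switch_into_container(raw_line: str, container: str) -> bool:
    """Legality check of claims 3 and 6.

    The only command accepted as legal is one that switches into the
    permitted container; everything else (another container, a plain host
    command, unparsable input) is illegal.
    """
    try:
        argv = shlex.split(raw_line)
    except ValueError:          # unbalanced quotes: do not guess, treat as illegal
        return False
    if len(argv) < 3 or (argv[0], argv[1]) not in SWITCH_IN_TOOLS:
        return False
    return container in argv[2:]


def judge_session(session: HostSession, now: float, window: float = 30.0) -> Optional[bool]:
    """Claims 2, 3, 5 and 6: decide from the monitored commands.

    Returns True if the account is being used to switch into its container,
    False if it is not, and None while the preset window is still open and
    no command has been observed yet.
    """
    deadline = session.login_time + window
    in_window = [line for ts, line in sorted(session.commands)
                 if session.login_time <= ts <= deadline]
    if in_window:
        return is_switch_into_container(in_window[0], session.target_container)
    if now >= deadline:
        return False            # nothing received within the preset time period
    return None


def enforce(session: HostSession, now: float, window: float = 30.0) -> str:
    """Step S340 plus claim 8: log out a session that is not used for
    switching in and record the account. Returns the action taken."""
    verdict = judge_session(session, now, window)
    if verdict is False:
        if session.active:
            session.active = False
            illegal_login_records.append({
                "account": session.account,
                "login_time": session.login_time,
                "logged_out_at": now,
            })
        return "logged_out"
    return "allowed" if verdict else "pending"


if __name__ == "__main__":
    # Constructed sessions: a legal switch-in, an idle login, a wrong-container login.
    ok = HostSession("alice", "app-1", 1000.0, [(1005.0, "docker exec -it app-1 /bin/bash")])
    idle = HostSession("bob", "app-1", 1000.0)
    wrong = HostSession("carol", "app-1", 1000.0, [(1002.0, "docker exec -it app-2 sh")])
    for session, now in ((ok, 1010.0), (idle, 1031.0), (wrong, 1003.0)):
        print(session.account, enforce(session, now))
    print(illegal_login_records)
```

In a real deployment the `commands` list would be fed by the shell-parameter capture of claim 4 (for example an audit hook on the login shell), and `enforce` would be called both on each captured command and when the timer for the preset period expires, so that an account that never issues a command is still logged out.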
CN202110178890.5A 2021-02-09 2021-02-09 Safety protection method and device based on container host machine and electronic equipment Pending CN114912104A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110178890.5A CN114912104A (en) 2021-02-09 2021-02-09 Safety protection method and device based on container host machine and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110178890.5A CN114912104A (en) 2021-02-09 2021-02-09 Safety protection method and device based on container host machine and electronic equipment

Publications (1)

Publication Number Publication Date
CN114912104A true CN114912104A (en) 2022-08-16

Family

ID=82762328

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110178890.5A Pending CN114912104A (en) 2021-02-09 2021-02-09 Safety protection method and device based on container host machine and electronic equipment

Country Status (1)

Country Link
CN (1) CN114912104A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination