CN115344868A - Automatic operation and maintenance script safety guarantee method - Google Patents

Abstract

The invention provides a safety guarantee method for an automatic operation and maintenance script, which comprises the following steps: (1) presetting rules; (2) Appointing a script auditor to perform manual intervention, calculating the script proportion of each service, calculating the change of system resources caused by each service, calculating the proportion of uplink flow and downlink flow of each service in T time, obtaining a service risk value of each service, determining a suspected dangerous script and informing the script auditor to perform auditing treatment; (3) analyzing the script; (4) regular scanning; and (5) dynamically auditing. The invention has the beneficial effects that: the system is subjected to timed and quantitative manual intervention according to the current system operation condition, so that the safe operation of the operation and maintenance system can be guaranteed, and the misjudgment caused by service change is avoided. The invention does not need a large amount of manual operation, has small calculated amount and accurate analysis, thereby greatly reducing misjudgment and improving the monitoring coverage and the accuracy.

Description

Automatic operation and maintenance script safety guarantee method

Technical Field

The invention relates to the field of automation operation and maintenance, in particular to a safety guarantee method for an automation operation and maintenance script.

Background

The IT system can typically audit the actual execution script based on the parameter configuration and sensitive commands, thereby ensuring that the script is executed securely on the resource device. The decision steps of most current methods are as follows: (1) presetting rules: after the system is installed, automatically calling an initialization script to initialize a preset rule, wherein the preset rule comprises a preset script sensitive command and a parameter value matching rule, and allowing to adjust and appoint a script auditor according to the requirement; (2) script parsing: reading the script file line by line, analyzing the command line according to the script analyzer, outputting the analyzed command line, and triggering the rule scanning; (3) regular scanning: performing regular operation on the analyzed command line according to the matching rule, and outputting and recording a sensitive command line; and (4) dynamic auditing: and the dynamic audit informs an auditor and carries out audit processing on the sensitive command line.

In fact, scripts that run automatically are more likely to produce system attack behavior than scripts that operate manually. In the actual running process of the script, system resources are always automatically configured, and further, various changes such as communication traffic, running script types and the like are caused. The existing method usually depends on analyzing the script and matching the rule to check the script, and does not consider the change of the system configuration communication traffic and the like caused by the service change. However, the attack process usually occurs in a particularly regular operation and maintenance system, and the prior art has the disadvantage that the script data is only audited based on a method for analyzing the script and matching the rule, and the manual intervention for timing and quantifying the operation and maintenance system is not considered. Therefore, it is easy to misjudge a change in system configuration, traffic amount, and the like due to a service change.

Disclosure of Invention

Aiming at the problem that the existing operation and maintenance system script safety guarantee method only analyzes data of script data and depends on a rule matching method to a great extent, the invention provides an automatic operation and maintenance script safety guarantee method, and a manually defined script risk assessment method is introduced on the basis of preset rules.

The object of the present invention is achieved by the following technical means. An automatic operation and maintenance script safety guarantee method comprises the following steps:

(1) And presetting rules: after the system is installed, automatically calling an initialization script to initialize a preset rule, wherein the preset rule comprises a preset script sensitive command and a parameter value matching rule, and allowing to adjust and appoint a script auditor according to the requirement;

(2) Appointing a script auditor to perform manual intervention, counting the running condition of the system in T time from the current moment, calculating the script proportion of each service, calculating the change of system resources caused by each service, calculating the proportion of uplink flow and downlink flow of each service in T time, obtaining the service risk value of each service, determining a suspected dangerous script and informing the script auditor to perform audit processing;

(3) And script analysis: forming a script file for the script which is not identified as the suspected dangerous script; reading the script file line by line from top to bottom, analyzing according to the script analyzer, outputting the analyzed command line, and triggering regular scanning;

(4) And regular scanning: scanning the analyzed command line by line, performing regular matching operation on the analyzed command line according to a matching rule expression, outputting a sensitive command line and recording the sensitive command line;

(5) And dynamic auditing: and checking whether a sensitive command line exists in the scanning result, and if so, informing a script auditor to audit.

The specific method comprises the following steps:

(2.1) observing the running condition within the T time from the current moment to the front;

(2.2) computing service A _i Script proportion of P _i ，

Wherein N denotes the number of services, A _i Service denoted by reference number i, count (A) _i ) Representing service A _i The number of scripts called in T time;

(2.3) a cause of computing service A _i Induced change of system resource

The index data of the system resources comprises the occupancy rate of a disk space, the utilization rate of a CPU (Central processing Unit), the utilization rate of a memory, the number of used ports, the number of starting items and the number of used databases;

(2.4) calculating the service A in the T time _i Ratio of uplink traffic to downlink traffic of _i ，

(2.5) calculating business risk value

Wherein beta is ₁ +β ₂ +β ₃ ＝1，β ₁ ，β ₂ ，β ₃ Is a risk factor;

(2.6) when the system runs, the business risk value is calculated

And setting the service larger than the threshold value as a suspected dangerous service, and setting a script called in the suspected dangerous service as a suspected dangerous script.

Furthermore, in the step (2.3), the specific method is as follows: specifically, statistical service A _i Calculating the difference value between the index data of the system resources in the T time and the index data in normal operation without any application, and normalizing to obtain the service A _i Induced changes in system resources

Wherein k is ₁ +k ₂ +k ₃ +k ₄ +k ₅ +k ₆ ＝1，k ₁ ，k ₂ ，k ₃ ，k ₄ ，k ₅ ，k ₆ Is a coefficient of proportionality that is,

representing service A _i Disk space occupancy rate, disk, in normal operation without any application _i Representing service A _i The disk occupancy rate of (a) is,

representing service A _i The maximum allowed disk occupancy;

representing service A _i CPU utilization during normal operation without any application, CPU _i Representing service A _i The utilization rate of the CPU,

representing service A _i Maximum CPU utilization allowed;

representing service A _i Memory utilization, mem, when no application is running under normal conditions _i Representing service A _i The utilization rate of the memory of (a) is,

representing service A _i Maximum allowed memory utilization;

representing service A _i Number of ports used during normal operation without any application, port _i Representing service A _i The number of ports to be used of (c),

representing service A _i The maximum number of allowed port uses;

representing service A _i Number of Start items when no application is running under normal conditions, start _i Representing service A _i The number of the starting items of (2),

representing service A _i The maximum number of the allowed starting items;

representing service A _i Number of database uses, DB, when no application is running under normal conditions _i Representing service A _i The number of the used databases of (a) is,

representing service A _i The maximum number of database uses allowed.

Furthermore, in the step (2.4), the specific method is as follows:

OUT _i indicates the upstream flow, IN _i Indicating the downlink flow;

out _j representing service A _i Length of corresponding j-th uplink flow in _j Representing service A _i The length of the corresponding j-th downlink flow, m and n respectively represent the service A _i The number of the uplink flow and the downlink flow in the T time.

The beneficial effects of the invention are as follows: the invention carries out timed and quantitative manual intervention on the system according to the current system operation condition, can ensure the safe operation of the operation and maintenance system, and avoids misjudgment caused by service change. The invention does not need a large amount of manual operation, has small calculated amount and accurate analysis, thereby greatly reducing misjudgment and improving the monitoring coverage and the accuracy.

Drawings

FIG. 1 is a schematic flow chart of a security method for executing an automated operation and maintenance script according to the present invention;

FIG. 2 is a schematic flow chart of selecting a suspected danger script file for manual intervention;

FIG. 3 is a schematic view of a script parsing flow;

fig. 4 is a schematic diagram of a rule scanning process.

Detailed Description

The invention will be described in detail with reference to the following figures and examples:

as shown in fig. 1, in an automatic operation and maintenance script security guarantee method, rule presetting is performed first during system initialization, and then the following is implemented by running 4 modules: the system comprises a preset rule and manual intervention module, a script analysis module, a rule scanning module and a dynamic auditing module. Wherein: 1. and the preset rule and manual intervention module is used for obtaining a suspected dangerous script file by calculating the service risk value. 2. The script analysis module is used for reading and analyzing the script line by line from top to bottom through the script analyzer and outputting the analyzed script, and then triggering and calling rule scanning to perform rule matching operation on the analyzed script; 3. the rule scanning module is used for acquiring the analyzed and output script lines, performing regular matching operation according to the scanning rule, and outputting and storing the sensitive command lines; 4. and the dynamic auditing module checks whether the scanning result has a sensitive command line, automatically informs an auditor to audit if the scanning result has the sensitive command line, and otherwise, does not process the scanning result. Generally, script files are executed in three ways: manual execution, timed execution, and third party call execution. The method comprises the following steps:

(1) And presetting rules: after the system is installed, automatically calling the initialization script to initialize the preset rule, wherein the preset rule comprises a preset script sensitive command and a parameter value matching rule, and the preset script sensitive command and the parameter value matching rule are allowed to be adjusted and appointed as required;

(2) The method comprises the following steps of appointing script auditors to perform manual intervention, determining suspected dangerous scripts from three dimensions of the service operated by a system, wherein the three dimensions are respectively the operation script proportion of each service, the change of system resources caused by service change and the proportion of uplink and downlink flow, finally calculating a service risk value for each service, and setting a corresponding script file as a suspected dangerous script file when the value is greater than 0.7, wherein the specific steps are as follows:

(2.1) observing the running condition within the T time from the current moment to the front;

(2.2) computing service A _i Script proportion of P _i ，

Specifically, each service a is counted _i The script sequence used by the terminal in T time, wherein N represents the number of services, A _i Denotes a service, count (A), denoted by reference number i _i ) Representing service A _i The number of scripts called in T time;

(2.3) account cause service A _i Induced changes in system resources

The index data of the system resources comprises the occupancy rate of a disk space, the utilization rate of a CPU (Central processing Unit), the utilization rate of a memory, the number of used ports, the number of starting items and the number of used databases;

specifically, statistical service A _i Calculating the difference value between the index data of the system resources in the T time and the index data in normal operation without any application, and normalizing to obtain the service A _i Induced change of system resource

Wherein k is ₁ +k ₂ +k ₃ +k ₄ +k ₅ +k ₆ ＝1，k ₁ ，k ₂ ，k ₃ ，k ₄ ，k ₅ ，k ₆ The scale factor is preset to be 1/6,

representing service A _i Disk space occupancy rate, disk, in normal operation without any application _i Representing service A _i The disk occupancy rate of (a) is,

representing service A _i The maximum allowed disk occupancy;

representing service A _i CPU utilization during normal operation without any application, CPU _i Representing service A _i The utilization rate of the CPU,

representing service A _i Maximum allowed CPU utilization;

representing service A _i Memory utilization, mem, at normal times when no application is running _i Representing service A _i The utilization rate of the memory of the system,

representing service A _i Maximum allowed memory utilization;

representing service A _i Number of ports used during normal operation without any application, port _i Representing service A _i The number of the ports to be used,

representing service A _i The maximum number of allowed port uses;

representing service A _i Number of Start items when no application is running under normal conditions, start _i Representing service A _i The number of the starting items of (2),

representing service A _i The maximum number of the allowed starting items;

representing service A _i Number of database uses, DB, when no application runs under normal conditions _i Representing service A _i The number of the used databases of (2),

representing service A _i The maximum number of database uses allowed.

(2.4) calculating the service A in the T time _i Ratio of uplink traffic to downlink traffic of _i ，

OUT _i Indicates the upstream flow, IN _i Indicating the downlink flow;

out _j representing service A _i Length of corresponding j-th uplink flow in _j Representing service A _i The length of the corresponding jth downlink flow, m and n respectively represent the service A _i And the flow number of the uplink flow and the downlink flow in the T time.

(2.5) calculating business risk value

Wherein beta is ₁ +β ₂ +β ₃ ＝1，β ₁ ，β ₂ ，β ₃ The risk coefficient can be preset to be 1/3;

(2.6) when the system runs, the business risk value is calculated

And setting the service larger than the threshold (which can be preset to be 0.7) as a suspected dangerous service, and setting the script called in the suspected dangerous service as a suspected dangerous script.

(3) And script analysis: forming script files for scripts that are not identified as suspected dangerous scripts (i.e., storing the collected scripts in a file); reading the script file line by line from top to bottom, analyzing according to the script analyzer, outputting the analyzed command line, and triggering regular scanning;

FIG. 3 details the script parsing process of the present invention: when executing the script, firstly reading the script content line by line; secondly, reading the script content of each line, analyzing the script content through a script analyzer, and outputting CmdLine, such as the contents of the script file lines: rm-rf $ { path }, path parameter value: v, output CmdLine: { "lineNum":1, "parsedcdline": rm-rf/"}; and finally triggering and calling rule scanning to scan the CmdLine.

(4) And regular scanning: as shown in fig. 4, the analyzed command line is scanned line by line, and the analyzed command line is subjected to regular matching operation according to the matching rule expression, and a sensitive command line is output and recorded;

FIG. 4 details the rule scanning process in the present invention: when the command is triggered and called, firstly reading the analyzed command line CmdLine; and secondly, reading a command line matching rule to perform regular operation on the analyzed command line CmdLine, and outputting a sensitive command line, such as' CmdLine: { "lineNum":1, "parsedcdline": "rm-rf/" }, cmdRegex: rm-rf \ and outputs ResultLine { "LineNum":1, "parsecmdLine": rm-rf/"}; and finally, storing all the sensitive command lines and establishing a relation with the script file as a basis for dynamically auditing the automatic notification and auditing the script by auditors.

(5) And dynamic auditing: and checking whether a scanning result has a sensitive command line, if so, notifying a script auditor to audit, and if not, not processing.

It should be understood that the technical solutions and the inventive concepts of the present invention should be replaced or changed by equivalents and modifications to the technical solutions and the inventive concepts of the present invention by those skilled in the art.

Claims (4)

1. An automatic operation and maintenance script safety guarantee method is characterized by comprising the following steps: the method comprises the following steps:

(1) And presetting rules: after the system is installed, automatically calling an initialization script to initialize a preset rule, wherein the preset rule comprises a preset script sensitive command and a parameter value matching rule, and allowing to adjust and appoint a script auditor according to the requirement;

(2) Appointing a script auditor to perform manual intervention, counting the running condition of the system in T time from the current time, calculating the script proportion of each service, calculating the change of system resources caused by each service, calculating the proportion of uplink flow and downlink flow of each service in T time, and obtaining the service risk value of each service, thereby determining the suspected dangerous script;

(3) And script analysis: forming a script file for the script which is not determined as the suspected dangerous script; reading the script files line by line from top to bottom, analyzing according to a script analyzer, outputting an analyzed command line, and triggering regular scanning;

(4) And regular scanning: scanning the analyzed command line by line, performing regular matching operation on the analyzed command line according to a matching rule expression, outputting a sensitive command line and recording the sensitive command line;

(5) And dynamic auditing: and checking whether a sensitive command line exists in the scanning result, and if so, informing a script auditor to audit.

2. The automated operation and maintenance script security assurance method of claim 1, wherein: in the step (2), the specific method is as follows:

(2.1) observing the operation condition in T time before the current moment;

(2.2) computing service A _i Script proportion of P _i ，

Wherein N denotes the number of services, A _i Service denoted by reference number i, count (A) _i ) Representing service A _i The number of scripts called in T time;

(2.3) a cause of computing service A _i Induced change of system resource

The index data of the system resources comprises the occupancy rate of a disk space, the utilization rate of a CPU (Central processing Unit), the utilization rate of a memory, the number of used ports, the number of started items and the number of used databases;

(2.4) calculating the service A in the T time _i Ratio of uplink traffic to downlink traffic of _i ，

(2.5) calculating business risk value

Wherein, beta ₁ +β ₂ +β ₃ ＝1，β ₁ ，β ₂ ，β ₃ Is a risk factor;

(2.6) when the system runs, the business risk value is calculated

And setting the service larger than the threshold value as a suspected dangerous service, and setting a script called in the suspected dangerous service as a suspected dangerous script.

3. The automated operation and maintenance script security assurance method of claim 2, wherein: in the step (2.3), the specific method is as follows: specifically, statistical service a _i Calculating the difference value between the index data of the system resources in the T time and the index data in normal operation without any application, and normalizing to obtain the service A _i Induced changes in system resources

Wherein k is ₁ +k ₂ +k ₃ +k ₄ +k ₅ +k ₆ ＝1，k ₁ ，k ₂ ，k ₃ ，k ₄ ，k ₅ ，k ₆ Is a coefficient of proportionality that is,

representing service A _i Disk space occupancy, disk, under normal conditions when no application is running _i Representing service A _i The disk occupancy rate of (a) is,

representing service A _i The maximum allowed disk occupancy;

representing service A _i CPU utilization during normal operation without any application, CPU _i Representing service A _i The utilization rate of the CPU,

representing service A _i Maximum CPU utilization allowed;

representing service A _i Memory utilization, mem, at normal times when no application is running _i Representing service A _i The utilization rate of the memory of the system,

representing service A _i Maximum allowed memory utilization;

representing service A _i Number of ports used during normal operation without any application, port _i Representing service A _i The number of ports to be used of (c),

representing service A _i The maximum number of ports to be allowed;

representing service A _i Number of Start items when no application is running under normal conditions, start _i Representing service A _i The number of the starting items of (2),

representing service A _i The maximum number of the allowed starting items;

representing service A _i Number of database uses, DB, when no application is running under normal conditions _i Representing service A _i The number of the used databases of (2),

representing service A _i Maximum number of database uses allowed。

4. The automated operation and maintenance script security assurance method of claim 2, wherein: in the step (2.4), the specific method is as follows:

OUT _i indicates the upstream flow, IN _i Indicating the downlink flow;

out _j representing service A _i Length of corresponding j-th uplink flow in _j Representing service A _i The length of the corresponding j-th downlink flow, m and n respectively represent the service A _i The number of the uplink flow and the downlink flow in the T time.

Images