CN117319044A - Method, device, equipment and medium for monitoring linux illegal operation

Info

Publication number
CN117319044A
Authority
CN
China
Prior art keywords
instruction
linux
executed
command
current input
Prior art date
Legal status
Pending
Application number
CN202311287216.6A
Other languages
Chinese (zh)
Inventor
韦启胜
胡婷
Current Assignee
Beijing Youtejie Information Technology Co ltd
Original Assignee
Beijing Youtejie Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Youtejie Information Technology Co ltd
Priority to CN202311287216.6A
Publication of CN117319044A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0681 Configuration of triggering conditions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method, device, equipment and medium for monitoring illegal operations on Linux. The method comprises the following steps: collecting the command execution log of the bastion host that fronts a Linux server; parsing the bastion host's command execution log to determine the current input instruction (the command typed on the command line) and the current target instruction to be executed (the command that will actually run on the server); and generating Linux illegal operation alarm data when the current input instruction does not match the current target instruction to be executed. The technical scheme of the embodiments is not limited by an imperfect bastion-host review mechanism: it accurately identifies instructions that bypass that mechanism and achieves effective monitoring of illegal operations, thereby ensuring the security of command execution on the Linux server.

Description

Method, device, equipment and medium for monitoring linux illegal operation
Technical Field
The present invention relates to the field of network operation and maintenance technologies, and in particular, to a method, an apparatus, a device, and a medium for monitoring linux illegal operations.
Background
In the IT construction of modern enterprises, Linux (GNU/Linux, a freely usable and freely distributed UNIX-like operating system) servers play a crucial role, and the management and protection of these servers has become a serious concern.
Bastion hosts are widely used for terminal management and command auditing of Linux servers, provide a double-review function, and play a key role in Linux server management. Acting as a relay station, the bastion host performs terminal management and command auditing on servers through authorized logins, giving enterprises greater security and controllability. Double review is an important function of the bastion host: it aims to reduce the damage to systems and business caused by misoperation and malicious behavior, since allowing commands to be executed without review exposes operations to enormous risk. With double review, several people take part, and the disastrous consequences of one person's misoperation can be avoided.
However, a high-privilege administrator can bypass the bastion host's double-review function to gain greater authority or to perform unrestricted operations. Because the review mechanism is imperfect, a high-risk command can be ignored or bypassed by issuing it as a command that is not subject to review, so that unreviewed commands are abused or mis-operated; that is, permission-sensitive operations are executed without being reviewed. This gives an attacker an opening to exploit the gap in the unreviewed command path and mount a potential attack, which constitutes a great threat to enterprise security.
Disclosure of Invention
The invention provides a method, a device, equipment and a medium for monitoring illegal operations on Linux, in order to solve the problem that, because the bastion host's review mechanism is imperfect, unreviewed commands executed on the Linux server cannot be identified.
According to an aspect of the present invention, there is provided a Linux illegal operation monitoring method, including:
collecting the bastion host's command execution log of a Linux server;
parsing the bastion host's command execution log, and determining a current input instruction and a current target instruction to be executed;
and generating Linux illegal operation alarm data when the current input instruction does not match the current target instruction to be executed.
According to another aspect of the present invention, there is provided a Linux illegal operation monitoring device, including:
a log acquisition module, used for acquiring the bastion host's command execution log of the Linux server;
a log parsing module, used for parsing the bastion host's command execution log and determining the current input instruction and the current target instruction to be executed;
and a Linux illegal operation alarm data generation module, used for generating Linux illegal operation alarm data when the current input instruction does not match the current target instruction to be executed.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the linux violation operation monitoring method according to any of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the linux violation operation monitoring method according to any of the embodiments of the present invention when executed.
According to the technical scheme of the present invention, the bastion host's command execution log of the Linux server is collected and parsed to determine the current input instruction and the current target instruction to be executed, and Linux illegal operation alarm data is generated when the two are determined not to match. By checking whether the current input instruction matches the current target instruction to be executed, the scheme judges whether the command that will actually be executed is consistent with the command typed on the command line; when they are inconsistent, command-bypass behavior is identified accurately, and operation and maintenance staff are notified in time through the Linux illegal operation alarm data. This solves the problem that unreviewed commands executed on the Linux server cannot be identified because of the bastion host's imperfect review mechanism: monitoring is no longer restricted by that mechanism, instructions that bypass it are identified accurately, illegal operations are monitored effectively, and the security of command execution on the server behind the bastion host is ensured.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a linux violation operation monitoring method according to a first embodiment of the present invention;
fig. 2 is a flowchart of a linux violation operation monitoring method according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of a linux violation operation monitoring device according to a third embodiment of the present invention;
fig. 4 shows a schematic diagram of the structure of an electronic device that may be used to implement an embodiment of the invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It is noted that the terms "comprising" and "having," and any variations thereof, in the description and claims of the present invention and in the foregoing figures, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a linux illegal operation monitoring method according to a first embodiment of the present invention, where the method may be performed by a linux illegal operation monitoring device, and the linux illegal operation monitoring device may be implemented in a form of hardware and/or software, and the linux illegal operation monitoring device may be configured in an electronic device. As shown in fig. 1, the method includes:
Step 110, collecting the bastion host's command execution log of the Linux server.
The bastion command execution log is the log in which the commands executed through the bastion host are recorded.
In this embodiment, the Linux server requiring secure operation and maintenance is identified first; the bastion host that performs terminal management and command auditing for that server is then identified, and the command execution log is collected from that bastion host.
Step 120, parsing the bastion host's command execution log, and determining the current input instruction and the current target instruction to be executed.
The current input instruction is the instruction, parsed from the current bastion command execution log, that the user typed on the command line. The current target instruction to be executed is the instruction, parsed from the same log, that will finally be executed on the Linux server.
In this embodiment, the current bastion command execution log may be parsed by any known log-parsing method to obtain the current input instruction and the current target instruction to be executed.
Alternatively, the current bastion command execution log may be parsed by search, by dictionary lookup, by a machine-learning model, or the like.
Step 130, generating Linux illegal operation alarm data when the current input instruction does not match the current target instruction to be executed.
The Linux illegal operation alarm represents the risk that the Linux server executes an unreviewed instruction.
In this embodiment, because the bastion host's review mechanism is imperfect, the instruction finally executed on Linux can bypass double review and run directly. When the current input instruction is determined not to match the current target instruction to be executed, it can be judged that the instruction actually executed is inconsistent with the instruction typed on the command line, that is, command-bypass behavior exists; Linux illegal operation alarm data is generated at that moment to remind operation and maintenance staff to carry out security maintenance in time and deal with the execution of the current target instruction on the Linux server.
For example, suppose a system administrator creates a Linux shell variable such as "a=rm" or "b='rm -f'". If the bastion host designates rm as a sensitive command requiring review, but a is not on the list of reviewed commands, the bastion host's double-review mechanism is bypassed and the rm instruction is finally executed, so that double review is defeated. By evaluating in real time whether the current input instruction matches the current target instruction to be executed, the scheme identifies user behavior that may bypass double review and improves the accuracy of security monitoring.
According to the technical scheme of this embodiment, the bastion host's command execution log of the Linux server is collected and parsed to determine the current input instruction and the current target instruction to be executed, and Linux illegal operation alarm data is generated when the two are determined not to match. Confirming whether the two instructions match shows whether the command actually executed is consistent with the command typed on the command line; when they are inconsistent, command-bypass behavior is identified accurately and operation and maintenance staff are notified in time. This solves the problem that unreviewed commands executed on the Linux server cannot be identified because of the bastion host's imperfect review mechanism, identifies instructions that bypass that mechanism, monitors illegal operations effectively, and ensures the security of command execution on the server behind the bastion host.
Example two
Fig. 2 is a flowchart of a Linux illegal operation monitoring method according to a second embodiment of the present invention. This embodiment builds on the foregoing embodiment and provides specific alternative implementations of parsing the bastion host's command execution log, of determining the current input instruction and the current target instruction to be executed, and of determining that the two do not match. As shown in fig. 2, the method includes:
Step 210, collecting the bastion host's command execution log of the Linux server.
Step 220, searching the bastion command execution log on the basis of a preset regular expression and/or preset keywords, and determining the current input instruction and the current target instruction to be executed.
The preset regular expression is a regular expression defined in advance for retrieving data from the bastion command execution log. The preset keywords are keywords defined in advance, associated with instruction execution on the Linux server, that are searched for in the bastion command execution log.
In this embodiment, a preset regular expression and/or preset keywords derived from known historical bypass instructions or known high-risk instructions are obtained, and the data in the bastion command execution log is searched according to them to obtain the current input instruction and the current target instruction to be executed.
In an optional embodiment of the present invention, before searching the bastion command execution log on the basis of the preset regular expression, the method may further include: determining a custom instruction name variable and a sensitive instruction variable; and substituting the sensitive instruction variable into the regular expression for the custom instruction name variable, the result being the preset regular expression.
The custom instruction name variable is an instruction name defined by the user on the command line. The sensitive instruction variable represents the name of a high-risk instruction executed on the Linux server.
In this embodiment, a custom instruction name variable that follows users' naming habits for instruction names, and a sensitive instruction variable determined from known historical bypass instructions or known high-risk instructions, are determined; the sensitive instruction variable is then substituted into the regular expression for the custom instruction name variable to form the preset regular expression.
In an alternative embodiment of the present invention, before searching the bastion command execution log on the basis of the preset keywords, the method may further include: taking instruction-name-change command keywords or reply-protocol keywords as the preset keywords.
The instruction-name-change command keyword is the command keyword used to set a command alias. The reply-protocol keyword is a keyword used to invoke a command through the reply protocol.
In this embodiment, the instruction-name-change command keyword is determined from the command that sets a command alias, and the reply-protocol keyword is determined from the reply protocol; either is then taken as a preset keyword.
Illustratively, for a change declared with alias, the instruction-name-change command keyword is alias, and retrieval is performed directly on the alias keyword. In addition, there is echo (the reply protocol), for which retrieval is performed on reply-protocol keywords such as command: echo\rm|sh OR command: \v.
Step 230, matching the current input instruction against the current target instruction to be executed on the basis of the preset regular expression and/or the preset keywords.
In this embodiment, the current input instruction and the current target instruction to be executed may be matched on the basis of the preset regular expression alone, of the preset keywords alone, or of both together; in the last case the regular expression and the keywords complement each other, so that errors in matching the two instructions are avoided.
Step 240, generating Linux illegal operation alarm data when the current input instruction does not match the current target instruction to be executed.
In an alternative embodiment of the present invention, determining that the current input instruction does not match the current target instruction to be executed may include: if the current input instruction and the current target instruction to be executed conform to the preset regular expression, determining that they do not match.
In this embodiment, if the current input instruction follows the naming rule of the custom instruction name variable and the current target instruction to be executed contains the sensitive instruction variable, the two instructions are determined to conform to the preset regular expression, and at that moment they can be judged not to match.
Illustratively, assume that the preset regular expression is "command: and that the regular search finds the input instruction to be a=rm OR a='rm'; according to the preset regular expression, the current input instruction and the current target instruction to be executed can then be judged not to match.
In an alternative embodiment of the present invention, determining that the current input instruction does not match the current target instruction to be executed may include: if retrieval based on the instruction-name-change command keyword or the reply-protocol keyword finds that the current input instruction differs from the current target instruction to be executed, determining that they do not match.
In this embodiment, the current input instruction and the current target instruction to be executed are retrieved on the basis of the instruction-name-change command keyword or the reply-protocol keyword, and if the current input instruction differs from the current target instruction to be executed, the two are determined not to match.
In a specific example, if retrieval on the reply-protocol keyword detects echo\rm being invoked through sh or bash, it can be determined that the current input instruction differs from the current target instruction to be executed, that is, the two do not match, and double-review bypass behavior exists.
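The following Python script is an added illustration of steps 220 to 240 and of the a=rm example given in the first embodiment; it is not code from the patent or its applicant. It builds the preset regular expression by substituting a sensitive-command list into a pattern for a user-defined shell variable name, adds the two preset keywords (alias, and echo piped into sh or bash), and runs both over a constructed bastion log that records the command as typed beside the command resolved for execution. The log layout (ts, user, input and target fields), the sensitive-command list and the rule names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sensitive (double-review) instructions. This list is an assumption for the example.
SENSITIVE_COMMANDS = ("rm", "dd", "mkfs", "chmod", "chown", "shutdown", "reboot")

# Custom instruction name variable: a shell identifier the user defines on the command line.
CUSTOM_NAME = r"[A-Za-z_][A-Za-z0-9_]*"
# Sensitive instruction variable: any of the review-protected commands above.
SENSITIVE = "|".join(re.escape(c) for c in SENSITIVE_COMMANDS)
# Preset regular expression: the sensitive instruction variable substituted into the
# custom instruction name variable, e.g. a=rm or b='rm -f' (optional quote and an
# optional leading backslash, which in a shell suppresses alias expansion).
PRESET_REGEX = re.compile(
    r"^\s*(?P<name>" + CUSTOM_NAME + r")=['\"]?\\?(?P<cmd>" + SENSITIVE + r")\b"
)
# Preset keywords: the alias command, and an "echo ... | sh" style invocation.
ALIAS_KEYWORD = re.compile(r"^\s*alias\s+" + CUSTOM_NAME + r"=")
ECHO_PIPE_KEYWORD = re.compile(r"\becho\b.*\|\s*(sh|bash)\b")

# Assumed bastion log layout: one record per line carrying the command as typed
# (input) and the command the bastion resolved for execution (target).
LOG_LINE = re.compile(
    r'^ts=(?P<ts>\S+)\s+user=(?P<user>\S+)\s+'
    r'input="(?P<input>[^"]*)"\s+target="(?P<target>[^"]*)"\s*$'
)

# Constructed sample log; not data from the patent or from any real bastion host.
SAMPLE_LOG = r'''
ts=2024-01-01T10:00:01 user=alice input="ls -la /var/log" target="ls -la /var/log"
ts=2024-01-01T10:00:05 user=bob input="a=rm" target="rm"
ts=2024-01-01T10:00:09 user=carol input="b='rm -f'" target="rm -f"
ts=2024-01-01T10:00:12 user=dave input="alias del=rm" target="rm"
ts=2024-01-01T10:00:15 user=eve input="echo \rm -rf /tmp/x | sh" target="rm -rf /tmp/x"
ts=2024-01-01T10:00:20 user=frank input="count=5" target="count=5"
this line is not a well-formed record and is skipped
'''


@dataclass
class Alert:
    """One item of Linux illegal operation alarm data."""
    ts: str
    user: str
    rule: str
    input_cmd: str
    target_cmd: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log record into its fields; None for lines that are not records."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def starts_with_sensitive(cmd: str) -> bool:
    """True when the first word of cmd (ignoring a leading backslash) is review-protected."""
    words = cmd.strip().split()
    return bool(words) and words[0].lstrip("\\") in SENSITIVE_COMMANDS


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return the rule under which input and target do not match, or None."""
    inp, tgt = rec["input"], rec["target"]
    # Regex rule: the typed command follows the custom-variable naming rule and
    # the target contains the sensitive instruction, so the pair conforms to the
    # preset regular expression and is judged not to match.
    if PRESET_REGEX.match(inp) and starts_with_sensitive(tgt):
        return "regex:sensitive-command-in-custom-variable"
    # Keyword rules: a keyword is found and the typed command differs from the target.
    if inp != tgt:
        if ALIAS_KEYWORD.match(inp):
            return "keyword:alias"
        if ECHO_PIPE_KEYWORD.search(inp):
            return "keyword:echo-pipe"
    return None


def scan(log_text: str) -> List[Alert]:
    """Run the matching over a whole log and produce the alarm records."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec)
        if rule is not None:
            alerts.append(Alert(rec["ts"], rec["user"], rule, rec["input"], rec["target"]))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.user} {a.rule}: typed {a.input_cmd!r}, executes {a.target_cmd!r}")
```

On the constructed log the script raises four alarms (bob and carol through the regular expression, dave through the alias keyword, eve through the echo-pipe keyword) and leaves the ordinary listing and the harmless variable assignment count=5 alone; the regex requires the sensitive command to appear in the target as well, which is what keeps benign assignments from firing.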
In an alternative embodiment of the present invention, after collecting the bastion host's command execution log of the Linux server, the method may further include: storing the bastion command execution log on a big data analysis platform; and after generating the Linux illegal operation alarm data, the method may further include: transmitting the Linux illegal operation alarm data to an auditor alarm terminal, and analyzing and compiling statistics, through the big data analysis platform, on the bastion command execution log records matched by the Linux illegal operation alarm data.
The big data analysis platform provides support for data development, analysis and applications and is equivalent to a user and entity behavior analytics platform. The auditor alarm terminal is a communication terminal of the auditor, used for receiving and displaying Linux illegal operation alarm data.
In this embodiment, after the bastion host's command execution log of the Linux server is collected, it can be stored on the big data analysis platform, so that search queries, statistical analysis and illegal-operation audit of the bastion command execution log are carried out through that platform. After the Linux illegal operation alarm data is generated, it can be transmitted to the auditor alarm terminal, and the bastion command execution log records matched by the alarm data are analyzed and counted through the big data analysis platform.
Illustratively, compliance personnel (auditors) are notified by alarm, message, mail and so on, giving a fast risk-handling and response mechanism. When the bastion host records a high-risk command or command-bypass behavior is discovered, the alarm mechanism is triggered automatically and a notification, namely the Linux illegal operation alarm data, is sent to the designated compliance personnel. Because there are several notification channels, the information reaches the relevant staff in time. On receiving the notification, compliance personnel can immediately take measures to handle the risk event, such as further investigation, log review, deterrent measures, notifying the users concerned, or other countermeasures that mitigate the potential impact.
In this scheme, storing the collected bastion command execution log on the big data analysis platform facilitates subsequent search queries, statistical analysis and illegal-operation audit, improves the traceability, analysis and audit capability for bastion commands, and achieves comprehensive monitoring of all commands together with double-review bypass analysis. It helps the enterprise compliance department discover in time user behavior that bypasses the bastion host, carry out effective management and handling, and deliver alarms about abnormal behavior promptly to the compliance department or security team, so that potential security risks are avoided. The monitoring method has been applied to real products, taking different usage and attack scenarios into account, with continuous monitoring and evaluation; in actual use it has detected and handled a number of high-risk commands and command-bypass events, helping enterprises identify illegal operators, the objects operated on and the time of operation in good time, and providing reliable protective measures for system security and compliance.
According to the technical scheme of this embodiment, the bastion host's command execution log of the Linux server is collected and searched on the basis of a preset regular expression and/or preset keywords to determine the current input instruction and the current target instruction to be executed; the two are matched on the same basis, and Linux illegal operation alarm data is generated when they are determined not to match. Confirming whether the two instructions match shows whether the command actually executed is consistent with the command typed on the command line; when they are inconsistent, command-bypass behavior is identified accurately and operation and maintenance staff are notified in time. This solves the problem that unreviewed commands executed on the Linux server cannot be identified because of the bastion host's imperfect review mechanism, identifies instructions that bypass that mechanism, monitors illegal operations effectively, and ensures the security of command execution on the server behind the bastion host.
Example III
Fig. 3 is a schematic structural diagram of a linux violation operation monitoring device according to a third embodiment of the present invention. As shown in fig. 3, the apparatus includes:
the log collection module 310 is configured to collect a fort command execution log of the Linux server;
the log parsing module 320 is configured to parse the command execution log of the fort machine, and determine a current input instruction and a current target instruction to be executed;
and the Linux illegal operation alarm data generating module 330 is configured to generate Linux illegal operation alarm data when the current input instruction is determined not to match the current target instruction to be executed.
According to this technical scheme, the bastion host command execution log of the Linux server is collected, the log is parsed to determine the current input instruction and the current target instruction to be executed, and Linux illegal operation alarm data are generated when the two are determined not to match. By checking whether the current input instruction matches the current target instruction to be executed, the scheme can judge whether the command that is actually about to be executed is consistent with the command typed at the command line; when they are inconsistent, command bypass behaviour is identified accurately, and operation and maintenance personnel are notified in time through the Linux illegal operation alarm data. This solves the problem that a command which bypasses an imperfect bastion host checking mechanism goes unrecognised when it is executed on the Linux server: the scheme is not limited by the imperfections of the bastion host's checking mechanism, commands that bypass that mechanism are identified accurately, illegal operations are monitored effectively, and the safety of command execution through the bastion host is ensured.
Optionally, the log parsing module 320 is configured to search the bastion host command execution log based on a preset regular expression and/or a preset keyword, and to determine the current input instruction and the current target instruction to be executed.
Optionally, the Linux illegal operation monitoring device further includes an instruction matching module, configured to match the current input instruction against the current target instruction to be executed based on a preset regular expression and/or a preset keyword.
Optionally, the Linux illegal operation monitoring device further comprises a preset regular expression determining module, used for determining a custom instruction name variable and a sensitive instruction variable, and for taking a regular expression in which the sensitive instruction variable is assigned to the custom instruction name variable as the preset regular expression.
Optionally, the Linux illegal operation monitoring device further includes a preset keyword determining module, configured to use instruction-renaming command keywords or response protocol keywords as the preset keywords.
Optionally, the Linux illegal operation alarm data generating module 330 is configured to determine that the current input instruction does not match the current target instruction to be executed if the current input instruction and the current target instruction to be executed conform to the preset regular expression.
Optionally, the Linux illegal operation alarm data generating module 330 is configured to determine that the current input instruction does not match the current target instruction to be executed if an instruction-renaming command keyword or a response protocol keyword is retrieved and the current input instruction differs from the current target instruction to be executed.
Optionally, the Linux illegal operation monitoring device further includes a data storage module, configured to store the bastion host command execution log on a big data analysis platform.
Optionally, the Linux illegal operation monitoring device further comprises a data transmission and analysis module, used for transmitting the Linux illegal operation alarm data to an auditor's alarm terminal, and for analysing and counting, on the big data analysis platform, the bastion host command execution log entries matched with the Linux illegal operation alarm data.
The Linux illegal operation monitoring device provided by this embodiment of the invention can execute the Linux illegal operation monitoring method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to the executed method.
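As an added illustration (this is not code from the patent or its applicant), the following Python sketch runs the three modules just described over a few constructed bastion host log lines: a preset regular expression built from a custom instruction name variable and a sensitive instruction variable, a preset instruction-renaming keyword, a matching step that compares the command the operator typed with the command the session actually resolved for execution, and an alarm record plus a per-user count for every mismatch. The log field layout (`input=` / `exec=`), the sensitive instruction list and the keywords `alias` and `ln` are assumptions made for this example; a real bastion host writes its own log format and a deployment would load its own policy lists.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines (not taken from any real bastion host). The field
# layout -- timestamp, user, the command the operator typed ("input") and the
# command the session actually resolved for execution ("exec") -- is an
# assumption made for this example.
SAMPLE_LOG = """\
2023-10-07T10:00:01 user=ops1 input="ls -l /var/log" exec="ls -l /var/log"
2023-10-07T10:00:09 user=ops1 input="alias showlog='rm -rf /var/log/audit'" exec="alias showlog='rm -rf /var/log/audit'"
2023-10-07T10:00:15 user=ops1 input="showlog" exec="rm -rf /var/log/audit"
2023-10-07T10:01:02 user=ops2 input="cat /etc/hostname" exec="cat /etc/hostname"
2023-10-07T10:01:30 user=ops2 input="mycmd" exec="useradd svc_tmp"
"""

# Sensitive instruction variable and instruction-renaming command keywords.
# Both lists are assumptions; a deployment would load them from its own policy.
SENSITIVE_INSTRUCTIONS = ("rm", "useradd", "chmod", "passwd")
RENAME_KEYWORDS = ("alias", "ln")

# Parser for the constructed log layout above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+input="(?P<input>[^"]*)"\s+exec="(?P<exec>[^"]*)"$'
)


def build_preset_regex(sensitive=SENSITIVE_INSTRUCTIONS):
    """Preset regular expression: a custom instruction name variable to which a
    sensitive instruction variable is assigned, e.g. name='rm ...' or name=rm."""
    alternatives = "|".join(re.escape(s) for s in sensitive)
    return re.compile(r"(?P<name>[A-Za-z_]\w*)=['\"]?(?P<sensitive>" + alternatives + r")\b")


PRESET_RE = build_preset_regex()


@dataclass
class Entry:
    ts: str
    user: str
    input_cmd: str   # current input instruction
    exec_cmd: str    # current target instruction to be executed


def parse_log(text):
    """Log parsing module: extract the current input instruction and the
    current target instruction to be executed from each log line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not fit the layout are skipped, not guessed at
            entries.append(Entry(m["ts"], m["user"], m["input"], m["exec"]))
    return entries


def first_word(cmd):
    parts = cmd.split()
    return parts[0] if parts else ""


def commands_match(entry):
    """Instruction matching module. Returns (matched, reason)."""
    # Keyword + preset regex: a renaming keyword assigns a sensitive instruction
    # to a custom name (input and exec are identical here, so a plain
    # string comparison alone would not notice).
    if first_word(entry.input_cmd) in RENAME_KEYWORDS and PRESET_RE.search(entry.input_cmd):
        return False, "custom name assigned to sensitive instruction"
    # Plain mismatch: what was typed is not what the session will execute.
    if entry.input_cmd.split() != entry.exec_cmd.split():
        return False, "input differs from command executed"
    return True, ""


def generate_alarms(entries):
    """Alarm data generating module: one record per unmatched entry."""
    alarms = []
    for e in entries:
        ok, reason = commands_match(e)
        if not ok:
            alarms.append({"ts": e.ts, "user": e.user, "input": e.input_cmd,
                           "exec": e.exec_cmd, "reason": reason})
    return alarms


def alarm_stats(alarms):
    """Counting step (the analysis platform's role): alarms per user."""
    return Counter(a["user"] for a in alarms)


def run(text=SAMPLE_LOG):
    """Full pipeline: parse -> match -> alarm records."""
    return generate_alarms(parse_log(text))


if __name__ == "__main__":
    found = run()
    for a in found:
        print(a)
    print(dict(alarm_stats(found)))
```

Of the five constructed lines, three produce alarms: the `alias` definition (flagged by the keyword plus preset regular expression even though input and exec are identical), the later use of that alias, and the unexplained `mycmd` whose executed command differs from what was typed. The per-user count is the kind of aggregate the data transmission and analysis module would hand to an auditor.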
Example IV
Fig. 4 shows a schematic diagram of the structure of an electronic device that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic devices may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the Linux illegal operation monitoring method.
In some embodiments, the linux violation operation monitoring method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into the RAM 13 and executed by the processor 11, one or more steps of the linux violation operation monitoring method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the linux violation operation monitoring method by any other suitable means (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, and which may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A Linux illegal operation monitoring method, characterized by comprising the following steps:
collecting a bastion host command execution log of a Linux server;
parsing the bastion host command execution log, and determining a current input instruction and a current target instruction to be executed;
and generating Linux illegal operation alarm data when the current input instruction does not match the current target instruction to be executed.
2. The method of claim 1, wherein parsing the bastion host command execution log to determine a current input instruction and a current target instruction to be executed comprises:
searching the bastion host command execution log based on a preset regular expression and/or a preset keyword, and determining the current input instruction and the current target instruction to be executed;
after determining the current input instruction and the current target instruction to be executed, the method further comprises:
and matching the current input instruction against the current target instruction to be executed based on a preset regular expression and/or a preset keyword.
3. The method of claim 2, further comprising, prior to searching the bastion host command execution log based on a preset regular expression:
determining a custom instruction name variable and a sensitive instruction variable;
and taking a regular expression in which the sensitive instruction variable is assigned to the custom instruction name variable as the preset regular expression.
4. The method of claim 2, further comprising, prior to searching the bastion host command execution log based on a preset keyword:
and taking instruction-renaming command keywords or response protocol keywords as the preset keywords.
5. The method of claim 3, wherein determining that the current input instruction does not match the current target instruction to be executed comprises:
and if the current input instruction and the current target instruction to be executed conform to the preset regular expression, determining that the current input instruction does not match the current target instruction to be executed.
6. The method of claim 4, wherein determining that the current input instruction does not match the current target instruction to be executed comprises:
and if an instruction-renaming command keyword or a response protocol keyword is retrieved and the current input instruction differs from the current target instruction to be executed, determining that the current input instruction does not match the current target instruction to be executed.
7. The method of claim 1, further comprising, after collecting the bastion host command execution log of the Linux server:
storing the bastion host command execution log on a big data analysis platform;
and, after generating the Linux illegal operation alarm data, the method further comprises:
transmitting the Linux illegal operation alarm data to an auditor's alarm terminal, and analysing and counting, on the big data analysis platform, the bastion host command execution log entries matched with the Linux illegal operation alarm data.
8. A Linux illegal operation monitoring device, comprising:
a log acquisition module, used for collecting a bastion host command execution log of a Linux server;
a log parsing module, used for parsing the bastion host command execution log and determining a current input instruction and a current target instruction to be executed;
and a Linux illegal operation alarm data generating module, used for generating Linux illegal operation alarm data when the current input instruction does not match the current target instruction to be executed.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the Linux illegal operation monitoring method of any of claims 1-7.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores computer instructions which, when executed, cause a processor to implement the Linux illegal operation monitoring method of any of claims 1-7.
CN202311287216.6A 2023-10-07 2023-10-07 Method, device, equipment and medium for monitoring linux illegal operation Pending CN117319044A (en)

Publications (1)

Publication Number Publication Date
CN117319044A true CN117319044A (en) 2023-12-29

Family

ID=89245927


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination