CN117675414A - Command auditing method, system and storage medium - Google Patents

Command auditing method, system and storage medium

Info

Publication number: CN117675414A (granted publication: CN117675414B)
Application number: CN202410130209.3A
Authority: CN (China)
Legal status: granted; active
Original language: Chinese (zh)
Prior art keywords: ssh, auditing, server, information, command
Inventors: 刘永波, 叶锦雄, 陈燕帆
Assignee (original and current): Shenzhen Ankki Technology Co ltd

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
                        • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/40 Network security protocols


Abstract

This application discloses a command auditing method, system and storage medium. The command auditing method comprises the following steps: when an operation command is received, obtaining the corresponding information to be audited, wherein the operation command is sent to an SSH server by an SSH client; sending the information to be audited to an SSH audit server, so that the SSH audit server receives the information to be audited, audits it based on a preset risk control policy to obtain an audit result, and sends the audit result to the SSH server; receiving the audit result; and processing the operation command according to the audit result. With this scheme, even if the user of the SSH client obtains elevated permissions through an abnormal path, no security risk arises, and the security of the SSH server's execution of operation commands is effectively improved.

Description

Command auditing method, system and storage medium
Technical Field
The present application relates to the field of computer network security technologies, and in particular, to a command auditing method, system, and storage medium.
Background
SSH (Secure Shell) is a protocol for secure remote login and other secure network services over an insecure network; by using the SSH protocol, information leakage during remote management can be effectively prevented.
In the usual scenario, the SSH client sends an operation command to the SSH server, and the SSH server decides whether or not to execute it according to the permissions of the SSH client's user, which prevents illegitimate user behaviour to a certain extent. However, if the user of the SSH client obtains elevated permissions through an abnormal path, the SSH server may execute an operation command outside that user's permissions, which creates a security risk.
Disclosure of Invention
The main purpose of this application is to provide a command auditing method, system and storage medium that solve the problem of an SSH server executing an operation command outside the user's permissions and thereby creating a security risk.
To achieve the above object, this application provides a command auditing method applied to an SSH server, the method comprising:
when an operation command is received, obtaining the corresponding information to be audited, wherein the operation command is sent to the SSH server by an SSH client;
sending the information to be audited to an SSH audit server, so that the SSH audit server receives the information to be audited, audits it based on a preset risk control policy to obtain an audit result, and sends the audit result to the SSH server;
receiving the audit result;
and processing the operation command according to the audit result.
Optionally, the step of obtaining the corresponding information to be audited includes:
obtaining the operation command, the operation time corresponding to the operation command, the IP address information of the SSH client, the port information of the SSH client and the login account of the SSH client.
Optionally, before the step of obtaining the corresponding information to be audited when the operation command is received, the method further includes:
modifying the configuration file of the SSH server so that the SSH service program of the SSH server is configured, when an operation command is received, to execute the step of obtaining the corresponding information to be audited and the steps that follow it.
Optionally, the step of processing the operation command according to the audit result includes:
executing the operation command when the audit result is "allow execution";
and discarding the operation command when the audit result is "refuse execution".
An embodiment of this application also provides a command auditing method applied to the SSH audit server, comprising the following steps:
receiving the information to be audited corresponding to an operation command, wherein the information to be audited is obtained by an SSH server when the operation command is received and is sent to the SSH audit server, and the operation command is sent to the SSH server by an SSH client;
auditing the information to be audited based on a preset risk control policy to obtain an audit result;
and sending the audit result to the SSH server, so that the SSH server receives the audit result and processes the operation command according to it.
Optionally, the step of auditing the information to be audited based on a preset risk control policy to obtain an audit result includes:
loading at least one preset risk control policy;
matching the information to be audited against the risk control rules contained in each of the at least one risk control policy, to obtain a rule matching result corresponding to each of the at least one risk control policy;
and determining the audit result according to the rule matching result corresponding to each of the at least one risk control policy.
Optionally, the step of determining the audit result according to the rule matching result corresponding to each of the at least one risk control policy includes:
determining a risk control policy all of whose risk control rules are satisfied by the information to be audited as the target risk control policy;
and determining, according to the target risk control policy, that the corresponding audit result is "allow execution", or determining, according to the target risk control policy, that the corresponding audit result is "refuse execution".
Optionally, the information to be audited includes the operation command, the operation time corresponding to the operation command, the IP address information of the SSH client, the port information of the SSH client and the login account of the SSH client, and the step of matching the information to be audited against the risk control rules contained in the at least one risk control policy to obtain the rule matching result corresponding to each policy includes:
matching the operation command, the operation time corresponding to the operation command, the IP address information of the SSH client, the port information of the SSH client and the login account of the SSH client against the risk control rules contained in each of the at least one risk control policy, to obtain the rule matching result corresponding to each of the at least one risk control policy.
An embodiment of this application also provides a command auditing system comprising a memory, a processor and a command auditing program stored in the memory and runnable on the processor, wherein the command auditing program, when executed by the processor, implements the steps of the command auditing method.
An embodiment of this application also provides a computer-readable storage medium storing a command auditing program which, when executed by a processor, implements the steps of the command auditing method.
According to the command auditing method, system and storage medium of this application, when an operation command is received, the corresponding information to be audited is obtained, wherein the operation command is sent to the SSH server by an SSH client; the information to be audited is sent to an SSH audit server, so that the SSH audit server receives it, audits it based on a preset risk control policy to obtain an audit result, and sends the audit result to the SSH server; the audit result is received; and the operation command is processed according to the audit result. With this scheme, when the SSH server receives an operation command from the SSH client, it does not execute the command directly; instead it obtains the information to be audited corresponding to the command and sends it to the SSH audit server, which audits the information, obtains a corresponding audit result and feeds the result back to the SSH server. The audit result indicates whether the operation command carries a security risk, and the SSH server processes the command according to it. Even if the user of the SSH client obtains elevated permissions through an abnormal path, the security risk is avoided, and the security of the SSH server's execution of operation commands is effectively improved.
Drawings
FIG. 1 is a flowchart of a first exemplary embodiment of the command auditing method of the present application;
FIG. 2 is a flowchart of a second exemplary embodiment of the command auditing method of the present application;
FIG. 3 is a flowchart of a third exemplary embodiment of the command auditing method of the present application;
FIG. 4 is a flowchart of a fourth exemplary embodiment of the command auditing method of the present application;
FIG. 5 is a flowchart of a fifth exemplary embodiment of the command auditing method of the present application;
FIG. 6 is a flowchart of a sixth exemplary embodiment of the command auditing method of the present application;
FIG. 7 is a flowchart of a seventh exemplary embodiment of the command auditing method of the present application;
FIG. 8 is a flowchart of an eighth exemplary embodiment of the command auditing method of the present application.
The realization, functional characteristics and advantages of the present application will be further described with reference to the embodiments and the attached drawings.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The main solution of the embodiments of this application is: when an operation command is received, obtaining the corresponding information to be audited, wherein the operation command is sent to the SSH server by an SSH client; sending the information to be audited to an SSH audit server, so that the SSH audit server receives it, audits it based on a preset risk control policy to obtain an audit result, and sends the audit result to the SSH server; receiving the audit result; and processing the operation command according to the audit result. With this scheme, when the SSH server receives an operation command from the SSH client, it does not execute the command directly; instead it obtains the information to be audited corresponding to the command and sends it to the SSH audit server, which audits the information, obtains a corresponding audit result and feeds the result back to the SSH server. The audit result indicates whether the operation command carries a security risk, and the SSH server processes the command according to it. Even if the user of the SSH client obtains elevated permissions through an abnormal path, the security risk is avoided, and the security of the SSH server's execution of operation commands is effectively improved.
Referring to FIG. 1, a first embodiment of the command auditing method of this application is shown as a flowchart; the method is applied to an SSH server and includes:
Step A10: when an operation command is received, obtaining the corresponding information to be audited, wherein the operation command is sent to the SSH server by an SSH client.
Specifically, SSH (Secure Shell) is a protocol for secure remote login and other secure network services over an insecure network; by using the SSH protocol, information leakage during remote management can be effectively prevented.
In the usual scenario, the SSH client sends an operation command to the SSH server, and the SSH server decides whether or not to execute it according to the permissions of the SSH client's user, which prevents illegitimate user behaviour to a certain extent. However, if the user of the SSH client obtains elevated permissions through an abnormal path, the SSH server may execute an operation command outside that user's permissions, which creates a security risk.
To address this problem, this application provides a command auditing method that effectively improves security. This implementation involves an SSH client, an SSH server and an SSH audit server, whose definitions and functions are as follows:
(1) SSH client:
Definition: an SSH client is software running on a computer or device that connects to an SSH server. It allows the user to log into the SSH server remotely over an encrypted connection and to execute commands or transfer files.
Function: the SSH client sends connection requests to the SSH server, verifies the user's identity and executes the commands the user specifies.
(2) SSH server:
Definition: an SSH server is a computer or device running an SSH service. It listens for connection requests from SSH clients and allows or denies remote access depending on the credentials the user provides. The SSH server handles user authentication and authorization.
Function: the SSH server provides a secure communication channel through which a user can execute commands and access files on the remote system, with all communication encrypted.
(3) SSH audit server:
Definition: the SSH audit server is a server that monitors and logs SSH connections and operations. It collects audit information from the SSH server, analyses and records it, generates audit reports when required, and stores and retrieves the audit records.
Function: the SSH audit server tracks user activity, detects potential security threats and ensures compliance with the security policies of the organization or system. It can record user logins, executed commands and other related operational information.
The relationship among the SSH client, the SSH server and the SSH audit server is as follows: the SSH client establishes an encrypted connection to the SSH server over the SSH protocol and performs remote login and command execution through it. The SSH server processes the client's connection request, verifies the user's identity and controls the user's access according to the authorization. The SSH audit server provides auditing of the operations occurring in the system by listening to and logging the activity of the SSH server, and so helps monitor and maintain the security of the system through the audit information.
Thus, in a complete command audit flow, an operation command is first sent by the SSH client to the SSH server. The SSH server may host a variety of services, including MySQL databases, big-data components and application containers (e.g. Tomcat), so the operation command may be a database operation (e.g. connecting to a MySQL database and running an SQL query or modification); a big-data operation (e.g. operating HDFS with Hadoop commands, or operating an HBase database with the HBase shell); an application-container operation (e.g. starting or stopping a Tomcat service, changing directory permissions, performing sensitive operations); a user-permission management operation (e.g. permission management for SSH users and for database users); an access-control operation (e.g. ABAC (attribute-based access control) or RBAC (role-based access control) for the user); or a sensitive operation, such as one that may affect system stability.
Notably, operation commands are sent over the secure channel established between the SSH client and the SSH server, also called the SSH session. When the user enters an operation command at the SSH client, it is transmitted to the SSH server through the already established secure channel.
Accordingly, the SSH server receives the operation command sent by the SSH client. When an operation command is received, the SSH server obtains the information to be audited corresponding to it. The information to be audited consists of the key details the SSH server extracts when it receives an operation command, including the operation command, the operation time, the IP address of the SSH client, the port information, the login account and so on, and is used to audit and record the activity of the SSH client on the SSH server.
Step A20: sending the information to be audited to an SSH audit server, so that the SSH audit server receives it, audits it based on a preset risk control policy to obtain an audit result, and sends the audit result to the SSH server.
Specifically, the SSH server of this embodiment is configured not to execute the operation command directly after receiving it, but to send the information to be audited to the SSH audit server, which performs the related audit processing.
The risk control policies of the SSH audit server are preset, and there may be one or more of them. A risk control policy consists of risk control rules and the action that is triggered when the rules are satisfied. Auditing the information to be audited against the risk control policies is in practice a process of matching the information against the risk control rules of each policy and deriving the audit result from the rule matching results.
For example, the SSH audit server is provided with risk control policy 1, risk control policy 2 and risk control policy 3, and the rule matching result shows that the information to be audited satisfies all the risk control rules of policy 3; policy 3 is therefore determined to be the target risk control policy. If policy 3 is defined so that satisfying all of its rules triggers execution of the operation command, the audit result is "allow execution"; if policy 3 is defined so that satisfying all of its rules triggers discarding of the operation command, the audit result is "refuse execution". The SSH audit server then feeds back (sends) the audit result to the SSH server.
In one possible implementation, the risk control policies are stored in a risk control module of the SSH audit server, and that module performs the rule matching and determines the audit result.
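The rule matching of step A20, as an added worked example (Python written for this page, not the applicant's implementation): an in-memory audit engine holding several risk control policies, each a set of rules over the five items of information to be audited plus the action it triggers. A policy all of whose rules match is the target policy, as in the text above. The rule kinds (command regex, account glob, source CIDR, client port range, time window), the policy shape, the tie-breaks ("deny" wins when several targets conflict; no target means the caller's default applies) and the sample policies and requests are all assumptions of this example and are not stated in the patent.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
import re


@dataclass
class AuditInfo:
    """The five items of information to be audited (step A11)."""
    command: str
    op_time: datetime
    client_ip: str
    client_port: int
    account: str


@dataclass
class Policy:
    """One risk control policy: a set of rules plus the action triggered
    when every rule is satisfied (the patent's "target" policy)."""
    name: str
    action: str                      # "allow" or "deny"
    rules: dict = field(default_factory=dict)


def rule_matches(kind: str, value, info: AuditInfo) -> bool:
    """Evaluate one rule of the given kind against the audit information.
    The rule kinds are this example's own vocabulary (assumption)."""
    if kind == "command_regex":
        return re.search(value, info.command) is not None
    if kind == "account_glob":
        return fnmatch(info.account, value)
    if kind == "source_cidr":
        return ip_address(info.client_ip) in ip_network(value)
    if kind == "port_range":
        low, high = value
        return low <= info.client_port <= high
    if kind == "time_window":        # "HH:MM-HH:MM", inclusive, same day
        start, end = (time.fromisoformat(t) for t in value.split("-"))
        return start <= info.op_time.time() <= end
    raise ValueError(f"unknown rule kind: {kind!r}")


def match_policies(info: AuditInfo, policies: list) -> dict:
    """Rule matching results, keyed by policy name, then by rule kind."""
    return {p.name: {kind: rule_matches(kind, val, info)
                     for kind, val in p.rules.items()}
            for p in policies}


def audit(info: AuditInfo, policies: list, default: str = "deny") -> tuple:
    """Return (result, target policy name). A policy is a target only when
    all of its rules match. If several targets disagree, "deny" wins
    (fail closed); with no target the caller's default applies.
    Both tie-break choices are this example's assumptions."""
    results = match_policies(info, policies)
    targets = [p for p in policies if p.rules and all(results[p.name].values())]
    if not targets:
        return default, None
    denies = [p for p in targets if p.action == "deny"]
    chosen = denies[0] if denies else targets[0]
    return chosen.action, chosen.name


# Constructed sample policies (not from the patent).
SAMPLE_POLICIES = [
    Policy("block-destructive", "deny",
           {"command_regex": r"\brm\s+-\w*r\w*\s+/"}),
    Policy("block-sudo-for-dev", "deny",
           {"command_regex": r"^\s*sudo\b", "account_glob": "dev-*"}),
    Policy("ops-service-window", "allow",
           {"command_regex": r"^\s*(systemctl|service)\s",
            "account_glob": "ops-*",
            "source_cidr": "10.0.0.0/8",
            "time_window": "08:00-18:00"}),
]


def sample_decision(command: str, account: str, hour: int = 10) -> tuple:
    """Audit a constructed request from 10.1.2.3:51000 at the given hour."""
    info = AuditInfo(command, datetime(2024, 1, 26, hour, 30),
                     "10.1.2.3", 51000, account)
    return audit(info, SAMPLE_POLICIES)


if __name__ == "__main__":
    for cmd, acct, hour in [("systemctl restart tomcat", "ops-alice", 10),
                            ("systemctl restart tomcat", "ops-alice", 23),
                            ("rm -rf /var/lib/mysql", "ops-alice", 10),
                            ("sudo passwd root", "dev-bob", 10)]:
        print(f"{acct:10} {cmd!r:32} -> {sample_decision(cmd, acct, hour)}")
```

The per-rule results returned by match_policies are what the audit server would write to its audit log alongside the decision, so that a refused command can later be traced to the exact rule that fired; the default of "deny" for a request that matches no policy is the conservative choice for a control whose purpose is to stop commands the user's ordinary permissions should not have allowed.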
Step A30: receiving the audit result.
Specifically, the SSH server receives the audit result fed back by the SSH audit server, so that it can subsequently take the corresponding measures according to the content of the result, ensuring the security and compliance of the system.
Step A40: processing the operation command according to the audit result.
Specifically, one operation command has exactly one audit result, which is either "allow execution" or "refuse execution". The audit result is the decision on the operation command, indicating whether the SSH server is permitted to execute it.
When the audit result is "allow execution", the SSH server executes the operation command; when the audit result is "refuse execution", the SSH server discards the operation command.
In this embodiment, when the SSH server receives an operation command from an SSH client, it does not execute the command directly; instead it obtains the information to be audited corresponding to the command and sends it to the SSH audit server, which audits the information, obtains a corresponding audit result and feeds the result back to the SSH server. The audit result indicates whether the operation command carries a security risk, and the SSH server processes the command according to it. Even if the user of the SSH client obtains elevated permissions through an abnormal path, the security risk is avoided, and the security of the SSH server's execution of operation commands is effectively improved.
Further, referring to FIG. 2, the second embodiment of the command auditing method of this application refines, on the basis of the embodiment of FIG. 1, the "obtaining the corresponding information to be audited" of step A10 into:
Step A11: obtaining the operation command, the operation time corresponding to the operation command, the IP address information of the SSH client, the port information of the SSH client and the login account of the SSH client.
Specifically, the information to be audited comprises five items: the operation command, the operation time corresponding to the operation command, the IP address information of the SSH client, the port information of the SSH client and the login account of the SSH client. They are obtained as follows:
(1) Obtaining the operation command: the operation command is sent by the SSH client, and the SSH server obtains it directly. Operation commands may be of many kinds, such as file operations (e.g. ls, cp), system administration (e.g. sudo commands), database queries, etc.
(2) Obtaining the operation time corresponding to the operation command: the timestamp of the user's operation is obtained, i.e. the time at which the user entered the operation command at the SSH client. This records the time of the operation for subsequent auditing and logging.
(3) Obtaining the IP address information of the SSH client: the IP address of the client connected to the SSH server is identified. This helps determine the source of the operation, giving network location information about the user.
(4) Obtaining the port information of the SSH client: the port number used by the SSH client's connection to the SSH server is obtained. This helps identify and distinguish different SSH connections.
(5) Obtaining the login account of the SSH client: the user account that initiated the operation, i.e. the user logged in at the SSH client, is identified. This is key information for auditing, used to track and record each user's activity.
In some possible implementations, only some of the operation command, the operation time corresponding to the operation command, the IP address information of the SSH client, the port information of the SSH client and the login account of the SSH client may be selected as the information to be audited; alternatively, further information may be added to these five items as information to be audited.
In this embodiment, by obtaining the operation command, the operation time and the client information of the SSH client as the information to be audited, remote operations are comprehensively monitored and user behaviour is audited in fine detail. This helps detect potential threats in time, strengthens control over remote access, prevents sensitive operations and maintains the security and stability of the system.
Further, referring to FIG. 3, the third embodiment of the command auditing method of this application, on the basis of the embodiment of FIG. 1, further includes before step A10 (obtaining the corresponding information to be audited when the operation command is received):
Step A001: modifying the configuration file of the SSH server so that the SSH service program of the SSH server is configured, when an operation command is received, to execute the step of obtaining the corresponding information to be audited and the steps that follow it.
Specifically, the SSH server runs an SSH service program, such as OpenSSH, which provides encrypted remote login, file transfer and command execution, ensures secure communication, and supports auditing and tunnelling for system administration and data transfer.
The SSH server also has a configuration file, such as sshd_config, containing the configuration options of the SSH server. Editing this file lets the administrator specify settings such as the port to listen on, the permitted authentication methods, the users allowed to log in, etc. Changes to the configuration file directly affect the behaviour of the SSH service program, because the program reads the file and configures itself according to the administrator's settings. Thus, by editing configuration files such as sshd_config, the administrator can customize the behaviour of the SSH server, including audit operations, security policies and access control.
The main action of this embodiment is therefore to modify the configuration file of the SSH server. After the file is modified, the SSH service usually has to be restarted for the new configuration to take effect. Under the modified configuration, the SSH service program executes the step of obtaining the corresponding information to be audited (step A10) and the following steps when an operation command is received. Hence, when it receives an operation command from an SSH client, the SSH service program does not execute the command directly but obtains the corresponding information to be audited and sends it to the SSH audit server, which completes the audit of that information.
In this embodiment, by modifying the configuration file of the SSH server, the SSH server actively obtains and sends the information to be audited to the SSH audit server when it receives an operation command, strengthening the integration of the SSH server and the SSH audit server. This optimizes the audit flow, prevents potential threats and improves the security and management efficiency of the system.
Further, referring to fig. 4, a flowchart is provided in a fourth embodiment of the command auditing method, based on the embodiment shown in fig. 1, the "process the operation command according to the auditing result" in step a40 is further refined, and includes:
Step A41, executing the operation command under the condition that the auditing result is allowed to be executed;
and step A42, discarding the operation command under the condition that the audit result is refusal to execute.
In particular, the method comprises the steps of,
in one case, the SSH server examines the audit results and if the result is "allow execution," it means that the audit server allows the user to execute the corresponding operation command. At this point, the SSH server continues to execute the operation command entered by the user at the SSH client, which includes invoking the corresponding system command or application to complete the operation requested by the user. In addition, the SSH server may record user operations, including commands executed, operation time, etc., in an audit log of the system to audit and monitor system activity.
In another case, the SSH server examines the audit result and if the result is "refusal to execute", it means that the audit server prohibits the user from executing the corresponding operation command. At this time, the SSH server prevents the user from operating, does not execute the command input by the user at the SSH client, and may return an error message corresponding to the rejection of the execution to the user. In addition, events that are denied execution, including commands that are denied execution, time of operation, user information, etc., may be recorded in an audit log of the system to audit and monitor system activity.
Notably, "discarding the operation command" means that, if the audit result is "refusal to execute", the SSH server will not execute the operation command input by the user at the SSH client. The specific implementation may vary depending on the design of the system and application. The following are some possible implementations:
(1) Terminating execution of the operation command: if the audit result is refusal to execute, a termination signal (such as SIGTERM) is sent to the corresponding process so that execution of the command is stopped.
(2) Not starting a new process to execute the command: if the audit result is refusal to execute, the SSH server may simply not start a new process to execute the user's operation command, thereby discarding the operation command.
(3) Returning an error message: when the audit result is refusal to execute, the SSH server may return a corresponding error message to the SSH client indicating that the operation command cannot be executed, so that the user knows the operation command was refused.
In this embodiment, the operation command is handled flexibly according to the audit result, improving the automatic response capability of the system. When execution is allowed, legitimate operations take effect quickly and working efficiency is improved; when execution is refused, the potential risk is stopped promptly, unauthorized access or malicious operations are effectively prevented, and security management and control of the system are strengthened.
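As an added illustration of the third and fourth embodiments (this is example code, not the patent's own implementation), the following Python script shows one way the SSH server side could be realised with sshd's existing ForceCommand directive: a `Match User ops-*` block in sshd_config with `ForceCommand /usr/local/bin/ssh-audit-wrapper` makes sshd run the wrapper instead of the requested command. The wrapper builds the information to be audited from the environment variables sshd sets for a forced command (SSH_ORIGINAL_COMMAND, SSH_CONNECTION, USER), obtains an allow/deny verdict from the audit server, and then either executes the command or discards it with an error message (steps A41 and A42). The HTTP/JSON transport, the endpoint URL, the field names and the exit status are assumptions; the patent does not specify them.

```python
"""Forced-command wrapper for per-command SSH auditing.

Added example, not the patent's code.  Assumes the audit server exposes an
HTTP endpoint that accepts the information to be audited as JSON and answers
{"result": "allow"} or {"result": "deny"}.
"""
import json
import os
import sys
import time
from urllib import request

# Assumed endpoint; the patent does not define the transport between the
# SSH server and the SSH audit server.
AUDIT_URL = os.environ.get("AUDIT_URL", "http://audit.example.invalid/audit")


def collect_audit_info(env, now=None):
    """Build the information to be audited (step A10) from the environment
    sshd provides to a forced command: SSH_ORIGINAL_COMMAND is the command the
    client asked for and SSH_CONNECTION is "client_ip client_port server_ip
    server_port".  `now` is a UNIX timestamp, defaulting to the current time."""
    conn = env.get("SSH_CONNECTION", "").split()
    client_ip = conn[0] if len(conn) >= 1 else ""
    client_port = int(conn[1]) if len(conn) >= 2 and conn[1].isdigit() else 0
    return {
        "command": env.get("SSH_ORIGINAL_COMMAND", ""),
        "time": int(now if now is not None else time.time()),
        "client_ip": client_ip,
        "client_port": client_port,
        "account": env.get("USER") or env.get("LOGNAME", ""),
    }


def request_verdict(info, url=AUDIT_URL, timeout=5.0):
    """Send the info to the audit server (step A20) and return "allow" or
    "deny".  Fails closed: any transport or protocol error counts as deny."""
    body = json.dumps(info).encode()
    req = request.Request(url, data=body,
                          headers={"Content-Type": "application/json"})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            verdict = json.load(resp).get("result")
    except Exception:
        return "deny"
    return "allow" if verdict == "allow" else "deny"


def decide(info, verdict):
    """Map the audit result to the wrapper's action (steps A41/A42).
    Returns (argv to exec or None, message for the client, exit status)."""
    if not info["command"]:
        # No SSH_ORIGINAL_COMMAND means an interactive shell was requested;
        # individual commands typed into a shell cannot be audited this way.
        return None, "interactive sessions are not permitted here", 1
    if verdict == "allow":
        return ["/bin/sh", "-c", info["command"]], "", 0
    # EX_NOPERM (77) from sysexits.h, chosen here to signal a refused command.
    return None, "audit refused execution of: " + info["command"], 77


def main():
    info = collect_audit_info(os.environ)
    verdict = request_verdict(info)
    argv, message, status = decide(info, verdict)
    if argv is None:
        # Discard the command: no new process is started and the user is told why.
        print(message, file=sys.stderr)
        sys.exit(status)
    # Allowed: replace the wrapper with the requested command.
    os.execv(argv[0], argv)


if __name__ == "__main__":
    main()
```

One practical caveat the example makes visible: a forced-command wrapper only sees commands passed as `ssh host command`; a plain interactive login arrives with SSH_ORIGINAL_COMMAND unset, so auditing commands typed into an interactive shell needs session capture on the server rather than this wrapper.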
Referring to fig. 5, which is a schematic flowchart of a fifth embodiment of the command auditing method of the present application, the method is applied to an SSH auditing server and includes:
step B10, receiving information to be audited corresponding to an operation command, wherein the information to be audited is obtained by an SSH server when the operation command is received and is sent to the SSH audit server, and the operation command is sent to the SSH server by an SSH client;
step B20, auditing the information to be audited based on a preset wind control strategy to obtain an auditing result;
and step B30, sending the auditing result to the SSH server so that the SSH server can receive the auditing result and process the operation command according to the auditing result.
Specifically, SSH (Secure Shell protocol) is a protocol for secure remote login and other secure network services over an insecure network; by using the SSH protocol, information leakage during remote management can be effectively prevented.
In a typical application scenario, the SSH client sends an operation command to the SSH server, and the SSH server chooses to execute or not execute the corresponding operation command according to the authority of the user of the SSH client, so that illegal user behavior can be avoided to a certain extent. However, if the user of the SSH client escalates privileges through an abnormal path, the SSH server may execute an operation command that is outside the user's authority, which creates a security risk.
To address this problem, the present application provides a command auditing method that effectively improves security. First, this implementation involves an SSH client, an SSH server and an SSH audit server, defined as follows:
(1) SSH Client (SSH Client):
definition: an SSH client is software running on a computer or device connected to an SSH server. It allows the user to remotely log into the SSH server by encryption and execute commands or transfer files.
The functions are as follows: the SSH client is responsible for sending connection requests to the SSH server, verifying the user's identity, and executing user-specified commands.
(2) SSH Server (SSH Server):
definition: an SSH server is a computer or device running an SSH service. It listens for connection requests from SSH clients and allows or denies remote access depending on credentials provided by the user. The SSH server manages user authentication and authorization.
Functions: the SSH server provides a secure communication channel through which a user can execute commands and access files on the remote system, with all communications encrypted.
(3) SSH audit server (SSH Auditing Server):
definition: the SSH audit server is a server for monitoring and logging SSH connections and operations. It gathers audit information from the SSH servers, analyzes and records the information, and generates audit reports when needed.
The functions are as follows: SSH audit servers are used to track user activity, detect potential security threats, and ensure compliance with an organization or system's security policies. It may record user login, commands to execute, and other related operational information.
The relationship among the SSH client, the SSH server and the SSH audit server is as follows: the SSH client establishes encrypted connection with the SSH server through an SSH protocol, and performs remote login and command execution. The SSH server is responsible for processing the connection request of the SSH client, verifying the identity of the user and controlling the access authority of the user according to the authorization. The SSH audit server provides audit functions for operations occurring in the system by listening and logging the activities of the SSH server. It helps monitor and maintain the security of the system through audit information.
Thus, in a complete command audit flow, an operation command is first sent by the SSH client to the SSH server. The SSH server may host a variety of services, including a Mysql database, big data objects and application containers (e.g., Tomcat), so the operation command may be a database operation, e.g., connecting to the Mysql database and performing an SQL query or modification; a big data object operation, e.g., operating on HDFS with Hadoop commands or on an HBase database with the HBase Shell; an application container operation, such as starting or stopping a Tomcat service, changing directory permissions or performing sensitive operations; a user rights management operation, e.g., rights management for SSH users or for database users; a rights management operation, such as ABAC (attribute-based access control) or RBAC (role-based access control) for the user; or a sensitive operation, such as one that may affect system stability.
Notably, the operation commands are sent over a secure channel established between the SSH client and the SSH server, also referred to as an SSH session. When an SSH client inputs an operation command, the operation command is transmitted to the SSH server through an already established secure channel.
Accordingly, the SSH server receives the operation command sent by the SSH client. When the operation command is received, the SSH server acquires the information to be audited corresponding to it. The information to be audited consists of the key details the SSH server extracts when it receives an operation command, including the operation command, the operation time, the IP address of the SSH client, port information, the login account and the like, and is used for auditing and recording the activities of the SSH client on the SSH server.
The SSH server of the present embodiment is configured not to directly execute the operation command after receiving the operation command, but to send information to be audited to the SSH audit server, and the SSH audit server performs related audit processing.
The wind control (risk control) strategy of the SSH audit server is preset, and there may be one or more wind control strategies. A wind control strategy comprises wind control rules and the action that is triggered and executed when the rules are met. Auditing the information to be audited based on the wind control strategy is therefore a process of matching the information to be audited against the wind control rules of each wind control strategy and deriving an audit result from the rule matching result.
For example, the SSH audit server is provided with a wind control policy 1, a wind control policy 2 and a wind control policy 3, and the rule matching result indicates that the information to be audited meets all wind control rules of wind control policy 3, so wind control policy 3 can be determined as the target wind control policy. If wind control policy 3 is defined to trigger execution of the operation command when all its wind control rules are met, the audit result can be determined as "allowed to execute"; if wind control policy 3 is defined to trigger discarding of the operation command when all its wind control rules are met, the audit result can be determined as "refused to execute". The SSH audit server may then feed back (send) the audit result to the SSH server.
In one possible implementation, the above-mentioned wind control policies may be stored in a wind control module of the SSH audit server, and the wind control module performs the relevant steps of rule matching and determining the audit result.
The SSH server receives the auditing result fed back by the SSH auditing server, so that corresponding measures can be taken subsequently according to the content of the auditing result, and the safety and compliance of the system are ensured.
Only one audit result corresponds to one operation command, namely either allowed to execute or refused to execute. The audit result represents a decision on the operation command, indicating whether the SSH server is permitted to execute it.
Under the condition that the auditing result is that the execution is allowed, the SSH server executes the operation command; and under the condition that the auditing result is refusal to execute, the SSH server discards the operation command.
In this embodiment, when receiving an operation command from an SSH client, the SSH server does not execute the operation command directly, but obtains the information to be audited corresponding to the operation command and sends it to the SSH audit server; the SSH audit server completes the audit of the information to be audited, obtains a corresponding audit result, and feeds the audit result back to the SSH server. The audit result represents whether the operation command carries a security risk, and the SSH server can process the operation command according to it. Even if the user of the SSH client escalates privileges through an abnormal path, the security risk is avoided, and the security of the SSH server when executing operation commands is effectively improved.
Further, referring to fig. 6, which is a flowchart of a sixth embodiment of the command auditing method, based on the embodiment shown in fig. 5, step B20 "auditing the information to be audited based on a preset wind control policy to obtain an auditing result" is further refined and includes:
Step B21, loading at least one preset wind control strategy;
step B22, matching the information to be checked with the wind control rules contained in the at least one wind control strategy to obtain rule matching results corresponding to the at least one wind control strategy;
and step B23, determining the auditing result according to the rule matching result corresponding to each of the at least one wind control strategy.
Specifically, to implement command auditing, the SSH auditing server first needs to load at least one preset wind control policy. A wind control policy is a set of rules and specifications predefined and configured in a system or network for controlling and managing user operations, guarding against potential risks, and ensuring the security and compliance of the system. The wind control policy may include the following types of wind control rules:
(1) User rights management: defines the user's access rights to system resources, including files, directories, network services, etc. This may involve ABAC (attribute-based access control) or RBAC (role-based access control) rules.
(2) Operation type control: specifies the types of operations that are allowed or prohibited, including command execution, file transfer, database queries, and the like. This helps guard against potentially malicious behavior.
(3) Time range limitation: defines a period during which the user may perform an operation, so as to limit the user's activity to particular times. This helps improve the security of the system.
(4) Network access control: determines from which IP addresses or network segments the user may connect, to control the security of external connections.
(5) Audit log requirements: specifies the audit logging requirements for system activity, including which information to record, how long to keep it, etc. This helps meet compliance requirements.
(6) Sensitive operation monitoring: sets additional audit and monitoring rules for sensitive operations in the system (e.g., changing configuration, accessing sensitive data, etc.).
(7) Abnormal behavior detection: formulates rules for detecting abnormal or potentially threatening behavior, so that possible security issues can be responded to and guarded against in time.
(8) Compliance requirements: sets the regulations and compliance requirements of the industry or region in which the organization is located, to ensure that the system meets the relevant standards.
In a computer system, "loading" generally refers to introducing some configuration or data into the memory of the system so that the system can use the configuration or data at runtime. In this embodiment, loading the wind control policy refers to loading the wind control policy into the memory of the SSH audit server, so that the SSH audit server can access the wind control rules and other contents in the wind control policy in real time for a subsequent audit process.
Further, the SSH audit server matches the information to be audited with the wind control rules contained in the at least one wind control strategy respectively, and a rule matching result corresponding to the at least one wind control strategy respectively is obtained. Then, the SSH audit server determines an audit result according to the rule matching result corresponding to each of the at least one wind control strategy.
For example, the SSH audit server is provided with a wind control policy 1, a wind control policy 2 and a wind control policy 3, and the rule matching result indicates that the information to be audited meets all wind control rules of wind control policy 3, so wind control policy 3 can be determined as the target wind control policy. If wind control policy 3 is defined to trigger execution of the operation command when all its wind control rules are met, the audit result can be determined as "allowed to execute"; if wind control policy 3 is defined to trigger discarding of the operation command when all its wind control rules are met, the audit result can be determined as "refused to execute". The SSH audit server may then feed back (send) the audit result to the SSH server.
In this embodiment, intelligent auditing of the information to be audited is achieved by loading preset wind control strategies. The rule matching result shows which wind control strategies take effect, which helps to find and prevent potential threats in time and improves system security.
Further, referring to fig. 7, which is a flowchart of a seventh embodiment of the command auditing method, based on the embodiment shown in fig. 6, step B23 "determining the auditing result according to the rule matching result corresponding to each of the at least one wind control policy" is further refined and includes:
step B231, determining the wind control strategy whose wind control rules are all met by the information to be audited as a target wind control strategy;
step B232, determining that the corresponding audit result is allowed to be executed according to the target wind control strategy; or determining that the corresponding audit result is refused to be executed according to the target wind control strategy.
Specifically, for each preset wind control strategy, it is checked whether the information to be audited meets the wind control rules in that strategy. If all the wind control rules in a wind control strategy are matched successfully, that strategy is determined to be the target wind control strategy. If the target wind control strategy is defined to trigger execution of the operation command when all its wind control rules are met, the audit result can be determined as "allowed to execute"; if the target wind control strategy is defined to trigger discarding of the operation command when all its wind control rules are met, the audit result can be determined as "refused to execute".
Notably, in one possible implementation, if multiple wind control policies match successfully, the SSH audit server selects one of them as the target wind control policy. The selection may be based on factors such as priority, policy type, etc.
In this embodiment, a finer audit decision is implemented by defining a target wind control policy that meets all the wind control rules. In the case of permission execution, ensuring that legal operations conforming to all security regulations are executed; under the condition of refusing to execute, the operation which does not accord with the specification is prevented, and the defensive response of the system to illegal behaviors is improved, so that the real-time management and control of potential risks is enhanced.
Further, referring to fig. 8, which is a flowchart of an eighth embodiment of the command auditing method of the present application, based on the embodiment shown in fig. 6, the information to be audited includes the operation command, the operation time corresponding to the operation command, the IP address information of the SSH client, the port information of the SSH client and the login account of the SSH client, and step B22 "matching the information to be audited with the wind control rules contained in the at least one wind control policy to obtain a rule matching result corresponding to the at least one wind control policy" is further refined and includes:
And step B221, matching the operation command, the operation time corresponding to the operation command, the IP address information of the SSH client, the port information of the SSH client, the login account of the SSH client and the wind control rules respectively contained in the at least one wind control strategy to obtain rule matching results respectively corresponding to the at least one wind control strategy.
Specifically:
the SSH audit server extracts key data such as an operation command, operation time corresponding to the operation command, IP address information of the SSH client, port information of the SSH client, a login account of the SSH client and the like from the received to-be-audited information. Then, traversing the loaded at least one wind control strategy, and matching the extracted to-be-examined information with wind control rules contained in each wind control strategy. The matching may be based on conditions defined in the wind control rules, such as:
operation command matching: ensuring that the operation command conforms to the allowed or forbidden operation type defined in the rule;
operation time matching: checking whether the operation time is within an allowable time range defined in the rule;
IP address matching: verifying whether the IP address of the SSH client is within an allowable address range defined in the rule;
Port information matching: ensuring that ports used by SSH clients meet the restrictions in the rules;
login account matching: and checking whether the login account of the SSH client meets the requirements in the rule.
Based on the matching process, a rule matching result can be obtained, and the matching result is used for determining a target wind control strategy.
If, as one possible scenario, the wind control policy involves wind control rules related to Mysql database, big data object, application container class, etc., then the process of matching may be further extended, including rule validation for these specific components. For example:
(1) Database rights matching: if the rules relate to a Mysql database, it may be necessary to verify that the user's rights of operation on the database are in compliance with the rules.
DDL rights: for rights in the Data Definition Language (DDL), a user may be allowed or prohibited from creating, modifying or deleting structural elements such as databases, tables, indexes, and the like.
DML rights: for the rights of the Data Manipulation Language (DML), the user may be prescribed to permit or prohibit operations of inserting, updating, deleting data in the database.
DCL rights: for rights in the Data Control Language (DCL), the user may be prescribed to permit or prohibit the authorization, revocation, etc. of the rights.
ABAC authority management: attribute-based access control (ABAC) may require that the user's operational rights match the attributes they have (e.g., user roles, organizations, etc.).
(2) Big data object rights matching: if the rule relates to a large data object, it may be necessary to verify the user's rights to the large data object.
HDFS rights: for the rights of the Hadoop Distributed File System (HDFS), a user may be specified to allow or prohibit operations such as reading and writing files and directories and changing rights.
HBase rights: for the rights of the Hadoop database (HBase), a user may be allowed or prohibited from performing operations such as creating, deleting, updating and querying tables, managing column families, and the like.
(3) Application container class rights matching: if the rule relates to an application container class (e.g., tomcat), it may be necessary to verify the user's rights to the application container.
Changing configuration rights: the user may be prescribed to enable or disable modification of the configuration file of the application container, including ports, connection pool settings, etc.
Directory rights: for the directory rights of the application container, the user may be prescribed to allow or prohibit reading and writing, execution, etc. of a particular directory.
Sensitive operation authority: if the application container contains sensitive operations (e.g., shut down services, restart, etc.), the user may need the corresponding rights to perform or be prohibited from performing these operations.
In this embodiment, by carefully matching the operation command, time, and client information, a more comprehensive audit is achieved. Matching the key information with the wind control rules of the wind control strategy provides a more specific audit result, is helpful for understanding the compliance of each operation, reduces the false alarm rate, and enhances the sensitivity capture of potential threats.
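The matching logic of the sixth through eighth embodiments (steps B21 to B23 and B221), written out as an added Python example that is not part of the patent. The policy format, the field names, the tie-breaking rule when several policies match (highest priority wins, and deny beats allow at equal priority) and the decision to refuse when no policy matches at all are assumptions; the sample policies and the audit inputs used in the usage are constructed.

```python
"""Rule matching on the SSH audit server.  Added example, not the patent's code.

A policy holds wind control rules that must ALL hold (step B231) and the
action triggered when they do: "allow" or "deny" (step B232).  The policy
format, field names and tie-breaking are assumptions.
"""
import fnmatch
import ipaddress
from datetime import datetime, timezone

# Constructed sample policies (the "preset wind control strategies" of step B21).
POLICIES = [
    {"name": "deny-destructive", "priority": 100, "action": "deny",
     "rules": {"command": ["rm -rf *", "shutdown*", "reboot*", "drop database*"]}},
    {"name": "ops-business-hours", "priority": 50, "action": "allow",
     "rules": {"account": ["ops-*"], "client_ip": ["10.0.0.0/8"],
               "hours": [8, 18], "client_port": [1024, 65535]}},
    {"name": "dba-mysql", "priority": 50, "action": "allow",
     "rules": {"account": ["dba"], "command": ["mysql *"],
               "client_ip": ["10.1.0.0/16"]}},
]


def match_rule(field, spec, info):
    """Test one wind control rule against the information to be audited
    (step B221: command, time, client IP, client port, login account)."""
    if field == "command":                      # allowed/forbidden command patterns
        return any(fnmatch.fnmatchcase(info["command"], p) for p in spec)
    if field == "account":                      # login account patterns
        return any(fnmatch.fnmatchcase(info["account"], p) for p in spec)
    if field == "client_ip":                    # permitted address ranges
        try:
            addr = ipaddress.ip_address(info["client_ip"])
        except ValueError:
            return False
        return any(addr in ipaddress.ip_network(n, strict=False) for n in spec)
    if field == "client_port":                  # inclusive port range
        lo, hi = spec
        return lo <= info["client_port"] <= hi
    if field == "hours":                        # [start, end) hour of day, UTC
        start, end = spec
        hour = datetime.fromtimestamp(info["time"], tz=timezone.utc).hour
        return start <= hour < end
    return False                                # unknown rule type: fail closed


def match_policies(info, policies=POLICIES):
    """Step B22: the rule matching result per policy, True when every rule holds."""
    return {p["name"]: all(match_rule(f, s, info) for f, s in p["rules"].items())
            for p in policies}


def audit(info, policies=POLICIES):
    """Steps B23/B231/B232: choose the target policy among fully matched ones
    and return (audit result, target policy name)."""
    results = match_policies(info, policies)
    matched = [p for p in policies if results[p["name"]]]
    if not matched:
        return "deny", None     # assumption: nothing vouches for the command
    target = max(matched, key=lambda p: (p["priority"], p["action"] == "deny"))
    return target["action"], target["name"]


if __name__ == "__main__":
    # Constructed input: 1699956000 is 2023-11-14 10:00:00 UTC.
    sample = {"command": "ls -la /var/log", "time": 1699956000,
              "client_ip": "10.2.3.4", "client_port": 51234, "account": "ops-alice"}
    print(match_policies(sample))
    print(audit(sample))
    print(audit(dict(sample, command="rm -rf /srv/data")))
```

The deny-first tie-break and the refusal when nothing matches are defensive defaults: a destructive command still gets refused even when a permissive business-hours policy also matches, and an operation no policy was written for is not silently allowed.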
In addition, the embodiment of the application also provides a command auditing system, which comprises a memory, a processor and a command auditing program stored on the memory and capable of running on the processor, wherein the command auditing program realizes the steps of the command auditing method when being executed by the processor.
Because the command auditing program is executed by the processor, all the technical schemes of all the embodiments are adopted, and therefore, the command auditing program has at least all the beneficial effects brought by all the technical schemes of all the embodiments, and is not described in detail herein.
In addition, the embodiment of the application also provides a computer readable storage medium, wherein a command auditing program is stored on the computer readable storage medium, and the command auditing program realizes the steps of the command auditing method when being executed by a processor.
Because the command auditing program is executed by the processor, all the technical schemes of all the embodiments are adopted, and therefore, the command auditing program has at least all the beneficial effects brought by all the technical schemes of all the embodiments, and is not described in detail herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present application are merely for describing, and do not represent advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as above, including several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a controlled terminal, or a network device, etc.) to perform the method of each embodiment of the present application.
The foregoing description is only of the preferred embodiments of the present application, and is not intended to limit the scope of the claims, and all equivalent structures or equivalent processes using the descriptions and drawings of the present application, or direct or indirect application in other related technical fields are included in the scope of the claims of the present application.

Claims (10)

1. A command auditing method, the method being applied to an SSH server, the method comprising:
when an operation command is received, corresponding to-be-checked information is obtained, wherein the operation command is sent to the SSH server by an SSH client;
the information to be audited is sent to an SSH audit server, so that the SSH audit server receives the information to be audited, the information to be audited is audited based on a preset wind control strategy, an audit result is obtained, and the audit result is sent to the SSH server;
receiving the auditing result;
and processing the operation command according to the auditing result.
2. The command auditing method of claim 1, wherein the step of obtaining corresponding audit information comprises:
and acquiring the operation command, the operation time corresponding to the operation command, the IP address information of the SSH client, the port information of the SSH client and the login account of the SSH client.
3. The command auditing method of claim 1, wherein before the step of acquiring the corresponding audit information upon receipt of an operation command, further comprises:
and modifying the configuration file of the SSH server so that an SSH service program of the SSH server is configured to execute the steps of acquiring corresponding to-be-checked information and later when an operation command is received.
4. The command auditing method of claim 1, wherein the step of processing the operation command according to the audit result comprises:
executing the operation command under the condition that the auditing result is permission to execute;
and discarding the operation command under the condition that the audit result is refusal to execute.
5. A command auditing method, the method being applied to an SSH auditing server, the method comprising:
receiving to-be-checked information corresponding to an operation command, wherein the to-be-checked information is acquired by an SSH server when the operation command is received and sent to the SSH audit server, and the operation command is sent to the SSH server by an SSH client;
auditing the information to be audited based on a preset wind control strategy to obtain an auditing result;
And sending the auditing result to the SSH server so that the SSH server can receive the auditing result and process the operation command according to the auditing result.
6. The command auditing method according to claim 5, wherein the step of auditing the information to be audited based on a preset wind control strategy to obtain an audit result comprises:
loading at least one preset wind control strategy;
matching the information to be checked with the wind control rules contained in the at least one wind control strategy to obtain rule matching results corresponding to the at least one wind control strategy;
and determining the auditing result according to the rule matching result corresponding to each of the at least one wind control strategy.
7. The command auditing method of claim 6, wherein the step of determining the audit result according to the rule matching result corresponding to each of the at least one wind control strategy comprises:
determining the wind control strategy of the information to be examined according with all the corresponding wind control rules as a target wind control strategy;
determining that the corresponding audit result is allowed to be executed according to the target wind control strategy; or determining that the corresponding audit result is refused to be executed according to the target wind control strategy.
8. The command auditing method according to claim 6, wherein the information to be audited includes the operation command, an operation time corresponding to the operation command, IP address information of the SSH client, port information of the SSH client, and a login account of the SSH client, and the step of matching the information to be audited against the wind control rules contained in each of the at least one wind control strategy to obtain a rule matching result corresponding to each of the at least one wind control strategy comprises:
matching the operation command, the operation time corresponding to the operation command, the IP address information of the SSH client, the port information of the SSH client and the login account of the SSH client against the wind control rules contained in each of the at least one wind control strategy to obtain a rule matching result corresponding to each of the at least one wind control strategy.
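Claims 6 to 8 state the rule-matching and decision step in words only; the Python below is an added example of that logic, not code from the patent or the applicant. The policy and rule representation, the sample policies, the default-refuse fallback when no strategy is a target, and the refuse-prevails tie-break are all assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuditInfo:          # the fields claim 8 lists as "information to be audited"
    command: str
    op_time: str          # time of day the command was issued, zero-padded "HH:MM"
    client_ip: str
    client_port: int
    login_account: str

@dataclass
class Policy:             # one preset wind control strategy and its wind control rules
    name: str
    action: str           # "allow" or "deny": the auditing result it yields (claim 7)
    command_re: str = r".*"                      # rule: regex the command must fully match
    time_window: tuple = ("00:00", "23:59")      # rule: inclusive time-of-day window
    client_nets: tuple = ("0.0.0.0/0",)          # rule: permitted SSH client networks
    ports: Optional[frozenset] = None            # rule: None = any client port
    accounts: Optional[frozenset] = None         # rule: None = any login account

def match_rules(info: AuditInfo, p: Policy) -> dict:
    """Rule matching result for one strategy: every rule evaluated against the audit info."""
    ip = ipaddress.ip_address(info.client_ip)
    return {
        "command": re.fullmatch(p.command_re, info.command) is not None,
        "time": p.time_window[0] <= info.op_time <= p.time_window[1],
        "ip": any(ip in ipaddress.ip_network(n) for n in p.client_nets),
        "port": p.ports is None or info.client_port in p.ports,
        "account": p.accounts is None or info.login_account in p.accounts,
    }

def audit(info: AuditInfo, policies: list) -> str:
    """Claim 7: a strategy whose rules are all satisfied is a target; its action is the result."""
    targets = [p for p in policies if all(match_rules(info, p).values())]
    if not targets:
        return "deny"   # assumption: no target strategy means refuse (claims do not specify)
    # assumption: when several target strategies conflict, a refusing strategy prevails
    return "deny" if any(p.action == "deny" for p in targets) else "allow"

# Constructed sample strategies (not from the patent)
POLICIES = [
    Policy("ops-business-hours", "allow", time_window=("09:00", "18:00"),
           client_nets=("10.0.0.0/8",), accounts=frozenset({"ops"})),
    Policy("block-reboot", "deny", command_re=r"(shutdown|reboot)\b.*"),
]
```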
9. A command auditing system, characterized in that it comprises a memory, a processor and a command auditing program stored on the memory and executable on the processor, which command auditing program, when executed by the processor, implements the steps of the command auditing method according to any of claims 1-4 or 5-8.
10. A computer readable storage medium having stored thereon a command auditing program which when executed by a processor implements the steps of the command auditing method of any of claims 1-4 or 5-8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410130209.3A CN117675414B (en) 2024-01-31 2024-01-31 Command auditing method, system and storage medium

Publications (2)

Publication Number Publication Date
CN117675414A true CN117675414A (en) 2024-03-08
CN117675414B CN117675414B (en) 2024-05-17

Family

ID=90071613

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410130209.3A Active CN117675414B (en) 2024-01-31 2024-01-31 Command auditing method, system and storage medium

Country Status (1)

Country Link
CN (1) CN117675414B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102333090A (en) * 2011-09-28 2012-01-25 辽宁国兴科技有限公司 Internal control bastion host and security access method of internal network resources
US20130191631A1 (en) * 2012-01-24 2013-07-25 Ssh Communications Security Corp Auditing and policy control at SSH endpoints
CN109120427A (en) * 2017-06-26 2019-01-01 亿阳安全技术有限公司 A kind of operation audit method and device
CN110928754A (en) * 2019-11-19 2020-03-27 深圳前海微众银行股份有限公司 Operation and maintenance auditing method, device, equipment and medium
CN112261048A (en) * 2020-10-22 2021-01-22 广州锦行网络科技有限公司 PuTTY-based real-time blocking method for command line behaviors
CN112583815A (en) * 2020-12-07 2021-03-30 腾讯科技(深圳)有限公司 Operation instruction management method and device
CN112799722A (en) * 2021-02-08 2021-05-14 联想(北京)有限公司 Command recognition method, device, equipment and storage medium
CN117435249A (en) * 2023-10-24 2024-01-23 联想(北京)有限公司 Instruction execution method and device and electronic equipment

Also Published As

Publication number Publication date
CN117675414B (en) 2024-05-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant