JP2007241549A - Unauthorized access preventing method, unauthorized access preventing system and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent unauthorized access performed after password authentication. <P>SOLUTION: A storage device 3 stores a determination rule 31 which is a rule for performing operation authority acquisition processing, showing the execution order of events and represented by an event string described by a character string. A determination control section 41 hooks the events sequentially carried out by a predetermined user after the success of password authentication of the user. A rule determining section 42 compares the hooked events with the determination rule 31 stored in the storage device 3, and permits the user to perform the same operation as that after log-in when the predetermined number of executed events is in agreement with the determination rule 31, while transmitting instructions of log-out of the user to the determination control section 41 when not in agreement. The determination control section 41 and the rule determination section 42 are executed on the operating system (OS) side. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an unauthorized access prevention method, system, and program executed after password authentication.

  As a countermeasure generally taken as a method for unauthorized access, authentication by a password is often used. If this authentication is passed, the operation authority for the account is granted, and resources such as files in the machine can be accessed. Password authentication is used in many applications, but analysis tools such as password dictionary attacks and brute force attacks are available, and damage to password cracking has been reported. If the password is broken, operations can be performed within the range permitted by the account, and the possibility of damage such as destruction of data in the system or leakage of information becomes very high.

  Therefore, a technique for preventing unauthorized access that does not rely on authentication based on a simple password is disclosed. For example, Patent Literature 1 discloses a user authentication system that allows a system to explicitly input a specific character string or information. Patent Document 2 discloses an unauthorized access prevention system that controls access to resources according to a rule that a subject may or may not execute a certain target. In this system, elements such as subject, type, target, pattern, and operation are prepared as rules.

  Further, Patent Document 3 discloses an unauthorized access trace information maintenance device that prepares a guest OS and records unauthorized commands as a log. Patent Document 4 discloses an unauthorized access prevention method in which processes themselves are classified into a permission process and a general process, and processing after hooking is changed.

  Furthermore, as a related technique, Patent Document 5 describes a fraud monitoring system generally called a (network type) IDS (intrusion detection system) that is performed by monitoring data flowing through a network. This system is a method limited to operations on a network or an external connection device. Patent Document 6 discloses a security for creating a table for giving an execution right for each user in order to give a command execution right when a certain system user executes a certain command, and checking it by referring to this table. A check method is disclosed. This is a concept of setting a system role called single sign-on. With single sign-on, what is originally required for authentication for each server (service) is set up as a role so that a service can be received with a single authentication. The assignment (setting) of services that a user can receive with sign-on is a command.

JP-A-2005-196800 JP 2004-287810 A JP 2005-025517 A JP 2005-166051 A JP 2005-322261 A Japanese Patent Laid-Open No. 11-015549

  By the way, the user authentication system disclosed in Patent Document 1 may cause an unauthorized user to know that an authentication system exists, and may give an attack hint. Also, the unauthorized access prevention system of Patent Document 2 is used for processing that permits or does not allow all operations to a certain user because elements such as subject, type, target, pattern, and operation are required as rules. Is less convenient in terms of rule setting. Furthermore, the unauthorized access trace information maintenance device of Patent Document 3 requires a special guest OS and may lack versatility. In addition, an illegal command or the like is recorded as a log, but the command itself has succeeded and is only a record for a subsequent measure. In addition, the intruder only knows that it is recorded as a log, and there is a possibility that fraud itself cannot be prevented. Further, the unauthorized access prevention method of Patent Document 4 classifies the process itself into a permission process and a general process and changes the processing after the hook, and lacks versatility.

  An object of the present invention is to provide an unauthorized operation prevention method, an unauthorized operation prevention system, and a program for solving the above problems.

  According to an aspect of the present invention, there is provided an unauthorized access prevention method in which a password is authenticated for a predetermined user, and an event that is sequentially executed by the user after successful password authentication is created and stored in advance. And a step of performing a post-login process on the user when a predetermined number of executed events match the determination rule.

  The unauthorized access prevention method according to the first development mode may include a step of performing logout processing for the user when the predetermined number of executed events do not match the determination rule.

  In the unauthorized access prevention method of the second development form, the step of comparing with the determination rule may be executed on the operating system (OS) side.

  In the unauthorized access prevention method according to the third development mode, the determination rule is a rule for performing an operation authority acquisition process, indicating an execution order of events, and may be represented by an event string described in a character string .

  In the unauthorized access prevention method of the fourth development form, the method may further include a step of recording sequentially executed events as log information.

  In the unauthorized access prevention method according to the fifth development mode, when the executed event relates to a predetermined file open process, execution of the read process of the predetermined file may be permitted.

  The unauthorized access prevention method of the sixth development mode may include a step of sending a predetermined message to the user before logout processing.

  An unauthorized access prevention system according to one aspect of the present invention includes a storage device that stores a determination rule for preventing unauthorized access, and hooks an event sequentially executed by the user after successful password authentication for a predetermined user. Compare the determination control unit to the hooked event and the determination rule stored in the storage device, and when the predetermined number of executed events match the determination rule, the same as after login to the user And a rule determination unit that permits the operation.

  A program according to one aspect of the present invention includes a process of performing password authentication for a predetermined user on a computer constituting an unauthorized access prevention system, and an event sequentially executed by the user after successful password authentication. A process for comparing with a judgment rule created and stored in advance and a process after login for the user when a predetermined number of executed events match the judgment rule.

  The first effect of the present invention is that even if a password is broken due to a password attack, a judgment rule is applied to events that are sequentially executed by the user, so that an unauthorized user is not notified that an authentication system exists. It is possible to prevent fraud.

  The second effect of the present invention is that it is not necessary to remember a long password that is difficult to remember. The reason is that there is an unauthorized operation prevention process after password authentication, so that even if the password is broken, unauthorized operation cannot be performed, and this system itself can use character strings related to machine operations such as commands. It is easier to remember than a password like a list of complicated, meaningless, and difficult to remember characters.

  The third effect of the present invention is that it is possible to prevent an infinite number of unauthorized attempts after a password is broken. The reason is that a logout process is automatically performed when an illegal operation is performed a predetermined number of times.

  The fourth effect of the present invention is that the number of rule combinations can be increased, so that damage caused by unauthorized access can be reduced. The reason is not only authentication of one command, but also multiple commands, command execution order, and command options are also part of the authentication. This is because if the file or the like exists and the condition that the command itself is successful is not satisfied, the authentication of the present invention cannot be passed, and when attacking by guessing, the attack must be made in a huge pattern.

  The fifth effect of the present invention is that since the determination process is performed on the OS side, even if there is a vulnerability on the application side that accepts communication such as ssh (secure shell), an unauthorized operation can be prevented. is there.

First, the terms “event”, “hook”, and “determination rule” in the present invention are defined as follows.
Event: Indicates an instruction such as a command input by a user or a system call issued by a process executed by the command.
Hook: Indicates that an event executed by the user interrupts before actually executing in the system including the OS.
Judgment rule: Indicates a rule used when performing operation authority acquisition processing in this system. For example, it is indicated by an event execution order.

  FIG. 1 is a block diagram showing a configuration of an unauthorized access prevention system according to an embodiment of the present invention. In FIG. 1, the unauthorized access prevention system includes an input device 1, a rule creation device 2, a storage device 3, and a data processing device 4. The input device 1 sends a command (event) input by the user to the data processing device 4. It is also used for inputting a rule created by the rule creation device 2. The rule creation device 2 creates a rule for determining a command and sends it to the storage device 3. The storage device 3 records the determination rule 31 created by the rule creation device 2 and the log 32 in the data processing device 4. The data processing device 4 includes a determination control unit 41 and a rule determination unit 42. The rule creation device 2 and the data processing device 4 may be realized by causing a computer constituting the unauthorized access prevention system to execute a predetermined program.

  After password authentication, the determination control unit 41 hooks the input event (command or the like), compares it with the rule of the storage device 3 previously created by the rule creation device 2 by the rule determination unit 42, and is inputted. If the event matches the rule, the operation authority acquisition process is continued. This is repeated, and if all events match the rule, the same operation as that after normal login is permitted for the user. If they do not match, the rule determination unit 42 sends an instruction to log out the user to the determination control unit 41.

  The unauthorized access prevention system having such a configuration prevents unauthorized operation even if the login password is broken in remote access represented by ssh (secure shell) or the like. After password authentication, it seems that login was successful and the operation authority was acquired, but in practice, the operation authority is not given, and the operation for acquiring the operation authority is inserted to prevent unauthorized operation by the cracker. The processing for acquiring the operation authority here is determination processing such as the execution order of a plurality of commands.

  That is, before an event such as an input command is actually executed, a character string of the event and a command character string created in advance on the operating system (OS) side (for example, in the kernel space in Linux or the like) If the two rules match, the operation authority acquisition process is continued. If this process is repeated for a plurality of events and all the events match the rule, the user is allowed to perform the same operation as after normal login. Log out.

  In addition, since the operation authority acquisition determination process is performed on the OS side, even if a program that accepts communication such as ssh is vulnerable and an arbitrary shell is started, the operation authority acquisition determination process is passed. Unauthorized operation can be prevented. That is, when the operation authority acquisition determination process is implemented by a program on the user's application side, the sshd (secure shell daemon) process normally starts the unauthorized operation prevention system as a child process. However, if there are vulnerabilities in ssh etc., the sshd process does not start the unauthorized operation prevention system due to the vulnerability, and suddenly starts a shell, or sshd itself starts as a shell There is a possibility of re-doing. Then, the unauthorized operation prevention system that was originally activated is not activated, and unauthorized operation is permitted. However, in this method, even if the ssh or the like becomes vulnerable as described above, even if the shell is started, the determination process is performed on the OS side, so whether or not the program is started on the user application side. Unauthorized operations can be prevented through the determination process.

Such an unauthorized access prevention system has the following features.
(1) After normal password authentication, a process for acquiring operation authority is added, and after password authentication, it seems that login is successful, but in fact, no operation can be performed.
(2) After password authentication, nothing is returned as a result even if the user inputs a command.
(3) A rule can be described by a character string of an actual command.
(4) The execution order of a plurality of events (commands, etc.) can be made one rule.
(5) An arbitrary number of events can be set in one rule.
(6) An individual rule can be set for each user.
(7) A rule of a user or an operation authority acquisition process does not affect the operation of another user.
(8) The number of events in the actual rule can be hidden by using a dummy counter.
(9) By using a dummy counter, it is possible to limit attempts to illegal operations after password authentication to a finite number of times.
(10) By using a dummy counter, an unauthorized user can be logged out.
(11) A file or directory name can be used in a rule.
(12) When a file or directory name is used in a rule, it is converted to an absolute path even if the user executes an event with a relative path.
(13) Operation authority acquisition fails when an event that does not actually succeed is executed, such as when a file described in a rule does not exist.
(14) A rule can include events with and without command arguments.
(15) When an illegal event is executed, the event can be recorded in a log without actually being executed.
(16) By executing only the event of the file open process (readable, write-prohibited mode), it is possible to hide the presence of this system by making it seem that the intrusion has succeeded at first glance. .
(17) A warning message can be output before the forced logout is performed.

  Hereinafter, it will be described in detail according to the embodiment. FIG. 2 is a block diagram showing the configuration of the data processing apparatus according to the first embodiment of the present invention. In FIG. 2, the data processing device 4 includes a determination control unit 41 and a rule determination unit 42. The determination control unit 41 includes a hook unit 43, an event control unit 44, an event adjustment unit 45, a counter 46, a rule adjustment unit 47, and a rule input unit 48.

  The hook unit 43 hooks an event input from the outside not on the user application side but on the operating system (OS) side (for example, in the kernel space in Linux). The event control unit 44 determines whether or not to perform the operation authority acquisition process, and passes the hooked event to the event adjustment unit 45, or receives a response from the rule determination unit 42 and switches the determination NG flag on / off. , Turn off the hook function, cancel the judgment rule and perform logout processing. The event adjustment unit 45 analyzes the path of the event received from the event control unit 44 and extracts an argument, and converts it into a format that can be used by the rule determination unit 42. The counter 46 counts the number of dummy processes when the operation authority acquisition process fails. The rule adjustment unit 47 reads the determination rule 31 of the user from the storage device 3 after the user passes the password authentication, and adjusts with the determination rule of another user. The rule input unit 48 inputs the determination rule 31 created by the rule adjustment unit 47 to the rule determination unit 42. The rule determination unit 42 actually performs rule determination between a rule and an event.

  FIG. 3 is a block diagram illustrating a configuration of the rule creation device 2. In FIG. 3, the rule creation device 2 receives the determination rule input from the input device 1, and performs rule determination on the rule reception unit 21 that collectively passes to the rule conversion unit 22 and the determination rule 31 that is passed from the rule reception unit 21. It comprises a rule conversion unit 22 that is converted into a format usable by the unit 42 and stored in the storage device 3.

  Next, the operation of the unauthorized access prevention system will be described. First, the rule creation device 2 creates a rule corresponding to the registered user. Here, the rule describes the execution order of a plurality of events and the dummy count number when the authority acquisition process fails. FIG. 4 shows an example of the rule. In FIG. 4, for example, a determination rule 52a (52b, 52c) of a user A is “/ bin / ls -l”, “/ bin / cat auth.txt”, “/ bin / ls -a”, “/ The commands are entered in the order of “bin / cp abc.txt def.c”. This rule can be set individually for each user. The dummy count will be described later.

  The rule input from the input device 1 is received by the rule receiving unit 21, and the input rule is associated with the user who uses the rule. The rule conversion unit 22 converts the rule associated with the user in the rule reception unit 21 into a format that can be used in the actual determination process in the rule determination unit 42 and stores it in the storage device 3.

  Next, an actual operation authority acquisition method in the unauthorized access prevention system will be described. Referring to FIG. 4A, there are an event 51a executed by the user A and a determination rule 52a for the user A. Since “/ bin / ls -l”, which is the event 51a that is executed first, matches with the first one of the determination rule, it returns without executing anything. Note that the event executed by the user A is hooked, and after the above comparison process is performed, the process returns without executing anything, so nothing is performed in the system. However, only a command that is originally successful is regarded as an event that is valid as an operation authority acquisition process. For example, “/ bin / cat auth.txt”, which is the second event 51b shown in FIG. 4B, is successful if the file “auth.txt” can be read and written to the standard output. Any event that fails as an event, such as when the file “auth.txt” does not exist, is also regarded as a failure as an operation authority acquisition process.

  When the next event is input as shown in FIG. 4B, the rule on the next line of the determination rule 52b is compared with the event 51b. If they match, the determination rule continues, so the process returns without executing anything. This is repeated until all rules match. When the rule and the input event all match in order, it is determined that the operation authority has been successfully acquired, the counter is set to 0, and the unauthorized operation prevention function is turned off so that the user A can execute the regular process.

  As shown in FIG. 4C, when the event 51c and the rule 52c are different, or when the event itself fails as described above, the operation authority acquisition fails at that time. When operation authority acquisition fails, the system returns without executing anything.

  If the operation authority acquisition fails, the process of acquiring the operation authority is not immediately performed for the user A and the process such as logout is not performed on the user A, and it looks as if the operation authority acquisition process continues (that is, Since it actually returns without doing anything, it seems that user A does not do anything even if the command is executed), and the event is input for a preset number of dummy counts. Here, the dummy count is preferably set to be different from the actual number of events in the rule. By inputting the event for the dummy count several times after the operation authority acquisition failure, it is possible to prevent an unauthorized user from guessing information about which event matches the rule and how much the event matches.

  If the operation authority acquisition fails, the determination NG flag of the event control unit 44 is turned on, and if the next event for performing the dummy process is received, the hooked information is not sent to the rule determination unit 42 and nothing is done. Returns a return. When the event is executed for the number of dummy counts, the logout process of the user A is performed.

  Next, operation authority acquisition processing in the unauthorized access prevention system will be described. FIG. 5 is a flowchart showing the operation of the unauthorized access prevention system according to the first embodiment of the present invention. In FIG. 5, after creating the rule, the rule adjustment unit 47 reads the user determination rule from the storage device 3 and passes it to the rule input unit 48, and the rule input unit 48 inputs the rule to the rule determination unit 42 ( Step S11).

  The unauthorized access prevention system enters the event hook standby state (step S12).

  When an event is executed from the user A, the event is hooked by the hook unit 43 (step S13). When an event is hooked, the information is passed to the event control unit 44.

  The event control unit 44 has a determination NG flag, and checks the current determination NG flag (step S14). If the determination NG flag is on, the process proceeds to step S20. If the determination NG flag is off, the event hooked event is passed to the event adjustment unit 45, and event adjustment such as path analysis and option extraction is performed (step S15). For example, an option such as “-l” of the event 51a shown in FIG. 4 is extracted, or a path input as a relative path such as “auth.txt” of the event 51b is converted to an absolute path. Information used in the rule determination unit 42 is converted into a format that can be used in actual determination.

  If step S15 is successful, the rule determination unit 42 actually compares the result with the rule, and notifies the event control unit 44 of the result of whether or not they match. (Step S16). If they match and match (match in step S16), 1 is added to the counter 46 (step S17). The counter 46 is used for counting dummy processing when operation authority acquisition fails during the process.

  Next, it is confirmed whether the comparison with all the events described in the rule is completed (step S18). If the comparison with all the events described in the rules has been completed, the operation authority acquisition is completed, the judgment rule that was entered is canceled, or the hook function is turned off and the unauthorized operation prevention function itself is turned off. A is provided with a normal execution environment (step S24).

  If the comparison with all the events described in the rule is not completed in step S18, the hooked event is returned without doing anything (step S23), and the event hook standby state is returned (step S12). .

  If the event adjustment fails in step S15, or if it does not match the rule in step S16, NG is notified to the event control unit 44, and the event control unit 44 turns on the determination NG flag ( Step S19).

  Next, 1 is added to the counter 46 (step S20), and the counter value is compared with the set value of the dummy count (step S21). If the value of the counter is equal to or larger than the set value, the log-in process is performed (step S22) because the event input for the dummy count has been completed.

  If it is less than the set value in step S21, the process proceeds to step S23 to enter the event hook standby state (step S12).

  FIG. 6 is a block diagram showing the configuration of the data processing apparatus according to the second embodiment of the present invention. 6, the event control unit 44a in the data processing device 4a is different from the event control unit 44 and the storage device 3 in FIG. 2 in that a log is output to the storage device 3a.

  FIG. 7 is a flowchart showing the operation of the unauthorized access prevention system according to the second embodiment of the present invention. In FIG. 7, steps S11 to S24 are the same as those in FIG. In step S15, after event adjustment is successful, information on the extracted event (executed command and its argument, etc.) is recorded as a log (step S30). The subsequent steps are the same as in FIG.

  If event adjustment fails in step S15, the determination NG flag is turned on (step S31), the input character string is extracted (step S32), and output to the log (step S33). Here, regardless of the success or failure of path analysis or the like, the input event (command character string or the like) is extracted as it is and recorded in the log. Even when the determination NG flag is on in step S14, the processing after step S32 is performed. Step S20 and subsequent steps are the same as those in FIG.

  In the unauthorized access prevention system that operates as described above, the log stored in the storage device 3a is an operation record when an unauthorized operation is performed, and what kind of event an unauthorized user actually tries to perform. It is recorded whether it did. Therefore, by referring to this log, it can be used for later security measures or can be left as evidence that fraud has been performed.

  FIG. 8 is a flowchart showing the operation of the unauthorized access prevention system according to the third embodiment of the present invention. In FIG. 8, steps S11 to S24 are the same as those in FIG. Referring to FIG. 8, in the present embodiment, what is returned without doing anything with respect to the event hooked in the operation authority acquisition process is the same as the event of the file open process (readable, write prohibited mode). It differs from the first embodiment in that it is executed and the result is returned.

  That is, after “N” in step S18 or after “N” in step S21, in step S41, if the executed event is a file open process (readable, write prohibited mode), the process proceeds to step S42. Advance, execute event and return. If the executed event is other than the file open process (readable, write prohibited mode), the process proceeds to step S23 as in the first embodiment.

  The unauthorized access prevention system that operates as described above can perform file read processing after an unauthorized user breaks the password. It is possible to hide the existence of this system by preventing the tampering process. During this time, the dummy count increases, so that it is possible to log out when the dummy count reaches the set value.

  In this embodiment, an event may be recorded as a log in the same manner as in the second embodiment.

  FIG. 9 is a flowchart showing the operation of the unauthorized access prevention system according to the fourth embodiment of the present invention. In FIG. 9, steps S11 to S24 are the same as those in FIG. Referring to FIG. 9, when the dummy counter becomes equal to or larger than the set value in step S21, it is different from the first embodiment in that the logout is not performed immediately but the message is output (step S51). For example, by outputting a message such as “Unauthorized access has been detected”, a warning is given to an unauthorized user, and an effect of suppressing an attack against the machine again can be obtained.

  In addition, this embodiment may be combined with the second embodiment and the third embodiment.

It is a block diagram which shows the structure of the unauthorized access prevention system which concerns on embodiment of this invention. It is a block diagram which shows the structure of the data processor which concerns on 1st Example of this invention. It is a block diagram which shows the structure of a rule preparation apparatus. It is a figure explaining the example of a determination rule. It is a flowchart showing operation | movement of the unauthorized access prevention system which concerns on 1st Example of this invention. It is a block diagram which shows the structure of the data processor which concerns on 2nd Example of this invention. It is a flowchart showing operation | movement of the unauthorized access prevention system which concerns on 2nd Example of this invention. It is a flowchart showing operation | movement of the unauthorized access prevention system which concerns on 3rd Example of this invention. It is a flowchart showing operation | movement of the unauthorized access prevention system which concerns on 4th Example of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Input device 2 Rule production device 3, 3a Storage device 4, 4a Data processing device 21 Rule receiving part 22 Rule conversion part 31 Determination rule 32 Log 41 Determination control part 42 Rule determination part 43 Hook part 44, 44a Event control part 45 Event Adjustment unit 46 Counter 47 Rule adjustment unit 48 Rule input unit 51a, 51b, 51c Event 52a, 52b, 52c User A determination rule

Claims (21)

Authenticating a password for a given user;
Comparing the event sequentially executed by the user after successful authentication of the password with a determination rule stored in advance and stored;
Performing a post-login process on the user when the predetermined number of executed events match the determination rule;
A method of preventing unauthorized access, comprising:   The unauthorized access prevention method according to claim 1, further comprising a step of performing logout processing on the user when the predetermined number of executed events does not match the determination rule.   The unauthorized access prevention method according to claim 1, wherein the step of comparing with the determination rule is executed on an operating system (OS) side.   The determination rule is a rule for performing an operation authority acquisition process, indicates an execution order of events, and is represented by an event sequence described in a character string. An unauthorized access prevention method according to 1.   The unauthorized access prevention method according to claim 1, further comprising a step of recording the sequentially executed events as log information.   2. The unauthorized access prevention method according to claim 1, wherein when the executed event is related to an open process of a predetermined file, execution of the read process of the predetermined file is permitted.   3. The unauthorized access prevention method according to claim 2, further comprising a step of sending a predetermined message to the user before the logout process. A storage device for storing determination rules for preventing unauthorized access;
A determination control unit that hooks events sequentially executed by the user after successful password authentication for a predetermined user;
When the hooked event is compared with the determination rule stored in the storage device, and the predetermined number of events executed match the determination rule, the same as after login to the user A rule determination unit that permits operation;
An unauthorized access prevention system comprising:   9. The rule determination unit according to claim 8, wherein when the predetermined number of executed events does not match the determination rule, the rule determination unit sends an instruction to log out the user to the determination control unit. Unauthorized access prevention system.   9. The unauthorized access prevention system according to claim 8, wherein the determination control unit and the rule determination unit are executed on an operating system (OS) side.   The determination rule is a rule for performing an operation authority acquisition process, indicates an execution order of events, and is represented by an event string described in a character string. The unauthorized access prevention system described in 1.   9. The unauthorized access prevention system according to claim 8, wherein the storage device records the sequentially executed events as log information.   9. The unauthorized access prevention system according to claim 8, wherein when the executed event is related to an open process of a predetermined file, execution of the read process of the predetermined file is permitted.   The unauthorized access prevention system according to claim 9, wherein a predetermined message is sent to the user before the logout process. On the computers that make up the unauthorized access prevention system,
A process of authenticating a password for a given user;
A process of comparing events sequentially executed by the user after successful authentication of the password with a determination rule created and stored in advance;
When the predetermined number of executed events match the determination rule, processing after login to the user;
A program for running   16. The program according to claim 15, wherein when the predetermined number of executed events does not match the determination rule, the user is caused to execute logout processing.   16. The program according to claim 15, wherein the process for comparing with the determination rule is executed on an operating system (OS) side.   The determination rule is a rule for performing an operation authority acquisition process, indicates an execution order of events, and is represented by an event string described in a character string. The program described in 1.   16. The program according to claim 15, further comprising a process of recording the sequentially executed events as log information.   16. The program according to claim 15, wherein when the executed event relates to a predetermined file open process, execution of the read process of the predetermined file is permitted.   The program according to claim 16, wherein a process of sending a predetermined message to the user is executed before the logout process.

Images