JP5106301B2 - Information processing apparatus and program - Google Patents

Description

  The present invention relates to a communication system, and more particularly, to a communication system including an apparatus that collects data, an apparatus that checks whether the collected data matches a predetermined policy, and the like.

Patent Document 1 discloses a communication system including a WWW (World Wide Web) server and a terminal that is a client.
In Patent Document 1, as shown in FIG. 11, every time a DB change detection unit detects a change made by a DB (Database) change unit of a WWW server, and the DB change detection unit detects a change. An HTML (HyperText Markup Language) screen generation unit creates an HTML screen reflecting DB changes.
When the HTML screen is generated by the WWW server, the HTML screen generation means notifies the state monitoring means provided in the terminal that the new HTML screen has been generated, and upon receiving this notification, the browser accesses the WWW server. The HTML screen is acquired from the WWW server, and the display screen of the display is updated.
Japanese Patent Laid-Open No. 10-240605 “Information Communication System”

When a policy check device that performs a policy check is combined with the communication system disclosed in Patent Document 1, the terminal collects security-related data, transmits the collected data to the policy check device, and the collected data matches the security policy in the policy check device. It is determined whether to do so, and the result of the policy check is written in the DB of the WWW server.
Then, the DB change detection unit of the WWW server detects that a new policy check result has been written, and the HTML screen generation unit creates an HTML screen reflecting the policy check result in accordance with the detection of the policy check result.
When the HTML screen is generated by the WWW server, the HTML screen generation means notifies the state monitoring means provided in the terminal that the new HTML screen has been generated, and upon receiving this notification, the browser accesses the WWW server. The HTML screen is acquired from the WWW server, and the policy check result is displayed on the display.

According to the above configuration, in the terminal, after the state monitoring unit receives a notification that a new HTML screen has been generated, the terminal accesses the WWW server and acquires the policy check result.
Normally, the time required for matching collected data with the security policy is very short, and it is common for policy check results to be generated in a very short time after collected data is sent from the terminal. In this configuration, the terminal accesses the WWW server after detecting the policy check result by the DB change detection unit and the HTML screen generation notification by the HTML screen generation unit. After the policy check result is generated, the terminal There is a problem that it takes time to obtain the check result.
In addition, there is a problem that communication for notifying that a new HTML screen has been generated from the WWW server to the terminal is necessary.

  One of the main objects of the present invention is to solve the above-described problems, and it is a main object of the present invention to make it possible to obtain an inspection result by a policy check at an early stage after data collection is completed.

An information processing apparatus according to the present invention includes:
Connected to a policy inspection apparatus that inspects whether or not the content shown in the collected data matches a predetermined policy, and an inspection result transmission apparatus that transmits inspection result information indicating an inspection result by the policy inspection apparatus,
A data collection unit that collects data used for inspection in the policy inspection apparatus, transmits the collected data to the policy inspection apparatus, and outputs a data collection completion notification for notifying completion of data collection;
When the data collection completion notification output from the data collection unit is input, the inspection result notification device is requested to transmit inspection result information, and the inspection result information is received from the inspection result transmission device as a response to the request. And an inspection result transmission requesting unit.

  According to the present invention, since the data collection unit transmits the collected data to the policy inspection device and outputs a data collection completion notification, the inspection result transmission request unit requests transmission of the inspection result information immediately after the data collection is completed. As a result, the inspection result information can be acquired early.

Embodiment 1 FIG.
FIG. 1 is a diagram illustrating a configuration example of a communication system according to the present embodiment.
As shown in FIG. 1, the communication system according to the present embodiment includes a user terminal device 100, a collected data management device 200, and an interactive application execution management device 300.

The user terminal device 100 is a terminal device used by an employee or a staff member of a company or the like, for example, a personal computer.
The user terminal device 100 collects data related to security measures in the user terminal device 100 and transmits the collected data to the collected data management device 200.
The user terminal device 100 is an example of an information processing device.

The collected data management device 200 is a device that manages information such as the settings of the user terminal device 100, installed programs, applied patches, and the like, determines whether the security policy defined by the organization is met, and notifies when there is a violation. is there.
In other words, the collected data management apparatus 200 checks whether or not the contents of the collected data from the user terminal apparatus 100 match the security policy, and interactively displays the monitoring result information (check result information) that is the result of the policy check. The user terminal apparatus 100 is notified via the application execution management apparatus 300.
The collected data management apparatus 200 is an example of a policy inspection apparatus.

The interactive application execution management device 300 is a device that provides a workflow (WF) application on a web application server.
The interactive application execution management apparatus 300 receives the monitoring result information from the collected data management apparatus 200 and transmits it to the user terminal apparatus 100.
The interactive application execution management device 300 is an example of a test result transmission device.

In FIG. 1, the collected data management device 200 and the interactive application execution management device 300 are separate devices, but the collected data management device 200 may serve as the interactive application execution management device 300.
That is, the collected data management device 200 may perform a policy check, and the collected data management device 200 may transmit the monitoring result information to the user terminal device 100.

  Next, internal configuration examples of the user terminal device 100, the collected data management device 200, and the interactive application execution management device 300 will be described.

In the user terminal device 100, the agent execution unit access unit 101 requests the interactive application execution management device 300 to transmit monitoring result information when a data collection completion notification output from the agent execution unit 102 described later is input. The monitoring result information transmitted from the interactive application execution management apparatus 300 as a response to the request is received via the communication unit 103. The agent execution unit access unit 101 is an example of an inspection result transmission request unit.
The agent execution unit 102 collects data used for the policy check in the collected data management device 200 such as user terminal device settings (operating system settings, etc.), installed software, applied patches, and the like. The data is transmitted to the collected data management apparatus 200 via the communication unit 103. Further, when the data collection is completed, a data collection completion notification for notifying that the data collection is completed is output to the agent execution unit access unit 101. The agent execution unit 102 is an example of a data collection unit.
The communication unit 103 communicates with the collected data management device 200 and the interactive application execution management device 300.
The input unit 104 inputs an instruction from a user who uses the user terminal device 100.
The display unit 105 displays screen information to a user who uses the user terminal device 100. The display unit 105 displays, for example, screen information of monitoring result information by the collected data management apparatus 200.
The browser 106 accesses the interactive application execution management apparatus via the communication unit 103 and causes the display unit 105 to display a workflow screen.
The agent execution unit access unit 101 is disposed in the browser 106.

Next, in the collected data management apparatus 200, the policy determination unit 201 determines whether the collected data from the user terminal apparatus 100 matches the security policy, and generates monitoring result information.
The collected data 202 is information used for policy checks such as settings, programs, and patches transmitted from the user terminal device 100.
The monitoring result information 203 is result information obtained by determining whether the collected data matches the policy information determined by the policy determining unit 201. The monitoring result information 203 is information obtained by removing the expiration date and the lifetime from the contents shown in FIG. 6, for example. That is, for each user terminal device 100, the result (conditional result) of whether or not the inspection target item (information name) matches the security policy is shown. The expiration date and the lifetime will be described in Embodiment 2.
The policy information storage unit 204 stores policy information. The policy information is information describing the security policy of the organization, and includes information such as a value that should be set in the terminal, a list of software to be installed, a list of software that should not be installed, and a list of patches to be applied.
The communication unit 205 communicates with the user terminal device 100 and the interactive application execution management device 300.

Next, in the interactive application execution management apparatus 300, the screen information generation unit 301 generates screen information. The screen information includes screen layout and display contents of screen information of a web application described in HTML or JSP (registered trademark) (Java (registered trademark) Server Pages) format. In the present embodiment, the screen information generation unit 301 generates screen information of monitoring result information from the collected data management apparatus 200.
The data acquisition unit 302 receives the monitoring result information 203 from the collected data management device 200 and transmits the screen information of the monitoring result information 203 to the user terminal device 100 via the communication unit 303.

Next, an operation example according to the present embodiment will be described in the order of (1) to (8) in FIG.
(1) The screen information generation unit 301 of the interactive application execution management apparatus 300 transmits an initial screen to the browser 106 in response to a request from the browser 106 by a user operation. In this initial screen, the definition of the agent execution unit access unit 101 is described.
(2) Next, the agent execution unit 102 is activated from the browser 106 through the agent execution unit access unit 101, and the agent execution unit 102 collects data of the user terminal device 100.
(3) Next, the agent execution unit 102 transmits the collected data to the collected data management apparatus 200 via the communication unit 103. At this time, the agent execution unit 102 confirms that the collected data management apparatus 200 has received the collected data through a synchronous process. In the collected data management apparatus 200, the policy determination unit 201 performs a policy check from the collected data and policy information, and generates monitoring result information.
(4) The agent execution unit 102 notifies the agent execution unit access unit 101 that the data collection has been completed along with the transmission of the collected data in (3) above.
(5) The agent execution unit access unit 101 uses the function of the browser 106 to request the data acquisition unit 302 of the interactive application execution management apparatus 300 to transmit the monitoring result information via the communication unit 103 ( HTTP (Hypertext Transfer Protocol) request is transmitted). This request is made without the user's operation after the execution of the above (4).
(6) Next, the data acquisition unit 302 receives monitoring result information from the collected data management device 200.
(7) Next, the screen information generation unit 301 generates screen information of the monitoring result information, and the data acquisition unit 302 transmits the screen information of the monitoring result information to the user terminal device 100.
(8) Finally, the agent execution unit access unit 101 acquires the screen information of the monitoring result information via the communication unit 103 and causes the display unit 105 to display the screen information of the monitoring result information.

As described above, in the present embodiment, when the data collection is completed in the agent execution unit 102, the agent execution unit access unit 101 is notified that the data collection is completed, and the agent execution unit access unit 101 immediately receives the interactive application. It requests the execution management apparatus 300 to transmit monitoring result information.
Most of the time required for the policy check is the time required for data collection, and the time required for collating the collected data with the security policy and generating the monitoring result information is very short.
As described above, since the monitoring result information is generated within a short time from the completion of the data collection, the monitoring result information can be acquired early by requesting the transmission of the monitoring result information immediately after the data collection is completed. be able to.
In addition, when the policy check is performed using the configuration illustrated in FIG. 11, the WWW server notifies the terminal that the monitoring result information has been generated, and the terminal transmits the monitoring result information to the WWW server in response to the notification. In response to the request, monitoring result information is transmitted from the WWW server to the terminal. In this embodiment, monitoring result information from the interactive application execution management device 300 to the user terminal device 100 is transmitted. Is not required, and the number of communication and the amount of communication between devices can be reduced.

Further, in a communication system including a general WWW server and a terminal, the WWW server does not notify the terminal that the monitoring result information has been generated. In addition, since the function for collecting data used for policy check and the browser requesting the transmission of monitoring result information are not linked to a normal terminal, at what timing data collection was completed in the browser Since the timing at which the monitoring result information is generated cannot be grasped, the browser repeatedly requests the WWW server to transmit the monitoring result information (repeats the HTTP request).
In this regard, in the present embodiment, the agent execution unit access unit 101 is notified of the completion of data collection from the agent execution unit 102, and receives the notification to monitor the interactive result execution management apparatus 300. Therefore, there is no situation where the monitoring result information transmission request is repeatedly made, and the number of communication between devices and the communication amount can be reduced.

  1 is executed asynchronously by using Ajax (Asynchronous Java (registered trademark) Script + XML), the user can access the interactive application execution management apparatus 300 even when the browser 106 is accessing the interactive application execution management apparatus 300. Can use the browser 106.

In the procedure of (5) in FIG. 1, the agent execution unit access unit 101 requests transmission limited to monitoring result information on the collected data collected by the agent execution unit 102 and transmitted to the collected data management apparatus 200. can do. For example, the settings in the user terminal device 100 and the information of the software list installed in the user terminal device 100 have been previously transmitted from the agent execution unit 102 to the collected data management device 200 and are newly applied to the user terminal device 100 this time. When the list of patches that have been sent is transmitted from the agent execution unit 102 to the collected data management device 200, the collected data management device 200 not only checks the patch list, but also sets and installs software in the user terminal device 100. Although the monitoring result information including the inspection result is generated, the agent execution unit access unit 101 generates only the monitoring result information indicating the inspection result for the patch list transmitted from the agent execution unit 102 to the collected data management apparatus 200 this time. I will send It may request the interactive application execution management unit 300.
The interactive application execution management apparatus 300 requests the collection data management apparatus 200 to transmit only the monitoring result information about the patch list, or the patch list from the monitoring result information transmitted from the collection data management apparatus 200. Only the monitoring result information is extracted, and only the monitoring result information of the patch list is transmitted to the agent execution unit access unit 101.
As described above, the agent execution unit access unit 101 can select and receive the monitoring result information indicating the inspection result for the data transmitted from the agent execution unit 102 to the collected data management apparatus 200.

  As described above, in this embodiment, the browser in the user terminal device has the agent execution unit access unit, the agent execution unit sends the collection data to the collection data management device, and the policy determination unit of the collection data management device monitors the monitoring result information. A security check system in which the display contents are generated by the data acquisition unit of the interactive application execution management device, and the browser acquires the display content from the interactive application execution management device after the agent execution unit sends the collected data did.

Embodiment 2. FIG.
In the first embodiment described above, the network load related to the transmission of the monitoring result information is reduced by requesting the transmission of the monitoring result information when the data collection is completed in the user terminal device. Next, an embodiment for reducing the load when acquiring collected data will be described.

In the security policy, the expiration date of the monitoring result information may be set for each policy.
For example, for a policy for determining whether or not the password used in the user terminal device 100 is longer than a specified password length, if the expiration date is 1 day, 1 day or more has passed since the creation of the monitoring result information In this case, since the monitoring result information has expired, the collected data management apparatus 200 needs to newly acquire the current password from the user terminal apparatus 100 and perform the policy check again.
On the other hand, it is not necessary to collect data corresponding to the monitoring result information within the expiration date.
As described above, in the present embodiment, when the policy check is executed, the time required for the data collection is reduced by newly collecting only the missing data other than the data within the expiration date, and thus the time required for the policy check is reduced. This is the main purpose.

  FIG. 2 shows a configuration example of a communication system according to the present embodiment.

The communication system according to the present embodiment includes an AD (Active Directory) 700 and a WSUS (Windows (registered trademark) Server Update Services) 800 in addition to the user terminal device 400, the collected data management device 500, and the interactive application execution management device 600. Is included.
The user terminal device 400 performs the same processing as the user terminal device 100 of the first embodiment, but the internal configuration example and operation details are different. In the present embodiment, the user terminal device 400 is an example of a terminal device.
The collected data management apparatus 500 performs the same processing as the collected data management apparatus 200 of the first embodiment, but the internal configuration example and operation details are different. In the present embodiment, the collected data management device 500 is an example of a management device.
The interactive application execution management apparatus 600 performs the same processing as the interactive application execution management apparatus 300 of the first embodiment, but the internal configuration example and operation details are different.
The AD 700 and WSUS 800 collect specific types of data. AD700 and WSUS800 are examples of server devices.

In the user terminal device 400, the browser 401 transmits and receives data to and from the interactive application execution management device 600 via the communication unit 404. Specifically, the interactive application execution management apparatus 600 is requested to transmit monitoring result information, and the monitoring result information is received from the interactive application execution management apparatus 600.
The agent control unit 403 of the agent execution unit 402 collects data used for the policy check. The agent control unit 403 collects data of a type defined in getAgeInfo of a collection data acquisition unit 507 described later among data used for policy check. The agent control unit 403 receives a command from getAgentInfo, controls the agent execution unit 402, collects information on the user terminal device 400, and sends it to getAgentInfo of the collected data acquisition unit 507.
Specifically, the agent control unit 403 collects data unique to the user terminal device 400, and general data related to security measures that is not unique to the user terminal device 400 is collected in the AD700 or WSUS800.
The communication unit 404 communicates with the collected data management device 500 and the interactive application execution management device 600.
The input unit 405 inputs an instruction from a user who uses the user terminal device 400.
The display unit 406 displays screen information to a user who uses the user terminal device 400. The display unit 406 displays screen information of monitoring result information by the collected data management device 500, for example.

  In the collected data management apparatus 500, the policy determination unit 501 performs a check to check whether the data acquired by the collected data acquisition unit 507 matches the inspection standard of the corresponding inspection item, and indicates the inspection result. Result information (inspection result information) is generated. The policy determination unit 501 is an example of an inspection execution unit.

The policy information storage unit 502 stores policy information. In the present embodiment, the policy information is roughly divided into a policy table 5021, an information table 5022, and a type table 5023 as shown in FIG.
An example of each table is shown in FIG. Details of each table will be described later.

The communication unit 503 communicates with the user terminal device 400 and the interactive application execution management device 600.
The communication unit 503 receives, for example, identification information of the user terminal device 400 (test target terminal device) that is a test target from the interactive application execution management device 600, and receives the monitoring result information generated by the policy determination unit 501. The data is transmitted to the user terminal device 400 via the interactive application execution management device 600.
The communication unit 503 is an example of an inspection object identification information reception unit and an inspection result information transmission unit.

The monitoring result information 504 is information obtained by determining whether the collected data matches the policy information determined by the policy determining unit 501. In this embodiment, as shown in FIG. 6, the expiration date and the lifetime are shown.
The monitoring result information storage unit 505 stores monitoring result information 504. The monitoring result information storage unit 505 is an example of an inspection result information storage unit.
The collected data 506 is data collected by the collected data acquisition unit 507 from the user terminal device 400, AD700, and WSUS800.

The collected data acquisition unit 507 obtains the monitoring result information of the inspection target user terminal device 400 stored in the monitoring result information storage unit 505 based on the identification information of the inspection target user terminal device 400 received by the communication unit 503. Based on the expiration date of the inspection item included in the extracted monitoring result information of the extracted user terminal device 400 to be inspected, the inspection item requiring inspection is extracted.
Further, the collected data acquisition unit 507 acquires data corresponding to the extracted inspection item from the user terminal device 400, AD700, and WSUS800.
The collected data acquisition unit 507 is an example of an inspection item extraction unit and a data acquisition unit.
Note that the collected data acquisition unit 507 includes units such as getAngeInfo, getADInfo, and getWSUSInfo.
getAngeInfo is a means for acquiring collected data from the agent execution unit 402 of the user terminal device 400.
getADInfo is a means for acquiring collected data from the AD 700.
getWSUSInfo is a means for acquiring collected data from WSUS800.
Details of these three types of data acquisition means will be described later.
In addition to these three types, a means for acquiring other data may be provided.

In the interactive application execution management apparatus 600, the screen information generation unit 601 generates screen information in the same manner as the screen information generation unit 301 of the first embodiment.
The model execution unit 602 controls processing based on an activity diagram which is a type of UML (Unified Modeling Language) diagram. An example of an activity diagram is shown in FIG. In this example, starting from the initial state, the draft (initial screen) is displayed, the process branches depending on whether the data collection source is the user terminal device, or otherwise, from the agent if the data collection source is the user terminal device Execute data acquisition and policy check, and display draft (submission screen). At the time of model execution, $ host is replaced with the host name of the target user terminal device. The host name is obtained from the browser. Thereafter, an approval process is performed.
In the middle of transition from draft (initial screen) to draft (submission screen), if you are trying to get the monitoring results required for screen display and the type of data is agent information, branch to the right and branch from the agent. Perform data acquisition. The operation (3) in FIG. 2 corresponds to a draft (initial screen). The determination of branching is included in the operation (4). The operation for obtaining data from the agent is (5).
The data acquisition unit 603 transmits the identification information of the user terminal device 400 to be inspected to the collected data management device 500 via the communication unit 604, receives the monitoring result information 504 from the collected data management device 500, The screen information of the monitoring result information 504 is transmitted to the user terminal device 400 via the communication unit 604.
The communication unit 604 communicates with the user terminal device 400 and the collected data management device 500.

Next, policy information according to the present embodiment will be described.
As described above, FIG. 5 shows an example of each table of policy information.
FIG. 5A shows an example of a policy table, FIG. 5B shows an example of an information table, and FIG. 5C shows an example of a type table.

The policy table includes items of a policy name, an information name, a conditional expression, and an expiration date of the monitoring result.
In the example of FIG. 5A, an inspection standard for inspecting whether or not the password in the user terminal device 400 is equal to or longer than a prescribed password length (8 characters) is shown.
The expiration date of the monitoring result defines the expiration date of the monitoring result information. In FIG. 5A, one day is shown as the expiration date of the monitoring result, and when one day has passed since the execution of the inspection, a new password is obtained from the user terminal device 400, and the password with the prescribed password length is again obtained. It has been shown that it is necessary to check whether it is longer or longer.

The information table 5022 includes items of information name, type, terminal name, value, and lifetime.
The information name item in the information table 5022 corresponds to the information name item in the policy table 5021.
The type item indicates an attribute of the collected data. Specifically, it indicates whether the data is collected from the agent execution unit 402 of the user terminal device 400 (agent information), the data collected from the AD 700 (AD information), or the data collected from the WSUS 800 (WSUS information). .
The item of the terminal indicates identification information (IP address in the example of FIG. 5B) of the terminal to which the policy is applied.
In the value item, a value applied to the conditional expression of the policy table is shown.
The lifetime is a period for storing collected data and monitoring result information. In the example of FIG. 5B, the collected data and the monitoring result information are stored for 60 days from the collection date and the monitoring result information generation date. The lifetime is determined from the amount of data held in the entire system.

The type table 5023 includes items of type, collection means, collection source, and collection interval.
The type item in the type table 5023 corresponds to the type item in the information table 5022.
Each item of getAngeInfo, getADInfo, and getWSUSInfo is shown in the item of collection means.
The item of collection source shows identification information of the data collection source. The collection source is fixed (server name, IP address, etc.) or variable ($ host, etc.) by the collection means. In the case of a variable, a value is passed from the interactive application execution management apparatus 600 side or a setting file is referred to.
The collection interval indicates a data collection interval.

FIG. 6 shows an example of monitoring result information according to the present embodiment.
The results of the target terminal name, information name, and conditional expression are as described in the first embodiment.
The expiration date is calculated from the current time (when the monitoring result information is generated) using the expiration date of the policy table 5021. The lifetime is a time limit for storing the monitoring result information, and is calculated from the current time (at the time of generating the monitoring result information) using the lifetime in the information table.

FIG. 7 shows an example of collected data.
The collected data includes information on the information name, type name, terminal name, value, and lifetime.
The information name corresponds to the information name in the policy table 5021.
The type name corresponds to the type in the information table 5022.
The terminal name indicates the IP address of the user terminal device 400 to be inspected, and corresponds to the terminal name in the information table 5022.
The value is a value collated with the conditional expression in the policy table 5021. The example in FIG. 7 indicates that the password is 10 characters.
The lifetime is a time limit for holding the collected data, and is calculated from the current time (at the time of acquisition of the collected data) using the lifetime of the information table.

  Next, an operation example according to the present embodiment will be described in the order of (1) to (8) in FIG.

(1) The screen information generation unit 601 of the interactive application execution management apparatus 600 transmits an initial screen to the browser 401 in response to a request from the browser 401 by a user operation.
(2) The browser 401 requests the data acquisition unit 603 to transmit the monitoring result information of the user terminal device 400 in response to an operation from the user. The request includes identification information (for example, an IP address) of the user terminal device 400. At this time, by issuing a request using Ajax, the user during the operation after (3) can operate the browser.
(3) In accordance with the workflow definition (FIG. 3) managed by the model execution unit 602, the data acquisition unit 603 passes the identification information of the user terminal device 400 to the collected data management device 500 and requests transmission of monitoring result information. .
(4) Next, in the collected data management apparatus 500, the collected data acquisition unit 507 is notified from the monitoring result information in the monitoring result information storage unit 505, the policy information in the policy information storage unit 502, and the data acquisition unit 603. Based on the identification information of the user terminal device 400, the inspection item (information name) that needs to be inspected this time is extracted, and the data corresponding to the extracted inspection item is transmitted to the agent control unit 403, AD700, WSUS800 of the user terminal device 400. To request. Details of the procedure (4) will be described later.
(5) Next, the collected data acquisition unit 507 receives data collected by each of the agent control unit 403, AD700, and WSUS800 of the user terminal device 400.
Then, the policy determination unit 501 performs a policy check from the collected data and the policy information, and generates monitoring result information.
(6) Next, monitoring result information is transmitted from the collected data management device 500 to the interactive application execution management device 600.
(7) Next, in the interactive application execution management device 600, the data acquisition unit 603 receives the monitoring result information, the screen information generation unit 601 generates screen information of the monitoring result information, and the data acquisition unit 603 receives the monitoring result. Information screen information is transmitted to the user terminal device 400.
(8) Finally, the browser 401 acquires the screen information of the monitoring result information via the communication unit 103 and causes the browser 106 to display the screen information of the monitoring result information.

Next, an operation example of the collected data management apparatus 500 according to the present embodiment will be described with reference to FIGS.
FIG. 8 is a flowchart showing the entire operation procedure of the collected data management apparatus 500, and FIG. 9 is a flowchart showing details of the processing in step S802 of FIG.

First, in FIG. 8, the communication unit 503 receives a terminal name (IP address) that is identification information of the user terminal device 400 to be inspected transmitted from the interactive application execution management device 600 (S801).
Next, the collected data acquisition unit 507 is based on the monitoring result information in the monitoring result information storage unit 505, the policy information in the policy information storage unit 502, and the identification information of the user terminal device 400 notified from the data acquisition unit 603. The acquisition target data and acquisition destination (agent control unit 403, AD700, WSUS800 of the user terminal device 400) are specified (S802), and transmission of the acquisition target data is requested from the specified acquisition destination.
Next, the collected data acquisition unit 507 receives the collection data to be acquired from the acquisition destination via the communication unit 503 (S803).
Next, the policy determination unit 501 performs a policy check from the collected data and the policy information, and generates monitoring result information (S804).
Next, the communication unit 503 transmits the monitoring result information generated by the policy determination unit 501 to the interactive application execution management device 600 (S805).
Next, the policy determination unit 501 stores the monitoring result information generated in step S804 in the monitoring result information storage unit 505. At this time, the expiration date and the lifetime are written in the monitoring result information, and the monitoring result information is in the format shown in FIG.
Similarly, the policy determination unit 501 writes the lifetime in the collected data, and stores it in a predetermined recording area (for example, the monitoring result information storage unit 505) as the collected data in the format shown in FIG.

  Next, the details of step S802 in FIG. 8 will be described with reference to FIG.

In the collected data acquisition unit 507, the terminal name (IP address) notified from the interactive application execution management apparatus 600 and the terminal name (IP address) of the monitoring result information (FIG. 7) stored in the monitoring result information storage unit 505 Are compared (S901).
Next, the collected data acquisition unit 507 extracts, from the monitoring result information, records whose terminal names match and whose expiration date has not expired (S902). That is, a record of monitoring result information in which a terminal name that matches the terminal name notified from the interactive application execution management apparatus 600 is indicated and a date later than the current date is indicated as an expiration date is extracted.
Next, the collected data acquisition unit 507 compares the information name of the record of the monitoring result information extracted in step S902 with the information name of the policy table 5021 (FIG. 5A) (S903).
Then, the collected data acquisition unit 507 extracts records whose information names do not match from the policy table 5021 (S904).
That is, from the inspection items (information names) indicated in the policy information, inspection items other than the inspection items (in-time inspection items) whose inspection results are within the expiration date in the monitoring result information of the user terminal device 400 are extracted.
The record extracted in step S904 is a record indicating an inspection item that needs to be inspected this time, that is, an inspection item for which the inspection result within the current expiration date is insufficient, and is referred to as an insufficiency policy record.

Next, the collected data acquisition unit 507 compares the information name of the shortage policy record with the information name of the information table 5022 (FIG. 5B), and the terminal notified from the interactive application execution management device 600 The name is compared with the terminal name in the information table 5022 (S905).
Next, the collected data acquisition unit 507 extracts a record in which the information name matches the terminal name from the information table 5022 (S906).
In the information table 5022, since the type is specified for each information name and each terminal name, the type to be applied is selected from the information name of the shortage policy record and the terminal name notified from the interactive application execution management apparatus 600.
Next, the collected data acquisition unit 507 compares the record type of the information table extracted in step S906 with the type of the type table (FIG. 5C) (S907).
Next, the collected data acquisition unit 507 extracts records having the same type from the type table (S908), and acquires the acquisition target record based on the collection means indicated in the extracted record (S909).
When getAgentInfo is shown in the collection means column, data is requested from the agent control section 403 of the agent execution section 402 operating on the user terminal device 400 using this collection means. When getADInfo is indicated in the collection means column, the AD 700 is requested for data. When getWSUSInfo is shown in the collection means column, data is requested to WSUS 800.

As described above, the agent execution unit 402 is provided with the agent control unit 403 that receives control from the collection data management device 500, and controls the operation of the agent execution unit 402 from the collection data management device 500 side.
Further, the definition (model) of the interactive application execution management device 600 is described in an activity diagram, and when the activity “data acquisition from agent” is executed, the agent activation / data collection to the collection data management device 500, Request execution of policy check.
Accordingly, when the browser 401 issues a request to the interactive application execution management apparatus 600, the collection data management apparatus 500 requests the agent to collect data, and generates monitoring result information from the collection information. Therefore, policy checks can be performed when necessary.
Further, if the inspection result of the monitoring result information is within the expiration date, it is not necessary to acquire new data. For this reason, it is not necessary to acquire data from the agent execution unit 402 every time, and the number of data to be collected The network load in data collection and the data collection load in the user terminal device 400 can be reduced.
Even when overlapping data is collected for each type of the collected data acquisition unit 507, only necessary data can be collected.
In addition, since the timing for executing the policy check can be described in a model, the data acquisition procedure, timing, and check contents can be described together in the model format.

  As described above, in the present embodiment, the collection data management apparatus has the collection data acquisition unit, the agent execution unit that acquires data by the control from the collection data acquisition unit, and the monitoring result from the policy data and the collection data. It has a policy judgment unit that generates information and means for storing monitoring result information. The interactive application execution management device has a model execution unit. By using the model, the monitoring data is requested from the collected data management device and displayed. The data acquisition unit generates the policy check timing, describes the timing of the policy check by the model, collects the saved monitoring result information and the deficient data by the collected data acquisition unit, and generates the monitoring result information by the policy judgment unit The display contents are generated by the interactive application execution management device and displayed in the browser. It was described Interview utility check system.

Finally, the user terminal device 100, the collected data management device 200, the interactive application execution management device 300, the user terminal device 400, the collected data management device 500, and the interactive application execution management device 600 (shown in the first and second embodiments) Hereinafter, a hardware configuration example of the user terminal device 100 will be described.
FIG. 10 is a diagram illustrating an example of hardware resources such as the user terminal device 100 described in the first and second embodiments.
10 is merely an example of the hardware configuration of the user terminal device 100 or the like, and the hardware configuration of the user terminal device 100 or the like is not limited to the configuration illustrated in FIG. There may be.

In FIG. 10, the user terminal device 100 and the like include a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, and a processor) that executes a program.
The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907. Further, instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card (registered trademark) read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
A communication board 915, a keyboard 902, a mouse 903, a scanner device 907, an FDD 904, and the like are examples of input devices.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.

  The communication board 915 is connected to the network. For example, the communication board 915 is connected to a LAN (local area network), the Internet, a WAN (wide area network), or the like.

The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
The programs in the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.

The RAM 914 temporarily stores at least part of the operating system 921 program and application programs to be executed by the CPU 911.
The RAM 914 stores various data necessary for processing by the CPU 911.

The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When the user terminal device 100 or the like is activated, the BIOS program in the ROM 913 and the boot program in the magnetic disk device 920 are executed, and the operating system 921 is activated by the BIOS program and the boot program.

  The program group 923 stores programs that execute the functions described as “˜units” in the description of the first and second embodiments. The program is read and executed by the CPU 911.

In the description of the first and second embodiments, the file group 924 includes “determination of”, “comparison of”, “extraction of”, “specification of”, “setting of”, and “registration of”. Information, data, signal values, variable values, and parameters indicating the results of the processing described as "", "selection", etc. are stored as items of "~ file" and "~ database".
The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, editing, output, printing, and display.
Information, data, signal values, variable values, and parameters are stored in the main memory, registers, cache memory, and buffers during the CPU operations of extraction, search, reference, comparison, calculation, processing, editing, output, printing, and display. It is temporarily stored in a memory or the like.
In addition, the arrows in the flowcharts described in the first and second embodiments mainly indicate input / output of data and signals, and the data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. Recording is performed on a recording medium such as a magnetic disk of the disk device 920, other optical disks, mini disks, DVDs, and the like. Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “˜unit” in the description of the first and second embodiments may be “˜circuit”, “˜device”, “˜device”, and “˜step”, It may be “˜procedure” or “˜processing”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” in the first and second embodiments. Alternatively, the computer executes the procedure and method of “to unit” in the first and second embodiments.

  As described above, the user terminal device 100 and the like shown in the first and second embodiments include a CPU as a processing device, a memory as a storage device, a magnetic disk, a keyboard as an input device, a mouse, a communication board, and a display device as an output device, A computer including a communication board or the like, and implements the functions indicated as “˜units” as described above using these processing devices, storage devices, input devices, and output devices.

1 is a diagram illustrating a configuration example of a communication system according to Embodiment 1. FIG. FIG. 4 is a diagram illustrating a configuration example of a communication system according to a second embodiment. The figure which shows the example of the activity diagram which the interactive application execution management apparatus which concerns on Embodiment 2 uses. FIG. 10 is a diagram showing a configuration example of policy information according to the second embodiment. FIG. 10 is a diagram illustrating an example of a policy table, an information table, and a type table according to the second embodiment. FIG. 10 is a diagram illustrating an example of monitoring result information according to the second embodiment. FIG. 6 shows an example of collected data according to the second embodiment. FIG. 10 is a diagram illustrating an operation example of the collected data management apparatus according to the second embodiment. FIG. 10 is a diagram illustrating an operation example of the collected data management apparatus according to the second embodiment. The figure which shows the hardware structural examples, such as the user terminal device 100 which concerns on Embodiment 1 and 2. FIG. The figure which shows the structure of a prior art.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 100 User terminal device, 101 Agent execution part access part, 102 Agent execution part, 103 Communication part, 104 Input part, 105 Display part, 106 Browser, 200 Collection data management apparatus, 201 Policy judgment part, 202 Collection data, 203 Monitoring result Information, 204 Policy information storage unit, 205 Communication unit, 300 Interactive application execution management device, 301 Screen information generation unit, 302 Data acquisition unit, 303 Communication unit, 400 User terminal device, 401 Browser, 402 Agent execution unit, 403 agent Control unit, 404 communication unit, 405 input unit, 406 display unit, 500 collected data management device, 501 policy judgment unit, 502 policy information storage unit, 503 communication unit, 504 monitoring result information, 505 monitoring result information description Department, 506 collected data, 507 collected data acquisition unit, 600 an interactive application execution management apparatus, 601 scene information generating section, 602 model execution unit, 603 data acquisition unit, 604 communication unit, 700 AD, 800 WSUS.

Claims (4)

Connected to a policy inspection apparatus that inspects whether or not the content shown in the collected data matches a predetermined policy, and an inspection result transmission apparatus that transmits inspection result information indicating an inspection result by the policy inspection apparatus,
A data collection unit that collects data used for inspection in the policy inspection device, and transmits the collected data to the policy inspection device;
When the data collection unit completes data collection, the inspection result transmission request is sent to the inspection result transmission device, and the inspection result transmission request is received from the inspection result transmission device as a response to the request. And an information processing apparatus. The inspection result transmission request unit includes:
The information processing apparatus according to claim 1, wherein the information processing apparatus selects and receives inspection result information indicating an inspection result for data transmitted from the data collection unit to the policy inspection apparatus. The information processing apparatus includes:
Connected to a policy checking device that checks whether the contents shown in the collected data match the security policy,
The data collection unit
The information processing apparatus according to claim 1, wherein data relating to security measures in the information processing apparatus is collected. It is connected to a policy inspection apparatus that inspects whether or not the contents shown in the collected data match a predetermined policy, and an inspection result transmission apparatus that transmits inspection result information indicating an inspection result by the policy inspection apparatus. On the computer,
Data collection processing for collecting data used for inspection in the policy inspection apparatus and transmitting the collected data to the policy inspection apparatus;
When the data collection process completes data collection, the inspection result transmission apparatus requests the inspection result transmission apparatus to transmit inspection result information, and receives the inspection result information from the inspection result transmission apparatus as a response to the request. A program characterized by causing processing to be executed.

Images