JP5150546B2 - Information processing apparatus, operation history acquisition method, computer program - Google Patents

Description

  The present invention relates to a technique for recording an operation history such as a command input on a shell program operating outside an OS kernel.

In recent years, confidential data in a company is often concentrated on a server rather than a terminal device such as a client PC (Personal Computer). For example, in a desktop environment using SaaS (Software as a Service), files created by any of the terminal devices are collectively stored in the server. In addition, with the spread of CRM (Customer Relationship Management), customer data is often managed collectively using a server.
In such a situation, there is a risk that a user having access authority to the server may illegally acquire or use confidential data exceeding the originally assigned authority. Therefore, there is an increasing need to suppress such illegal acts.

  As one of the countermeasures, there is a technique for suppressing unauthorized actions by recording all operation histories such as commands input by a user having access authority. In this method, for example, an operation command by a user is recorded by acquiring an execution command like a key logger or capturing and collecting a screen periodically. A conventional program for acquiring such an operation history (hereinafter referred to as a “logging program”) is an operating system (hereinafter referred to as “OS” (Operating System)) kernel that is resident in the system as an application. A format that is resident in the system as a function of the OS by improving, a format that is resident in the system as a function of the OS without requiring improvement of the OS kernel, and a format in which the OS kernel permits insertion of a module by dynamic linking (for example, Linux (Registered trademark) kernel module).

Since the logging program is resident in the system regardless of whether it is an application or a function of the OS, a load is applied to the system and a memory leak is likely to occur. The logging program itself is usually an auxiliary function that operates in the background. However, it is desirable to avoid affecting the main work as much as possible.
Further, when a logging program is used as a function of the OS, if a problem occurs, the OS needs to be restarted. In the system, the OS cannot be restarted unplanned. In this case, the logging program is operated with a failure, and the operation history cannot be normally acquired. Furthermore, in an OS in which kernel version upgrades are frequently performed, when the OS kernel is improved to make the logging program a function of the OS, it is not supported by the OS vendor, which is not preferable in terms of system operation. Further, when the OS is upgraded, the user needs to reinstall the logging program, which increases the maintenance cost.

  Patent Document 1 discloses an information processing apparatus equipped with a logging program as an application. In the information processing apparatus disclosed in Patent Document 1, a logging program is activated by a user login and stopped by logoff. Therefore, the logging program does not reside in the system, and the load on the system is reduced. However, since the logging program is an application that is activated by the shell program when the user logs in, only the logging program can be stopped even during the activation of the shell program, which is ineffective for malicious users. .

Patent Document 2 discloses an information processing apparatus in which a logging program is resident in a system as a function of an OS. In the information processing apparatus disclosed in Patent Document 2, time is added to a message sent from the OS to the application, and this is recorded as an operation history. Therefore, by combining Patent Document 1 and Patent Document 2, it is possible to record the operation history by adding time.
However, even in this case, when the logging program is an application, the problem that only the logging program is stopped by a malicious user cannot be solved. There is a problem that you cannot receive support when there is a version upgrade.

JP 2000-354036 A JP 2007-172463 A

  It is an object of the present invention to provide a technique that can acquire an operation history such as a command input by a user without being a function of the OS, being not resident, and having no room for the user to maliciously operate the OS. Let it be the main issue.

The information processing apparatus of the present invention that solves the above-described problem is a monitoring that starts the monitoring target program as a subordinate process of the parent process that starts after the OS starts and before the monitoring target program that runs on the OS starts. Target program starting means; ID generating means for generating an ID for identifying a processing process by starting the monitoring target program; prompt generating means for generating a prompt including the ID when the monitoring target program is started; is subsequently command is input to the prompt, the command every time the monitored program is executed, the prompt, the command and holds the execution result of the command as a string, in the character string retained The command following the prompt including the ID is extracted by character string search from Extracted command and the execution result of the command comprising and an operation history management means for recording as an operation history of the Ruyu over THE that against the monitored program.

The information processing apparatus of the present invention is not a function of the OS and is not resident because each component operates after the OS is started. Furthermore, since the monitoring target program becomes a subordinate process of the parent process, it is possible to stop only the monitoring target program in the parent process, but the parent process continues to start. Therefore, the operation history management means can acquire the user's operation history for the monitored program regardless of whether the monitored program is started or stopped. In addition, there is no room for the user to perform malicious operations.
Note that the input command includes command input by a pointing device using GUI (Graphical User Interface) in addition to command input by text such as CUI (Character-based User Interface).

The operation history management means stores the prompt, the command, and the execution result of the command as a character string each time the command is input following the prompt, and the monitored program executes the command. , subsequent from the character string stored in the prompt containing the ID command extracted by the character string search, extracted command can be recorded as an operation history of the Ruyu over tHE that against the monitored program and Become. In such a configuration, only the command can be extracted as the operation history, and the command actually input by the user can be easily understood. In addition, it becomes easy to know which processing process the operation history is based on the ID included in the prompt.
The information processing apparatus of the present invention may further include time output means for outputting time information.
In this case, the operation history management means can acquire time information when the command is executed from the time output means, and record the acquired time information in association with the operation history. In such a configuration, the command input time is also left as a history, and a more detailed operation history can be obtained.
The information processing apparatus of the present invention may further include random number generation means for generating a random number. In this case, the prompt generation unit can generate the prompt using the random number generated by the random number generation unit as the ID. Since it is a random number, a different ID is included in the prompt each time the monitored program is started. By recording the random number, for example, it is possible to identify when the operation history is based on the activated monitoring target program.

The operation history acquisition method of the present invention is a method executed by an information processing apparatus that includes an OS and a monitoring target program that operates on the OS. The information processing apparatus identifies a stage in which the monitoring target program is started as a subordinate process of a parent process to be started after the OS is started and before the monitoring target program is started, and a processing process by the start of the monitoring target program Generating an ID for performing , a step of generating a prompt including the ID when the monitoring target program is started , a step of prompting a user to input a command, the command is input following the prompt, Each time the monitored program executes a command, the prompt, the command, and the execution result of the command are held as a character string, and the command following the prompt including the ID from the held character string is a character string. extracted with columns search, extracted command and execute the command And a step of recording the result as an operation history of the user with respect to the monitoring target program.

In the operation history acquisition method of the present invention, the parent process is started after the OS is started and before the monitoring target program is started. Therefore, the parent process is not a function of the OS and is not resident. Parent process, to start the monitored program as a subordinate process also stops the monitoring target program stops parent process. When the user tries to stop the parent process, the monitored program that is a subordinate process is also stopped, so there is no room for the user to perform malicious operations.

The computer program according to the present invention includes an OS and a computer device equipped with a monitoring target program operating on the OS as a subordinate process of a parent process that starts after the OS starts and before the monitoring target program starts. Monitoring target program starting means for starting the monitoring target program, ID generation means for generating an ID for identifying a processing process by starting the monitoring target program, and a prompt for generating a prompt including the ID when starting the monitoring target program generating means, the prompt followed by the command is input, the command every time the monitored program is executed, the prompt holds the execution result of the command and the command as a string, it is held Contains the ID from the string Subsequent to prompt command extracted by the character string search is extracted said command and a computer program to function the execution result of the command as a log manager, to record as an operation history of the Ruyu over THE that against the monitored program .

  According to the present invention, a monitoring target program is started as a subordinate program, and each time a command input is executed by the monitoring target program, the command and the execution result of the command are recorded as a user operation history for the monitoring target program. . Since these are performed after the OS is started, they are neither a function of the OS nor a resident type. Since the monitoring target program is executed as a subordinate process, it is not possible to stop the recording of the operation history while executing the monitoring target program. Therefore, malicious operation by the user can be prevented.

1 is an overall configuration diagram of a system including an information processing apparatus. It is a figure showing the functional block formed in a terminal device at the time of a login process. It is a flowchart of the process from the first login after OS starting to logout. It is explanatory drawing of the starting condition of each program at the time of a login process. FIG. 5A is an exemplary diagram of a screen of a display device on which only a prompt is displayed, and FIG. 5B is an exemplary diagram of a screen of the display device on which a command and an execution result are displayed, and FIG. ) Is an exemplary diagram showing a result of extracting only rows including random numbers from FIG. It is explanatory drawing of the starting condition of each conventional program. It is explanatory drawing of the starting condition of each program in case the logging program 13 is started twice. It is an illustration figure of the program mounted in the terminal device of 2nd Example. It is a functional block diagram formed in the terminal device of 2nd Example. It is a flowchart of the login process of 2nd Example. It is explanatory drawing of the starting condition of each program at the time of a login process in case each user before and after a user change is an acquisition subject of operation history. It is explanatory drawing of the starting condition of each program when a user requests | requires graphical login.

Embodiments of the present invention will be described below with reference to the drawings.
<First embodiment>
FIG. 1 is an overall configuration diagram of a system including an information processing apparatus to which the present invention is applied.
This system includes a plurality of terminal devices 1 and a server 2.
Each terminal device 1 is connected to the server 2 via the network N so as to be able to transmit and receive data. The network N may take any form such as a LAN (Local Area Network), a WAN (Wide Area Network), or a network using a public line.

  The server 2 holds data, programs, and the like used for processing in the terminal device 1, and provides these data, programs, and the like when accessed from the terminal device 1. For example, the server 2 holds a user management table 20 as illustrated. This user management table 20 is a table that is referred to when a user logs in to the terminal device 1, and is a login ID (IDentification) of all users, passwords, and whether or not the user is an operation history acquisition target. The target person information representing is recorded. A user whose target person information is “target” is an operation history acquisition target, and a user who is “non-target” is not an operation history acquisition target.

  The server 2 also acquires operation history files, which will be described later, from each terminal device 1 and stores them in a lump. The operation history file stored in the server 2 is analyzed by a system administrator as necessary, and it is possible to know what commands and the like are input by the user from each terminal device 1. The operation history file acquired from each terminal device 1 may be stored separately for each terminal device 1. In this way, it is possible to know who has input what command and the like by which terminal device 1. The server 2 may acquire operation history files sequentially from each terminal device 1 or may be temporarily stored in each terminal device 1 and collected periodically.

  The terminal device 1 is connected to an input device such as a keyboard and a mouse and a display device, and includes a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), a network card, and an input / output interface. It is an apparatus as an example of the information processing apparatus of the present invention provided. As illustrated in FIG. 1, the terminal device 1 includes an OS 10 and an application 11 that operates on the OS 10. In the example of FIG. 1, only the program used when the user logs in is described as the application 11, but other programs may be held. It is also possible to execute a program held in the server 2. In the example of this embodiment, the application 11 used at the time of user login includes an authentication program 12, a logging program 13, and a shell program 14 to be monitored in this embodiment. The authentication program 12 and the shell program 14 are applications that are also used in this type of conventional terminal device 1.

The authentication program 12 is an application for performing user authentication processing.
For example, the authentication process is performed by referring to the user management table 20 to determine whether or not the login ID and password input by the input device when the user logs in are valid. In the authentication process, it is also determined whether or not the user is an operation history acquisition target by referring to the target person information in the user management table 20. The conventional authentication program instructs the activation of the shell program 14 after authenticating the user by the authentication process. However, the authentication program 12 of this embodiment instructs the activation of the logging program 13 when the user is an operation history acquisition target, and activates the shell program 14 when the user is not an operation history acquisition target. Instruct.

  The logging program 13 is an application for creating an operation history file representing an operation history such as a command input by the user from the input device and storing the operation history file in a predetermined storage device. The logging program 13 generates an argument for starting the shell program 14. This argument is used when the logging program 13 instructs to start the shell program 14.

  The shell program 14 is an application that is also executed during a conventional login process. The shell program 14 interprets the command input by the user, executes the process, and returns the execution result. The shell program 14 displays a prompt indicating that it can accept commands. When the shell program 14 is activated using an argument generated by the logging program 13, this argument is included in at least a part of the prompt. When the shell program 14 is started without using an argument, a prompt set by the user is displayed. When the activation process is instructed by the authentication program 12, the processing process of the shell program 14 becomes a child process (subordinate process) whose parent process is the processing process by the activation of the authentication program 12, and the activation is instructed by the logging program 13. In other words, it becomes a subordinate process of the processing process by starting the logging program 13.

  In the present embodiment, an example of a server / client system as shown in FIG. 1 will be described. However, the present invention is not limited to the authentication program 12, the logging program 13, and the terminal device 1 even when the terminal device 1 is in a stand-alone state. Implementation is possible if the shell program 14 is provided. When the terminal device 1 is stand-alone, the user management table 20 is held by the terminal device 1.

FIG. 2 shows functional blocks formed in the terminal device 1 during the login process.
The terminal device 1 includes an input reception unit 31, a display control unit 32, a processing unit 33, a communication control unit 34, an authentication unit 35, a random number generation unit 36, a shell program activation unit 37, a time output unit 38, and an operation history management unit 39. An operation history recording unit 40 and a prompt generation unit 41 are formed.
In this embodiment, the authentication unit 35 is formed by executing the authentication program 12. The random number generator 36, the time output unit 38, the operation history management unit 39, and the operation history recording unit 40 are formed by executing the logging program 13. The processing unit 33 and the prompt generation unit 41 are formed by executing the shell program 14. The shell program activation unit 37 is formed by executing the authentication program 12 or the logging program 13. The input receiving unit 31, the display control unit 32, and the communication control unit 34 are formed by various drivers (not shown) when the OS 10 is activated. However, which functional block is formed by which program is not limited to this.

The input receiving unit 31 receives a command input from an input device.
The display control unit 32 displays a predetermined image on the display device. The display control unit 32 displays the command received by the input receiving unit 31 and the execution result thereof on the display device. The display control unit 32 displays a prompt on the display device when the terminal device 1 is in a state where it can accept an input such as a command from the input device.
When a command or the like is input, the display control device 32 displays the input command following the prompt. The command execution result is displayed in an area different from the prompt, for example, in a line where no prompt or command is displayed.
The processing unit 33 executes information processing according to the content of the command received by the input receiving unit 32. The execution result is sent to the display control unit 32 and displayed on the display device.

  The communication control unit 34 transmits / receives data to / from the server 2 via the network N. The communication control unit 34 receives data and programs necessary for processing from the server 2 or transmits an operation history file to the server 2. The operation history file is transmitted in response to a request from the server 2 or sequentially.

  The authentication unit 35 refers to the user management table 20 with the login ID and password received by the input reception unit 31, and performs user authentication processing including determination as to whether or not the user is an operation history acquisition target.

The random number generator 36 generates a random number before the shell program 14 is activated. For example, when a plurality of users log in to the same terminal device 1, one random number is generated for each user. Even for the same user, a different random number is generated each time the user logs in.
When formed by executing the logging program 13, the shell program activation unit 37 activates the shell program 14 using the random number generated by the random number generation unit 36 as an argument. When the shell program activation unit 37 is formed by executing the logging program 13, the processing process of the shell program 14 is a subordinate process whose parent process is the processing process due to the activation of the logging program 13. The shell program activation unit 37 activates the shell program 14 without using an argument when formed by executing the authentication program 12. When the shell program activation unit 37 is formed by executing the authentication program 12, the processing process of the shell program 14 is a subordinate process whose parent process is the processing process by activation of the authentication program 12.
As described above, the random number is generated each time the user logs in, even for the same user. That is, the argument at the time of starting the shell program 14 changes each time. Therefore, it is possible to identify a processing process by starting the shell program 14 by using an argument, that is, a random number.

  For example, the time output unit 38 acquires and outputs the current time measured by the OS 10 or the current time measured by the server 2. The current time may be measured by itself.

The operation history management unit 39 creates an operation history file representing the operation history of the user for the shell program 14 from the command and the execution result each time the command is input by the user and the command is executed by the shell program 14. Are recorded in the operation history recording unit 40. The operation history management unit 39 may use the command and its execution result as an operation history file as it is. For example, the operation history management unit 39 holds the prompt, the command, and the execution result of the command as a character string. An operation history file may be created by extraction using a search and an extracted command. As will be described later, the prompt includes the random number generated by the random number generator 36, and the command is extracted by, for example, extracting a line including the random number. For example, a line is extracted every time a command is input and the processing for the command is completed and displayed on the display device. The operation history management unit 39 acquires the current time from the time output unit 38 and adds the current time to the extracted line and records it. In such a configuration, the operation history is recorded every time a command is input, and the input time of each command can be easily understood. If, for example, a login ID is added to the operation history file, it is possible to know which user's operation history file.
In addition, since the random number included in the prompt is generated every time the user logs in, the random number when creating the operation history file changes each time. Therefore, the operation history file can be identified by a random number.

  The prompt generation unit 41 generates a prompt including an ID for identifying a processing process due to activation of the shell program 14. In this embodiment, a random number generated by the random number generator 36 is used as the ID. The prompt generation unit 41 is formed by starting the shell program 14, and can generate a prompt including the random number by using a random number as an argument for starting the shell program 14. It is desirable that the ID included in the prompt cannot be changed by the user.

In such a system, the terminal device 1 performs processing from user login to logout as follows.
FIG. 3 is a flowchart of processing from first login to logout after the OS 10 is started. FIG. 4 is an explanatory diagram of the activation status of each program during the login process. In FIG. 4, the line portion is when each program is waiting, and the rectangular portion is when each program is started. In the following description, when each program is on standby and when it is started, the same program start status is described.
First, when the OS 10 is activated in the terminal device 1, the user can input a login ID and a password from the input device. When these are input, the terminal device 1 accepts a user authentication request. When the authentication request is received, the authentication program 12 is activated to activate the function of the authentication unit 35, and an authentication process including determination as to whether or not the user is an operation history acquisition target is performed (step S10). If the user cannot be authenticated by the authentication process, the terminal device 1 displays that fact on the display device and prompts the user to input the login ID and password again.

When the user who has been authenticated by the authentication process is a person who is the acquisition target of the operation history, the logging program 13 is activated by the authentication program 12 (step S20: Y, step S30).
When the logging program 13 is activated, a time output unit 38, an operation history management unit 39, and an operation history recording unit 40 are formed, and acquisition of the user operation history is started. The logging program 13 continues to be activated until there is a logout request from the user. After the logging program 13 is activated, the terminal device 1 activates the shell program 14 by the shell program activation unit 37 using the random number generated by the random number generation unit 36 as an argument (step S40).

  If the user who has been authenticated by the authentication process is not an operation history acquisition target, the shell program 14 is started by the authentication program 12 (step S20: N, step S50).

  By starting the shell program 14, desired information processing can be performed by the terminal device 1. A prompt is displayed on the display device. When the shell program 14 is activated with a random number as an argument, the prompt includes the random number. When the shell program 14 is activated in step 20 when it is determined that the user is not an operation history acquisition target, the shell program 14 becomes a subordinate process whose parent process is the processing process resulting from the activation of the authentication program 12. . When the shell program 14 is activated after the logging program 13 is activated, the shell program 14 becomes a subordinate process whose parent process is the processing process resulting from the activation of the logging program 13.

  FIG. 5A is a diagram illustrating a screen example of the display device on which a prompt including a random number is displayed. “Efd98793472kojfa” is a random number. In this example, the prompt consists only of a random number, but for example, a user's login ID may be added thereto.

  When a command is input from the input device, the input receiving unit 31 receives the command, and the processing unit 33 performs processing according to the command. The commands received by the input receiving unit 31 are displayed side by side on the same line as the prompt. The execution result by the processing unit 33 is displayed on a line different from the prompt. FIG. 5B is a diagram showing a screen example of the display device on which such commands and execution results are displayed. “Ls” is the command, and “admin apps kernel service system” is the execution result. When the execution result is displayed, the prompt “[efd98793472kojfa] #” is displayed on the next line of the execution result.

The operation history management unit 39 holds prompts, commands, and command execution results as shown in FIG. 5B as character strings. Since the operation history management unit 39 is formed by the logging program 13 which is a parent process of the shell program 14, the operation history management unit 39 performs these operations before the display as shown in FIGS. You will get a string. Although all the character strings displayed in FIG. 5B may be recorded as the operation history in the operation history recording unit 40, in this embodiment, prompts and commands are extracted and recorded. For this purpose, the operation history management unit 39 extracts lines including random numbers. The operation history management unit 39 searches the character string for a random number from the character string for the prompt, the command, and the execution result of the command, and extracts the command following the prompt.
FIG. 5C is a diagram illustrating an example of a result of extracting a row including a random number from FIG. In the example of FIG. 5C, the current time acquired from the time output unit 38 is added to the head of the extracted line. “20080927112011” is the current time. Here, the extraction is performed in units of lines, but this is an example. For example, when there is an input of a command extending over two lines, the operation history is acquired by extracting all the commands following the prompt.

  Thus, the terminal device 1 can record the command input from the input device together with the current time in the operation history file. Conventionally, when an operation history is acquired by an application like the logging program 13 of the present embodiment, it is difficult to record only commands and acquire the current time. For this reason, all commands have to be recorded together with the execution results as an operation history file. On the other hand, since only commands can be recorded in this embodiment, the size of the operation history file can be made smaller than before. Here, the command only means all character strings excluding the execution result. Even when the input to the terminal device 1 includes a character string other than the command, it corresponds only to the command mentioned here.

When logging out, the user inputs a logout request through the input device. When there is a logout request, the terminal device 1 first stops the shell program 14 (step S60), and then stops the logging program 13 (step S70).
If the user authenticated by the authentication process is not the person who is the acquisition target of the operation history, the terminal device 1 stops the shell program 14 when a logout request is made after the shell program 14 is started in step S50 (step S50). S80).
As described above, the logout process ends. When stopping the OS 10, a shutdown command is input to the terminal device 1 by the input device (step S90).

FIG. 6 is an explanatory diagram of the activation status of each conventional program. Conventionally, the shell program 14 is started after the authentication program 12 performs the authentication process. The logging program 13 is activated immediately after activation of the OS 10 and before activation of the authentication program 12 (pattern 1) or after activation of the shell program 14 (pattern 2).
The conventional logging program 13 resides in the system in the case of pattern 1 and has already acquired a command when a user authentication is requested. Therefore, problems such as memory leaks are likely to occur. On the other hand, the logging program 13 of this embodiment is started after the user authentication process. In other words, since it is not resident, problems such as conventional memory leaks are less likely to occur.
Further, in the case of the pattern 2 in the conventional logging program 13, a situation in which only the logging program 13 is stopped while the shell program 14 is activated as in Patent Document 1 occurs. On the other hand, the logging program 13 of this embodiment is started before the shell program 14 is started, and when the logging program 13 is stopped, the shell program 14 is stopped before that. Therefore, only the logging program 13 does not stop. Thus, by starting the logging program 13 before the shell program 14, it is possible to avoid a situation in which the history of commands cannot be acquired as in the prior art while the shell program 14 is running.
Since the logging program 13 is not a function of the OS 10 but is installed in the terminal device 1 as the application 11, it is not affected by the upgrade of the OS 10. Further, even when the operation of the logging program 13 becomes defective, it is not necessary to shut down the OS 10.

<Second embodiment>
In the terminal device 1 according to the first embodiment, the user may be changed after the login process. In this case, if the user who has already logged in is not the operation history acquisition target, the login process is performed by performing the process shown in FIG. 3 on the changed user. Further, even when the user who has already logged in is the operation history acquisition target, if the changed user is not the operation history acquisition target, the process shown in FIG. 3 is performed on the changed user. Thus, login processing is possible.
However, if the user who has already logged in is the operation history acquisition target and the changed user is also the operation history acquisition target, the logging program 13 is activated twice when the processing shown in FIG. 3 is performed. Is done. For example, as shown in the explanatory diagram of the activation status of each program shown in FIG. 7, the logging program 13 is activated twice. If the logging program 13 is activated twice, the operation history cannot be acquired normally.

In the terminal device 1 ′ of the second embodiment, as shown in FIG. 8, a logging activation program 15 is installed in the application 11 as the application 11, in addition to the programs shown in the first embodiment. The logging activation program 15 prevents the logging program 13 from being activated twice.
The logging activation program 15 searches for the parent process of the processing process by its own activation, and checks whether there is a processing process (hereinafter referred to as “logging process”) by the activation of the logging program 13 in the parent process (hereinafter “logging process”). This is an application for “situation determination processing”. When there is a logging process in the parent process, since the logging program 13 has already been started, there is no need to start the logging program 13 further. For this purpose, the logging activation program 15 instructs the activation of the shell program 14. If there is no logging process in the parent process, the logging program 13 has not been activated yet, so the logging program 15 instructs the logging program 13 to be activated. The logging activation program 15 is activated when the authentication program 12 determines that the user is an operation history acquisition target.
The shell program 14 is used not only at the time of login but also in various situations due to the specifications of the OS 10. Therefore, the logging activation program 15 needs to behave in the same manner as the sequential shell program 14 in consideration of all these situations. For this purpose, the logging activation program 15 emulates the shell program 14.

FIG. 9 is a functional block diagram formed in the terminal device 1 ′ of the second embodiment. The functional block of the terminal device 1 ′ of the second embodiment has a configuration in which a situation determination unit 42 is added to the functional block of the first embodiment, and there are no other changes. The same function blocks are given the same reference numerals, and their functions are also the same.
The situation determination unit 42 performs situation determination processing. In the second embodiment, the shell program activation unit 37 is formed by executing the logging activation program 15 or by executing the logging program 13.

In such a terminal device 1 ′ of the second embodiment, the login process is performed as follows. FIG. 10 is a flowchart of the login process. FIG. 11 is an explanatory diagram of the activation status of each program at the time of login processing when each user before and after the user change is an operation history acquisition target.
At the time of the first user login, if there is a user authentication request, the terminal device 1 ′ performs an authentication process (step S201), and determines whether or not the authenticated user is an operation history acquisition target (step S202). . If the person is not an operation history acquisition target, the authentication program 15 starts the shell program 14 (step S202: N, step S204).

  If the authenticated user is a person who is the acquisition target of the operation history, the logging activation program 15 is activated by the authentication program 12 (step S202: Y, step S203, logging activation program (1) 15 in FIG. 11). The status determination process using the status determination unit 42 is performed by the logging activation program (1) 15 (step S205). Here, since it is the first user login process and the parent process has only the process by the authentication program 12, the logging program 13 is started as it is (step S205: none, step S206). When the logging program 13 is started, acquisition of an operation history of the first user is started. After the logging program 13 is activated, the terminal device 1 ′ activates the shell program 14 by the shell program activation unit 37 using the random number generated by the random number generation unit 36 as an argument (step S208, shell program (1) 14 in FIG. 11). .

  Next, a login process when a user is changed after the first user logs in will be described. It is assumed that the first user is an operation history acquisition target and the logging program 13 has already been started.

  When there is a user change request, the terminal device 1 ′ performs an authentication process for the user to be changed (step S <b> 201), and determines whether or not the authenticated user is an operation history acquisition target (step S <b> 202). If the person is not an operation history acquisition target, the authentication program 15 starts the shell program 14 (step S202: N, step S204).

If the authenticated user is a person who is the acquisition target of the operation history, the logging activation program 15 is activated by the authentication program 12 (step S202: Y, step S203, logging activation program (2) 15 in FIG. 11). A status determination process using the status determination unit 42 is performed by the logging activation program (2) 15 (step S205). Here, the change is a user, and since the first user is an operation history acquisition target, the parent process includes a logging process. For this purpose, the logging program (2) 15 activates the shell program 14 using the shell program activation unit 37 (step S205: Yes, S207, shell program (2) 14 in FIG. 11).
Since the logging program 13 monitors the shell program (1) 14 that is started first, the changed user's shell program (2) 14 that is a grandchild process of the shell program (1) 14 that is started first is displayed. Can be monitored.
In this way, it is possible to prevent the logging program 13 from being activated twice. In such processing, the processing process by the shell program 14 activated in step S204 is a subordinate process of the processing process by activation of the authentication program 12, and the processing process by the shell program 14 activated in step S207 is the logging activation program 15. The processing process by the shell program 14 activated in step S208 is a subordinate process of the logging process.

<Third embodiment>
The first and second embodiments assume console login. Here, the console login refers to a so-called CUI login in which a text command input screen (called a console, a terminal, or a command prompt) is prepared as an interface for a user to give an instruction to the OS 10.
In recent years, GUI has become mainstream rather than CUI. The user may select a GUI as an interface for giving a command to the OS 10. In this case, before the shell program 14 is activated, it is necessary to activate various programs such as an initialization program of a window manager (GNOME or the like) that controls the GUI screen.
In the first embodiment, when the user requests a graphical login, the logging program 13 needs to prepare the GUI. Normally, a GUI is prepared by a window manager, which requires a very large amount of code. Therefore, it is unrealistic for the logging program 13 to act as a window manager.

Therefore, in the third embodiment, the authentication program 12 starts the logging activation program 15 and the logging activation program 15 has the same configuration as the second embodiment in which the logging program 13 is activated.
FIG. 12 is an explanatory diagram of the activation status of each program when the user requests a graphical login.
When the operation history acquisition target requests a graphical login, the authentication program 12 starts the logging start program 15. The logging activation program 15 activates the logging program 13 after activating various programs (GUI related program 16) necessary for the GUI. The logging program 13 activates the shell program 14 and cooperates with the activated GUI environment.
In this case, the logging program 13 may further include a function of detecting a specific operation (such as a mouse click) on the GUI as well as the command and its execution result, and acquiring an image obtained by capturing the screen as an operation history.

  In this way, the authentication program 12 does not directly start the logging program 13, but once the logging start program 15 is started, so that an SFTP login request (TTY is not assigned, so operation based on child process monitoring) The history command cannot be executed), and the less command is executed in the shell program 14 that is acquiring the operation history (the less command restarts the shell program according to the user information management table, so the logging program 13 is started twice. The normal operation of the logging program 13 can be ensured by dealing with various usage situations.

  DESCRIPTION OF SYMBOLS 1, 1 '... Terminal device, 10 ... OS, 11 ... Application, 12 ... Authentication program, 13 ... Logging program, 14 ... Shell program, 15 ... Logging start program, 16 ... GUI related program, 2 ... Server, 20 ... User Management table 31... Input receiving unit 32... Display control unit 33. Processing unit 34 .. communication control unit 35 .. authentication unit 36 .. random number generation unit 37. 39 ... Operation history management unit, 40 ... Operation history recording unit, 41 ... Prompt generation unit, 42 ... Situation determination unit

Claims (5)

Monitoring target program starting means for starting the monitoring target program as a subordinate process of the parent process that starts after the OS starts and before the monitoring target program operating on the OS starts;
ID generating means for generating an ID for identifying a processing process by starting the monitoring target program;
Prompt generation means for generating a prompt including the ID when starting the monitoring target program;
The prompt followed by the command is input, the command every time the monitored program is executed, the prompt, the command and holds the execution result of the command as a string, the character string retained an operation history management means following a prompt command extracted by the character string search, recording the extracted command and the execution result of the command as an operation history of the Ruyu over tHE that against the monitoring target program including the ID from within, made with a,
Information processing device. A time output means for outputting time information;
The operation history management means acquires time information when the command is executed from the time output means, and records the acquired time information in association with the operation history.
The information processing apparatus according to claim 1 . Equipped with random number generating means for generating random numbers,
The prompt generation means generates the prompt using the random number generated by the random number generation means as the ID.
The information processing apparatus according to claim 1 or 2 . An information processing apparatus that includes an OS and a monitoring target program that runs on the OS.
Starting the monitoring target program as a subordinate process of a parent process to be started after the OS is started and before the monitoring target program is started;
Generating an ID for identifying a processing process by activation of the monitoring target program;
Generating a prompt including the ID when starting the monitoring target program;
Prompting the user to enter a command;
Each time the command is input following the prompt and the monitored program executes the command, the prompt, the command, and the execution result of the command are held as a character string, and the stored character string A command that follows the prompt including the ID is extracted by a character string search, and the execution result of the extracted command and the command is recorded as the operation history of the user with respect to the monitoring target program.
Operation history acquisition method. A computer device equipped with an OS and a monitoring target program that runs on the OS,
Monitoring target program starting means for starting the monitoring target program as a subordinate process of a parent process that starts after the OS starts and before the monitoring target program starts;
ID generating means for generating an ID for identifying a processing process by starting the monitoring target program;
Prompt generation means for generating a prompt including the ID when starting the monitoring target program;
The prompt followed by the command is input, the command every time the monitored program is executed, the prompt, the command and holds the execution result of the command as a string, the character string retained operation history management means following a prompt command extracted by the character string search, recording the extracted command and the execution result of the command as an operation history of the Ruyu over tHE that against the monitoring target program including the ID from within,
A computer program that functions as a computer program.

Images