KR100396308B1 - Linux System and Operating Method of the Linux System having improved access control function - Google Patents

Abstract

The present invention relates to a Linux system and an operating method of the Linux system with improved access control.

In the Linux system according to the present invention, each host can set access rules to system resources for each process, but has a function of determining whether to allow access to system resources according to the set access rules. It is equipped with Linux OS. Each of these hosts works with a log server, which stores the log information sent from each host, and allows you to retrieve log information from a manager server that works with it according to a predefined rule. In addition, each host and log server interwork with an administrator server, which sets access rules for each host and retrieves log information in the log server.

Using the present invention, an access control function can be enhanced and an operating system specialized for the purpose of the system can be configured. That is, it is possible to set up a security environment for each purpose, such as dedicated web server or dedicated file server.

Description

Linux system and operating method of the Linux system having improved access control function

The present invention relates to a Linux system and a method of operating the Linux system with improved access control. In particular, even if a hacker succeeds in introducing the system by introducing the concept of super user authority distribution and rule-based access control (MAC), It's about Linux systems and how they operate that can block hackers' ultimate actions.

As the role of the Internet is expanded from intranet and electronic commerce to simple information sharing, the interest and importance of hacking and information protection are increasing. The incidence of hacking has resulted in invasion of privacy, loss of property, loss of corporate image, leakage of confidential information, and discontinuance of services, and the magnitude of the damage is increasing rapidly. Especially in the case of companies, the question of whether or not to prevent hacking is directly related to the survival of the company.

In general, UNIX operating systems use identity-based access control (DAC) as an access control method. In addition, the Trusted Computer System Evaluation Criteria (TCSEC) defines the same concept as the DAC as an identity-based access control policy. In other words, the DAC defines a method of restricting access to an object based on the identity of a subject or a group to which they belong.

The biggest security problem in this identity-based access control (DAC) scheme is that the superuser privileges are not distributed and are too powerful. In other words, if you are a superuser, you can configure all of the system configuration and kill all processes. Thus, if a hacker takes advantage of a vulnerability to become a superuser, he can do everything a superuser can do.

The problems with the Unix operating system currently using identity-based access control (DAC) are as follows.

1. Superuser (root) abuse is possible.

2. Many system files can be changed easily.

3. Modules can easily be used to intercept the kernel.

4. Kernel modularization of the kernel as the size of the kernel and the support functions increase, and after the module is inserted into the kernel, it becomes part of the kernel and performs work. As a result, malicious code can cause serious problems.

5. The process is not protected.

Meanwhile, MAC (Mandatory Access Control) is an access control method that is mainly discussed along with ID-based access control (DAC). In TCSEC, MAC is defined with the same concept as rule-based access control policy. That is, MAC is a method of restricting access to an object based on the confidentiality of information included in the object (a permission level expressed by a label) and the subject's authority to access information of such confidentiality.

The present invention has been devised to solve the above problems, and provides a Linux system and a method of operating the security of which are enhanced by introducing the concept of super user authority distribution and rule-based access control (MAC). There is this.

Linux system according to the present invention to achieve the above object,

It is possible to set an access rule to a system resource for each process, and when the process tries to access a specific resource, it is determined whether the access rule is satisfied, and if the access rule is satisfied, the resource If the access rule is allowed, but the access rule is not satisfied, the Linux operating system (LINUX OS: Operating System) is configured to block access to the resource and notify the log server of the log information. One or more hosts; A log server for storing log information transmitted from each host in association with each host, and retrieving the stored log information according to a predetermined rule from an administrator server interworking with the host; And an administrator server for setting the access rule in association with each host and retrieving the log information in association with the log server.

The access rule is managed through a capability file that records the capabilities granted to the kernel itself, and an access control list (ACL) file that records the access rules granted to each process. It can be implemented preferably.

The operating system loads the contents of the access control list file into a memory at the time of booting, and if the contents of the access control list file are changed after booting, reflects them in the memory and uses the contents of the capability file. It is preferable to configure the content file to read and use the capability relay file, which retains the contents of the capability file as it is, but which performs the function of distinguishing the contents from when the contents are transferred to the kernel and when the contents are changed.

The operating system determines whether the access rule is satisfied through the access control list information or the capability relay file loaded in the memory when the process attempts to access a specific resource. A kernel that allows access to the resource but fails to satisfy the access rule, and blocks access to the resource and notifies log information about the resource to a log server; Interface means with the manager server; And access rule updating means for allowing the manager server to change the access control list file or the capability file through the interface means.

The function of the kernel can be implemented more preferably by implementing to implement at the source code level.

The interface means may be preferably implemented by including one or more of a command line interface (CLI) and a web user interface (Web GUI).

The access control list file preferably configures a category as information about each process name, an object that each process is to access, and an access type for the object.

In this case, the object is a file / directory or capability, and the access type is read / write prohibited, read only, append only, and writable for the file / directory. ) And one of the inheritance (INHERIT) and the discontinuity (NO_INHERIT) can be preferably implemented.

The operating system is further configured to further include an alarm transmission means for receiving log information that does not satisfy the access rule from the kernel and transmitting the log information to the administrator server through an e-mail. It can be carried out.

On the other hand, the operating system is preferably configured to further include a security function of the process itself. That is, if the capability of a particular process is a capability indicating un-killable, the function may ignore an attempt to stop the process; When the capability of a specific process is a capability indicating hiding, a function not indicating a corresponding process while performing a display function of a process list; And when the capability of a specific process is a capability that implies a module insertion restriction, it may be configured to include one or more functions of ignoring when attempting to insert a module into the kernel.

In addition, the operating system may be preferably configured to further include a network security processing means for performing a function of inspecting the data packet transmitted and received from the host to pass only if the packet is allowed to pass.

The network security processing means receives a rule regarding the passage of the data packet from the administrator server through a command line interface (CLI) or a web graphical user interface (Web GUI), and the rule is recorded and managed in a separate file. It is preferable to configure so that.

The operating system may further include a function of creating a list and transmitting the list to the log server when a connection attempt to an unopened port of the host for a predetermined time exceeds a predetermined number. It can implement preferably.

The log server is configured to interwork with the management server through a web graphical user interface (Web GUI), and in searching log information stored therein, the search is performed using one or more search options of AND, NOT, and OR. It can be preferably implemented by configuring to include a function that allows.

According to the present invention, an operating method for enhancing the access control function of the Linux system includes: a first procedure for setting an access rule for each process; A second procedure for investigating whether there is a process for accessing a system resource; if the process finds that there is a process for accessing the resource, the process may be referred to the process by referring to the access rule. A third procedure of determining whether it is allowed; A fourth procedure for allowing the process to access the resource if access is granted as a result of the determination in the third procedure; And a fifth procedure of stopping the operation of the process and recording log information thereof when access is not permitted as a result of the determination in the third procedure. This procedure is performed by the Linux operating system on each host.

The access rule set in the first procedure may include a capability file that records the capability granted to the kernel itself, and an access control list that records the access rules granted to each process. List) file is preferably configured.

The access rule is configured to be set from another computer system (administrator server), but the interface with the manager server is configured through a command line interface (CLI) or a web traffic user interface (Web GUI). Can be.

In this case, the third procedure may include: determining whether a process to access system resources is a process of the kernel itself or an individual process; Determining whether the access rule recorded in the capability relay file is satisfied in the case of a process of the kernel itself; And in the case of a separate process as a result of the determination, determining whether the access rule specified in the access control list information loaded in the memory is satisfied.

As described above, the access control list file is preferably configured to include each process name, an object that each process is to access, and access type information about the object.

Here, the object is a file / directory or a capability, and the access type is read / write prohibited, read only, append only, and writable for the file / directory. The capability may be configured to be one of inheritance (INHERIT) and discontinuity (NO_INHERIT).

The fifth procedure may be preferably implemented by additionally providing a procedure for transmitting log information that does not satisfy the access rule to an administrator server through an e-mail.

On the other hand, the operating method of the Linux system can be more preferably implemented to further include a network security procedure.

This network security procedure comprises the steps of: setting a pass rule of a data packet; Examining whether there is a data packet being transmitted or received; Determining whether to pass the data packet transmitted or received with reference to the set rule as a result of the investigation; And passing the data packet in the direction if the pass is permitted, but dropping the data packet in the direction, otherwise dropping the data packet.

The network security procedure may also include examining whether there is a connection attempt to a port that is not open; Determining whether the connection attempt exceeds a predetermined number of times for a predetermined time when there is a connection attempt as a result of the investigation; And if it is determined that the number is exceeded, it may be configured to further include the step of notifying it to the prescribed log server can be carried out more preferably.

1 is a configuration diagram of an embodiment of a Linux system according to the present invention;

2 is a flowchart of an embodiment of an operation of a Linux operating system according to the present invention;

3 is a flowchart of an embodiment of the operation of a log server;

4 is a flowchart of an embodiment of the operation of a manager server;

5 is a detailed detailed configuration diagram of a Linux system according to the present invention;

6 is an example of capability;

7 is a configuration example of a category of an access control list (ACL) file;

8 is a configuration example of an access control list (ACL) file;

9 is a flowchart illustrating an embodiment of a process of applying an access rule;

10 is a flowchart of a first embodiment related to a process security function;

11 is a flowchart of a second embodiment related to a process security function;

12 is a flowchart of a third embodiment of a process security function;

13 is a flowchart of a first embodiment related to a network security function;

14 is a flowchart of a second embodiment related to a network security function;

15 is an embodiment of a configuration of a log server;

16 illustrates an embodiment of a GUI configuration of a log server.

* Description of the main symbols in the drawings

10-1 to 10-3: Host 11: Linux Operating System

12: Kernel 12-1: Process

12-2: access rule check means 12-3: access control list (memory)

12-4: Access Control List File 12-5: Capability Relay File

12-6: Capability File 12-7: Log Processing Means

13: Access rule update means 14-1: CLI processing means

14-2: Web GUI means 15: Network security processing means

16: alarm transmission means 20: log server

21: Web GUI means 22-1: Receive IP list file

22-2: Initialization means 22-3: Log receiving means

22-4: log filter means 22-5: log storage means

22-6: Log Table 30: Manager Server

Hereinafter, with reference to the accompanying drawings will be described in detail the present invention.

1 is a configuration diagram of an embodiment of a Linux system according to the present invention, wherein at least one host 10-1 to 10-3 and a log server 20 interworking with each host 10-1 to 10-3 are provided. ) And the manager server 30, the manager server 30 and the log server 20 also interlock with each other. Each host 10-1 to 10-3 is equipped with a Linux operating system (OS) according to the present invention. Hereinafter, the "Linux operating system" is used to mean an operating system designed to perform a function according to the present invention.

Referring to Figure 2 will be described in detail the function of the Linux operating system.

First, the Linux operating system allows to set an access rule to access the system resources (S210). If there is a process that attempts to access a resource while investigating which process is trying to access a specific system resource (S211), it searches for the set access rule to determine whether access to the resource is permitted. Determine (S212). As a result of this determination, if access is allowed, access to the resource is allowed (S214) and the process is continued to be performed (S215). However, if the access is not allowed, the access to the resource is blocked and the process is stopped (S216), and log (LOG) information related thereto is transmitted to the log server 20 (S217).

Referring to FIG. 3, the function of the log server 20 will be described. The log server 20 waits for receiving log information from each host 10-1 to 10-3 and stores the log information in a database. (S310, S311). In addition, if there is a log information search request from the manager server 30 (s312), the log server 20 searches the database (S313) and provides the manager server 30 (S314).

On the other hand, the administrator server 30 is a role to set the access rules to be used by each host (10-1 to 10-3) and abnormal access occurred in each host (10-1 to 10-3) through the log server 20 Retrieve information.

Referring to FIG. 4, when the administrator server 30 wants to change an access rule of each host 10-1 to 10-3 (S410), the manager server 30 accesses the corresponding host (eg, 10-1) (S411). The access rule is changed (S413), and the changed contents are stored in the host 10-1 (S413). In addition, when the search of the log information is required (S420), the manager server 30 accesses the log server 20 (S421) and requests to search for necessary log information (S422), and the log server 20 The requested log information is retrieved (S423) and transmitted to the manager server 30 (S424).

5 is a detailed configuration diagram of a preferred embodiment of a Linux system according to the present invention, with reference to this will be described in more detail the present invention.

The Linux operating system 11 mounted on each of the hosts 10-1 to 10-3 includes a kernel 12, an access rule updating means 13, interface means 14-1 and 14-2 with an administrator server, and a network. Security processing means 15, alarm transmission means 16 and the like.

Here, in addition to the basic functions of the Linux system, the kernel 12 may have access control list (ACL) information 12-3 or capper loaded in memory when the process 12-1 tries to access a specific resource. It is determined whether the access rule is satisfied through the capability information of the capability relay file 12-5. If the access rule is satisfied, access to the resource is allowed. If the access rule is not satisfied, the access to the resource is blocked and the log server 20 is notified of the log information. It is an integral part of the UNIX operating system it runs. This determination is made by the access rule checking means 12-2.

In addition, the access rule inspecting means 12-2 transmits information about an abnormal access attempt that does not satisfy the access rule to the log processing means 12-7 to transmit it to the log server 20. At this time, in order to more quickly grasp the state of the host, the log processing means 12-7 of the kernel 12 sends the abnormal access information to the alarm transmission means 16, so that the alarm transmission means 16 email ( e-mail) to notify the administrator server (30). Information related to the sending of the e-mail is recorded in the alarm related information file 16-1.

An example of the configuration of the alarm related information file 16-1 is shown in Table 1 below.

MAIL_SWITCH = 1 # MAIL_REPLAY = hex IP: portMAIL_RELAY = 210.73.88.149: 25 # MAIL_SOURCE = source machine: MAIL_SOURCE = pandora.domain_name.com

That is, if the MAIL_SWITCH value is set to 1, the contents of the security alert are sent by e-mail to the address according to the setting contents. In the above example, the address and port number of the server to which mail will be delivered are 210.73.88.149 and 25, respectively. MAIL_SORUECE specifies the information used to identify the host.

In this case, the function of the kernel 12 described above is preferably configured to be implemented at the source code level.

The interface means with the manager server is a component for the interface between the Linux operating system 11 of the host 10-1 and the manager server 30, and is composed of a command line interface (CLI) and a web graphical user interface (Web GUI). It is desirable to lose. At this time, the command line interface is provided by the CLI processing means 14-1, and the web graphic user interface is provided by the Web GUI processing means 14-2.

Here, the command line interface (CLI) refers to a function for allowing an administrator to set and confirm a desired access control rule in a terminal. In addition, for the Web GUI, the host 10-1 and the log server 20 are a web server, a CGI (Common Gateway Interface) for processing the contents of setting access rules or log server search contents input by a user. I have programs. Through the interface means 14-1 and 14-2, the administrator server 30 can set an access rule at each host 10-1 to 10-3, and the access rule is an access rule update means 13. Is passed to the kernel 12).

On the other hand, the most important point of the present invention is an access rule for determining whether to allow resource access to each process, this access rule will be described in detail.

An access rule can be divided into an access rule to be given to the kernel itself and an access rule to an individual process. The access rules granted to the kernel itself are marked as capabilities and recorded in the capability file 12-6, and the access rules granted to individual processes are stored in the Access Control List (ACL) file (12-). It is desirable to manage through 4).

Here, "capability" starts from "POSIX draft 1003.1e" and is basically for dividing the authority of the super user. An example of the capacities available in the Linux operating system is shown in FIG. 6. As described below, this capability is used as an access rule applied throughout the kernel, and also as an object in the access rule for an individual process.

As a capability registration in the capability file, it is possible to limit the privileges granted to superusers throughout the kernel.

For example, if you remove the CAP_SYS_ADMIN capability from the capabilities file, super users will not be able to use the CAP_SYS_ADMIN capability. This means that even the superuser will not be able to change the system's domain name or host name. As another example, if the CAP_NET_BIND_SERVICE capability is removed, super users will not be able to run network daemons that use ports below 1024.

In addition to the access rules granted throughout the kernel, access rules may be set for each process. As described above, the access rules of individual processes are stored and managed in an access control list (ACL) file 12-4.

7 is a configuration example of a category of an access control list (ACL) file, and the access control list file 12-4 includes each process name, an object that each process is to access, and an access to the object. It is preferable to configure to include information about the Access Type.

Here, the object is a file / directory or a capability. In addition, as shown in Table 2 below, the access type can be one of read / write prohibited, READ, APPEND, and WRITE for a file / directory. For the capability, one may be one of inheritance (INHERIT) and disinheritance (NO_INHERIT).

Object type Access type Contents file / directory DENY No read or edit READ Do not modify APPEND Add only, do not delete or modify previous contents WRITE Can also write capability INHERIT This capability is also granted to processes that are run by the subject process. NO_INHERIT This capability is not granted to processes executed by the subject process.

The contents of Table 2 will be described in detail.

DENY: An access type applied when an object is a file or directory, so that no one can read or modify the object. Applicable to important system files and the like, a setting example using the CLI processing means 14-1 is as follows. Herein, it is assumed that #pandoradm means a driving command of the CLI processing unit 14-1.

#pandoradm -A -o / etc / shadow -j DENY

The CLI processing means 14-1 can be preferably implemented by enabling the setting of options such as the example shown in Table 3 below.

-A: Notifies the access control rule is added -s: Notifies the subject is continued -o: Notifies the object is continued -j: Notifies the access type is continued

READ: An access type applied when an object is a file or a directory. Nobody can modify the object. It can be used to prevent important system executable files from being modified by Trojan horses. An example of setting using the CLI processing means 14-1 is as follows.

#pandoradm -A -o / sbin / -j READ

WRITE: An access type that is applied when an object is a file or a directory, so that the object can be modified. Access to objects whose access rules are not specified in the access control list (ACL) follows the existing identity-based access control (DAC) access control. Therefore, it is not necessary to allow the WRITE access type for objects for which DENY, READ, and APPEND are not set in advance. WRITE is for enabling WRITE on a specific subject, that is, an object whose process is set to DENY, READ, and APPNED. This is mainly used for objects accessed by a particular application process for execution. An example of setting using the CLI processing means 14-1 is as follows.

#pandoradm -A -o / var / log / wtmp -j DENY

APPEND: An access type applied when an object is a file or directory, so that no one can add to the object. Writing is done frequently, but will be available if the content needs to be preserved. Log files are an important application. An example of setting using the CLI processing means 14-1 is as follows.

#pandoradm -A -o / var / log / messages -j APPEND

INHERIT / NO_INHERIT: Access type that can be used when an object is a capability.Set whether or not the capability granted to the subject is inherited to the program executed by the subject. do. If a process executes another process for execution, and the executed process also needs its capabilities, it is set to INHERIT, otherwise it is set to NO_INHERIT. In consideration of safety, it is preferable to set to NO_INHERIT when capability inheritance is not required.

8 shows an example of the structure of an access control list (ACL) file.

Here, the meaning of the capacities granted to each process will be described in more detail.

There are many cases where certain capabilities are required for a process to run. For example, to run the web server, TCP port 80 must be used, so the CAP_NET_BIND_SERVICE capability is required.

By the way, since the super user has the CAP_NET_BIND_SERVICE capability, only the super user could run the web server on port 80. However, the CAP_NET_BIND_SERVICE capability is not limited to port 80 used by the web server, but is a capability that enables binding of all ports below 1024. Therefore, a hacker who hacked a super user account could run other dangerous daemon programs.

As a workaround, if you individually assign CAP_NET_BIND_SERVICE capability to the http daemon process, even if a hacker gains superuser privileges, what you can do with the CAP_NET_BIND_SERVICE capability is limited to running a web server. In other words, by granting only the capabilities necessary for running the processes for each process, it is possible to limit the authority that a hacker can have at the time of hacking to a minimum.

FIG. 9 is a flowchart of an embodiment of a process of reflecting an access rule, and how the Linux operating system 11 reflects the set access rule will be described in more detail with reference to the flowchart.

When the host 10-1 is booted (S510), the Linux operating system 11 loads and uses the contents of the access control list file 12-4 into the memory 12-3 (S511). In addition, when the access rule for an individual process is changed through the manager server 30, the change is stored in the access control list file 12-4 (S512), and the access control list in the memory area 12-3. It is reflected in the information (S513).

If the capability change of the kernel itself through the manager server 30 is made, the capability file 12-6 is changed (S514), and the change of this file changes the contents of the capability file 12-6. It is retained as it is, but is reflected in the capability relay file (eg, / proc / sys / pandora / locks) that performs a function of distinguishing when the contents are transferred to the kernel 12 and when the contents are changed (S515).

That is, the change of access rules for individual external processes and the capability of the kernel itself are made in the access control list file 12-4 and the capability file 12-6, respectively. The reflection is made through the memory area 12-3 and the capability relay file 12-5, respectively.

In addition, the kernel 12 once allocates a predetermined default capability to the newly created process after the booting is finished. Of course, the basically assigned capabilities may be changed by the manager server 30.

The basic capability granted at process creation is basically the capability provided by access control based on the identity-based access control (DAC) of the general Unix operating system, and basically allowed by the Unix operating system according to the present invention. It means the common ones of the capabilities.

For example, the CAP_NET_BIND_SERVICE capability is a capability that enables a service by opening a TCP / UDP port of 1024 or less. This capability is only available to superusers on ordinary Unixes. If the Linux operating system restricts this capability by default, super users will not be able to bind to ports below 1024. However, even if the Linux operating system allows the default setting for this capability, ordinary users cannot bind to ports below 1024. This is because the access control list (ACL) information defines whether or not the process's file or capability is allowed.

On the other hand, the Linux operating system according to the present invention can be implemented more preferably by providing a security function of the process itself, the preferred embodiment provides three functions of creating an Un-Killable process, hiding a process, restriction of kernel module insertion .

First, the ability to create an Un-Killable process is designed to disable the execution of important processes. Even if a hacker obtains the super user's authority, it prevents the critical process from being interrupted and prevents a service interruption.

Referring to FIG. 10, the kernel 12 performs a kill attempt for a specific process (S611), and checks the capability of the process (S612) to enable killing. Only if it is set (S613) to kill the process (S614). Otherwise, block kill attempts.

The process hiding feature prevents a particular process from running even if you run the ps command. It is also used to hide the operation of a specific process, such as an intrusion detection system, and can be used to prevent hackers from killing a process by not knowing the process ID.

Referring to FIG. 11 to specifically describe the process hiding function, if there is a ps request for a particular process (S621), the process checks the capability of this process (S622), if not set to hide Only (S623), the process is displayed (S624). Otherwise it does not display.

In addition, kernel modularization is widely used for the effective operation of various and complicated kernel functions. There is a possibility that malicious code is hidden in this module. Kernel module insertion restriction refers to the function that prevents the module from being inserted into the kernel.

To describe the kernel module insertion restriction function in detail with reference to FIG. 12, if the kernel 12 attempts to insert a kernel of a specific module (S631), the capability of the process is checked (S632), so that the module can be inserted. If it is (S633), the process can be inserted into the kernel (S634). Otherwise, block the module insertion attempt.

In addition, the Linux operating system provides a network security function can be more preferably implemented. In the embodiment shown in Fig. 5, this function is performed by the network security processing means 15. The setting for the security function is set via the interface means 14-1 and 14-2. The network security processing means 15 provides a firewall function and a port scanning function as a preferred embodiment as a network security function.

The firewall function is a function of inspecting data packets transmitted and received from the host 10-1 and passing them only if the packet is allowed to pass.

This function blocks network service requests from unauthorized places and prevents hackers. That is, it can be said that the system determines whether the packet passes using the header information of the packet coming and going on the connection between the protected network and the Internet. In this case, the use of the header information of the packet means that the following information is extracted from the packet header to determine whether the packet passes.

Source address of the packet

Source port of the packet

Destination address of the packet

Destination port of the packet

Referring to FIG. 13, a preferred embodiment of the firewall function will be described in detail. When there are data packets to be transmitted and received (S711), the network security processing unit 15 first checks whether the corresponding data packet is a normal data packet ( S712). This check includes a checksum test and a sanity test.

If the result of the check in step S712 is not a normal data packet (S713), it is ignored (S717). If it is a normal data packet, it is determined whether a predetermined pass rule is satisfied (S714). When the pass rule is satisfied (S715), the data packet is passed through the next path (S716). Otherwise, log information about the pass is recorded (S718).

The passing rule in step S714 means processing rules according to the contents of the data packet header, and is set by the manager server 30 via the interface means 14-1 and 14-2. For example, if the default policy is set to block all packets, and you want to allow only telnet services, you can set the firewall access control rules to pass only packets with a destination port of 23. If you remove the CAP_NET_ADMIN capability from superuser privileges, you will not be able to modify this firewall access control rule even if the hacker hacks the superuser privileges.

In addition, network security can be improved by using the capability (capability). In other words, network security can be enhanced by removing the following capabilities or by assigning only those processes that are necessary.

CAP_NET_ADMIN: This is the capability to manage the firewall, modify the routing table, and set the promiscuous mode of the network interface card (NIC). Thus, removing this capability prevents hackers from changing firewall access control rules, arbitrarily modifying routing tables, and running sniffer programs.

CAP_NET_BIND_SERVER: This is a capability that enables port bindings below 1024 for TCP / UDP sockets. Removing this capability can prevent hackers from running services below port number 1024 for malicious purposes.

The main purpose of this firewall function is to control packets coming to the host equipped with the Linux operating system according to the present invention.

The port scanning function means a function of creating a list and notifying the log server 20 when a connection attempt to an unopened port made in a corresponding host for a predetermined time exceeds a predetermined number. In other words, if a port scanning tool, which is widely used as a means for hacking, is applied to a Unix system, it detects and notifies this fact.

Port scanning is usually done by connecting to a large number of ports in a short time. With this in mind, the Unix operating system detects in a short time based on the value of a connection attempt to an open port on a particular host. Just keeping the list will prevent the problem of poor performance. In addition, it is preferable to limit the value of the list maintained as a countermeasure against the Denial of Service (DoS) and to delete the list once every predetermined time (for example, 3 seconds) as a countermeasure.

Referring to FIG. 14, the port scanning function will be described in detail. First, the manager server 30 sets the inspection time and the access attempt frequency through the interface means 14-1 and 14-2 (S721). This information is recorded and referenced in a file that stores network security related information. The network security processing means 15 checks whether there is a connection attempt to a port to which access is not permitted (S722), and if there is such a connection attempt, if a predetermined number of access attempts are made for a prescribed time. In S723, a list is created and notified to the log server 20 (S724).

Now, the log server 20 will be described in more detail.

First, the log server is responsible for storing the logs from each host (10-1 to 10-3) in the database. Proper distribution is done so that data does not exceed the capacity of the disk, and the database is managed to facilitate data backup. At this time, it is preferable to use a DBMS.

In more detail with reference to FIG. 15, the log server initialization unit 22-2 reads a list of received IP addresses and a drop log pattern list from the configuration file 22-1, and then selects a predetermined port (for example, UDP). Open port 514) and wait for reception of log messages sent from each of the hosts 10-1 to 10-3.

When the log receiving means 22-3 receives the log message, it checks whether the IP address of the host that sent the log message is in the list of allowable IP addresses. If it is in the reception allowable IP address list, it is accepted and the log message is sent to the log filter means 22-4. However, if it is not in the list of allowed IP addresses, the message is dropped.

The log filter means 22-4 checks whether an item of the Drop log pattern list exists in the log message received from the log receiving means 22-3, and drops the message if an item of the Drop log pattern list exists. If it does not exist, the log message is sent to the log storage means 22-5.

The log storage means 22-5 stores the log message in the log table 22-6 of the DBMS. At this time, the log message is stored as many as the maximum number of rows specified in the configuration file, and when more logs are entered, the log message is stored again from the beginning. For example, a total of six log tables can be configured, and it is preferable to change the log table 22-6 every certain period (for example, one month). DBMS tables used in this process include log tables and system tables. The log table is for storing log messages, and the system table can be used for storing global variables related to log storage.

In addition, the log server 20 provides a search function that allows the administrator to search the log according to a desired condition. More preferably, a search function is provided by adding AND, OR and NOT conditions to the system or date of occurrence of the log.

The log server 20 provides a web-based graphical user interface (GUI) through the Web GUI means 21 with the manager server 30 to facilitate the administrator's log search. To this end, the log server 20 uses a CGI program for HTML generation and database search. In this case, the CGI program searches for a log based on a search condition input by an administrator. When a search result is generated as an HTML file, the log server 20 provides the contents to the administrator through a web server.

An embodiment of a GUI configuration for a log server will be described with reference to FIG. 16. The GUI menu 23-1 can be broadly divided into one for viewing the entire log and one for searching the log. When the administrator selects to search the entire log, the log full list window 23-2 appears to view the entire list. In this case, for ease of searching, a button for moving the previous list and the following list is provided.

In addition, if the administrator selects a log search by condition, the log search option window 23-3 appears to allow the user to enter a search option (eg, AND, OR, Not) and a search statement. When instructed to perform a search, a log record matching the condition is searched and provided.

As described above, the method of correctly using the present invention depends on how well the capability and access control list (ACL) are utilized. That is, since all application programs operated in the Unix system according to the present invention operate with the capability and the access control list (ACL) set, wrong setting may cause a fatal error in the operation of the application program. Incorrect access control lists (ACLs) for system files can cause fatal errors in the operating system itself.

If this error can occur and allows both capability and access control lists (ACLs), then this makes no sense to use a secure operating system. It is therefore advisable for managers to have the following concerns with constant attention:

Minimize the capacity across the kernel.

-Set access control rules for system configuration file and log file.

Seal the kernel to prevent the addition of kernel modules, and give the CAP_SYS_ MODULE capability only to those processes that need it.

Set Un-Killable and Hide Processes on critical processes.

-It finds the capability required to run the process to use and assigns only that process.

Set access control rules so that only this process can access files accessed by the process you want to use.

-Set up firewall function for unnecessary services.

-Enable instant e-mail notification of suspected intrusions.

-Check the log contents from time to time.

Using the present invention, an access control function can be enhanced and an operating system specialized for the purpose of the system can be configured. That is, it is possible to set up a security environment for each purpose, such as dedicated web server or dedicated file server.

In particular, by using the configuration settings of Unix systems for each system purpose and the know-how acquired during the formalization process, it is possible to operate the system more safely and conveniently.

Claims (27)

It is possible to set an access rule to a system resource for each process, and when the process tries to access a specific resource, it is determined whether the access rule is satisfied, and if the access rule is satisfied, the resource If the access rule is allowed, but the access rule is not satisfied, the Linux operating system (LINUX OS: Operating System) is configured to block access to the resource and notify the log server of the log information. One or more hosts; A log server for storing log information transmitted from each host in association with each host, and retrieving the stored log information according to a predetermined rule from an administrator server interworking with the host; And And an administrator server for setting the access rule in association with each host and retrieving the log information in association with the log server. The system of claim 1, wherein the Linux operating system mounted on the host comprises: Manage the access rules through a capability file that records the capabilities granted to the kernel itself, and an Access Control List (ACL) file that records the access rules granted to each process. Linux system, characterized in that configured. The method of claim 2 wherein the Linux operating system, The contents of the access control list file are loaded into a memory at the time of booting, but if the contents of the access control list file are changed after booting, they are reflected in the memory and used. The contents of the capability file are configured to read the contents of the capability file, but to read them from the capability relay file that performs a function of distinguishing when the contents are changed and the contents are changed. Linux system featured. The method of claim 3 wherein the Linux operating system, When the process tries to access a specific resource, it is determined whether the access rule is satisfied through the access control list information loaded in the memory or the information in the capability relay file, and when the access rule is satisfied, A kernel that allows access, but does not satisfy the access rule, blocks access to the resource and informs a log server of log information about the resource; Interface means with the manager server; And And access rule updating means for allowing the administrator server to change the access control list file or the capability file through the interface means. The method of claim 4, wherein the kernel, Linux system, characterized in that the newly created process is configured to assign a predetermined default capability once. The method of claim 4, wherein The function of the kernel is configured to be implemented at the source code level of the kernel. The method of claim 4, wherein Said interface means being configured to comprise at least one of a command line interface (CLI) and a web graphical user interface (Web GUI). The method of claim 2, wherein the access control list file, Each process name; An object to be accessed by each process; And Linux system, characterized in that configured to include information about the access type (Access Type) for the object. The method of claim 8, The object is a file / directory or capability, The access type is one of read / write prohibited, read only, append only, and writable for the file / directory, and INHERIT for the capability. Linux system, characterized in that it is configured to be one of and NO_INHERIT. The method of claim 4 wherein the Linux operating system, And receiving alarm information from the kernel that does not satisfy the access rule, and sending the log information to the administrator server through an e-mail. The method of claim 2 wherein the Linux operating system, If the capability of a particular process is a capability indicating un-killable, disregarding an attempt to abort the process; When the capability of a specific process is a capability indicating hiding, a function not indicating a corresponding process while performing a display function of a process list; And If the capability of a particular process is a capability that implies a module insertion restriction, the Linux system is configured to include one or more of the functions of ignoring when attempting to insert a module into the kernel. The method of claim 1 wherein the Linux operating system, And a network security processing means for inspecting the data packet transmitted and received from the host and performing the function of passing the packet only when the packet is allowed to pass. The method of claim 12, wherein the network security processing means, Receive a rule for passing the data packet through the command line interface (CLI) or Web graphical user interface (Web GUI) from the administrator server, the rule is configured to record and manage in a separate file Linux system. The method of claim 1 wherein the Linux operating system, In the case that the attempt to connect to the open port in the host for a predetermined time exceeds the prescribed number of times, Linux is configured to include the function of creating the list and transmitting it to the log server. system. The method of claim 1, The log server is a Linux system, characterized in that configured to interwork with the management server through a Web graphical user interface (Web GUI). The method of claim 15, wherein the log server, Linux system, characterized in that it comprises a function that allows you to search by using one or more of the search options of AND, NOT, OR in searching the log information that is stored. In how to run a Linux system, A first procedure for setting access rules for each process; A second procedure for examining whether there is a process trying to access a system resource; A third procedure for determining whether access to the resource is allowed to the process by referring to the access rule when there is a process to access the resource as a result of the investigation; A fourth procedure for allowing the process to access the resource if access is granted as a result of the determination in the third procedure; And And a fifth step of stopping the operation of the process and recording log information thereof when access is not granted as a result of the determination in the third step. The method of claim 17, The access rule set in the first procedure may include a capability file that records the capability granted to the kernel itself, and an access control list that records the access rules granted to each process. List) A method of operating a Linux system, characterized in that it is configured to set in a file. 19. The method of claim 18, wherein the access rule is configured to be set from another computer system (administrator server). 20. The method of claim 19, wherein the interface with the manager server is configured to be via a command line interface (CLI) or a web traffic user interface (Web GUI). The method of claim 18, wherein the third procedure, Determining whether the process of accessing system resources in the second procedure is a process of the kernel itself or an individual process; Determining that the access rule recorded in the capability relay file is satisfied in the case of a process of the kernel itself; And And in the case of the individual process, determining whether the access rule defined in the access control list information loaded in the memory is satisfied. The method of claim 18, wherein the access control list file, Each process name; An object to be accessed by each process; And Operating method of a Linux system, characterized in that configured to include access type (Access Type) information for the object. The method of claim 22, The object is a file / directory or capability, The access type is one of read / write prohibited, read only, append only, and writable for the file / directory, and INHERIT for the capability. Operating system, characterized in that it is configured to be one of and NO_INHERIT. The method of claim 17, wherein And an additional step of transmitting log information that does not satisfy the access rule to an administrator server through an e-mail. 18. The method of claim 17, wherein the operating method of the Unix system further comprises a network security procedure. Setting a passing rule of the data packet; Examining whether there is a data packet being transmitted or received; Determining whether to pass the data packet transmitted or received with reference to the set rule as a result of the investigation; And If it is determined that the pass is allowed, pass the corresponding data packet in the direction; otherwise, drop the data packet. 26. The method of claim 25, wherein a rule for passing the data packet is configured through an administrator server, wherein the interface with the administrator server is configured through a command line interface (CLI) or a web graphical user interface (Web GUI). Features of operating a Linux system. The method of claim 25, wherein the network security procedure, Examining whether there is a connection attempt to a port that is not open; Determining whether the connection attempt exceeds a predetermined number of times for a predetermined time when there is a connection attempt as a result of the investigation; And And as a result of the determination, if the number of times is exceeded, notifying the prescribed log server.