
CN107918550A - Method for auditing the historical use of USB devices in a Linux system - Google Patents

Info

Publication number
CN107918550A
Authority
CN
China
Prior art keywords
udev
usb
auditing
linux system
rules
Prior art date
Legal status
Granted
Application number
CN201610878205.9A
Other languages
Chinese (zh)
Other versions
CN107918550B (en)
Inventor
曹健
何曌君
李文辉
申利飞
万淑珍
Current Assignee
China Standard Software Co Ltd
Original Assignee
China Standard Software Co Ltd
Priority date
2016-10-08
Filing date
2016-10-08
Publication date
2018-04-17
Events
Application filed by China Standard Software Co Ltd
Priority to CN201610878205.9A
Publication of CN107918550A
Application granted
Publication of CN107918550B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G06F9/4451 User profiles; Roaming

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to a method for auditing the historical use of USB devices in a Linux system, comprising the following steps. S1: write udev rules; by defining udev rules, udev generates a device file for devices whose attributes match. S2: udev loads the written udev rules. S3: udev receives kernel events and matches them against the corresponding udev rules. S4: udev executes the udev rules, matches the USB event, determines from the event action whether the USB event is an insertion event or a removal event, and obtains the relevant information about the device. S5: field processing is performed on the obtained device information. S6: the obtained information is recorded in a local log together with the time at which the USB event occurred. The method provided by the invention can audit the insertion and removal events of all USB devices in a Linux system, including USB storage devices, USB printers and USB scanners.

Description

Method for auditing the historical use of USB devices in a Linux system
Technical field
The present invention relates to the technical field of computer auditing, and in particular to a method for auditing the historical use of USB devices in a Linux system.
Background technology
At present, a Linux system has no built-in audit function for the insertion and removal events of USB devices. An ordinary user therefore cannot learn which USB devices have been connected to the current system, and a user who wants to check the historical use of USB devices has no way to do so.
Summary of the invention
To remedy the deficiencies of the prior art, so that a user of a Linux system can also easily learn the historical use of USB devices, the present invention provides a method for auditing the historical use of USB devices in a Linux system, comprising the following steps:
S1: write udev rules; by defining udev rules, udev generates a device file for devices whose attributes match;
S2: udev loads the written udev rules;
S3: udev receives kernel events and matches them against the corresponding udev rules;
S4: udev executes the udev rules, matches the USB event, determines from the event action whether the USB event is an insertion event or a removal event, and obtains the relevant information about the device;
S5: field processing is performed on the obtained device information;
S6: the obtained information is recorded in a local log together with the time at which the USB event occurred.
In step S1, the device attributes include the kernel device name, bus path, vendor name, model number, serial number and disk size.
In step S1, the generated file is placed in the /etc/udev/rules.d/ directory.
In step S2, the udev rules can be loaded with the command udevadm control --reload, or by restarting the udev service.
In step S4, the relevant information obtained about the device includes the device product ID, vendor ID, device serial number, device vendor and device interface.
Step S5 further includes determining the USB device type from the interface.
When determining the USB device type, a storage-class device corresponds to 0x08 and a hub corresponds to 0x09.
The method for auditing the historical use of USB devices in a Linux system provided by the invention can audit the insertion and removal events of all USB devices in a Linux system, including USB storage devices, USB printers and USB scanners.
Brief description of the drawings
Fig. 1 is the operational flowchart of the method for auditing the historical use of USB devices in a Linux system according to the present invention.
Embodiments
To give a further understanding of the technical solution and its beneficial effects, the technical solution of the invention and the beneficial effects it produces are described in detail below with reference to the drawing.
Fig. 1 is the operational flowchart of the method for auditing the historical use of USB devices in a Linux system according to the present invention. As shown in the figure, the method provided by the invention comprises the following steps:
S1: write udev rules; by defining udev rules, udev generates a device file for devices whose attributes match;
S2: udev loads the written udev rules;
S3: udev receives kernel events and matches them against the corresponding udev rules;
S4: udev executes the udev rules, matches the USB event, determines from the event action whether the USB event is an insertion event or a removal event, and obtains the relevant information about the device;
S5: field processing is performed on the obtained device information;
S6: the obtained information is recorded in a local log together with the time at which the USB event occurred.
Preferably, in step S1, the device attributes include the kernel device name, bus path, vendor name, model number, serial number and disk size.
Preferably, in step S1, the generated file is placed in the /etc/udev/rules.d/ directory.
Preferably, in step S2, the udev rules are loaded with the command udevadm control --reload, or by restarting the udev service.
Preferably, in step S4, the relevant information obtained about the device includes the device product ID, vendor ID, device serial number, device vendor and device interface.
Preferably, step S5 further includes determining the USB device type from the interface.
Preferably, when determining the USB device type, a storage-class device corresponds to 0x08 and a hub corresponds to 0x09.
In the present invention, "udev" refers to the device manager of Linux systems with kernel version 2.6 and above.
In the present invention, "udevadm" refers to the management tool supplied with udev, and "Interface" refers to the USB interface descriptor.
For the method provided by the invention, the inventors give the following two specific embodiments.
Embodiment 1
In a Linux desktop operating system, a USB flash disk is inserted and then removed, and the system keeps no detailed record of this. In this embodiment the USB device is audited with the following concrete steps:
(1) Write the udev rules. Their match keys are tested with operators: when the bus of the event is usb and the environment variable DEVTYPE is usb_device, the shell script that processes the USB device information is specified in RUN+=. The environment variables {ID_VENDOR_ID}, {ID_MODEL_ID}, {ID_VENDOR}, {ID_SERIAL_SHORT}, {ID_MODEL}, {ID_USB_INTERFACES}, {ID_VENDOR_FROM_DATABASE} and {ID_MODEL_FROM_DATABASE} from the udev information are passed to it as parameters.
The rules are as follows:
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/bin/usb_log add VID=%E{ID_VENDOR_ID} PID=%E{ID_MODEL_ID} '%E{ID_VENDOR}' '%E{ID_SERIAL_SHORT}' '%E{ID_MODEL}' interface=%E{ID_USB_INTERFACES} '%E{ID_VENDOR_FROM_DATABASE}' '%E{ID_MODEL_FROM_DATABASE}'"
ACTION=="remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/bin/usb_log remove VID=%E{ID_VENDOR_ID} PID=%E{ID_MODEL_ID} '%E{ID_VENDOR}' '%E{ID_SERIAL_SHORT}' '%E{ID_MODEL}' interface=%E{ID_USB_INTERFACES} '%E{ID_VENDOR_FROM_DATABASE}' '%E{ID_MODEL_FROM_DATABASE}'"
(2) Write the script /usr/bin/usb_log. The script processes the incoming parameters, determines the device type, and records the information locally.
(3) Restart the system, or run the command udevadm control --reload in a terminal, to load the rules.
(4) Insert the USB flash disk and check the local log: it contains a record of the flash disk's insertion, with the time, event type, VID, PID, device vendor, device serial number, device name and device type.
(5) Remove the USB flash disk and check the local log: it contains a record of the flash disk's removal, with the same content as in step (4).
Embodiment 2
In a Linux desktop operating system, a USB printer is inserted and then removed, and the system keeps no detailed record of this. In this embodiment the USB device is audited with the following concrete steps:
(1) Write the udev rules. Their match keys are tested with operators: when the bus of the event is usb and the environment variable DEVTYPE is usb_device, the shell script that processes the USB device information is specified in RUN+=. The environment variables {ID_VENDOR_ID}, {ID_MODEL_ID}, {ID_VENDOR}, {ID_SERIAL_SHORT}, {ID_MODEL}, {ID_USB_INTERFACES}, {ID_VENDOR_FROM_DATABASE} and {ID_MODEL_FROM_DATABASE} from the udev information are passed to it as parameters.
The rules are as follows:
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/bin/usb_log add VID=%E{ID_VENDOR_ID} PID=%E{ID_MODEL_ID} '%E{ID_VENDOR}' '%E{ID_SERIAL_SHORT}' '%E{ID_MODEL}' interface=%E{ID_USB_INTERFACES} '%E{ID_VENDOR_FROM_DATABASE}' '%E{ID_MODEL_FROM_DATABASE}'"
ACTION=="remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/bin/usb_log remove VID=%E{ID_VENDOR_ID} PID=%E{ID_MODEL_ID} '%E{ID_VENDOR}' '%E{ID_SERIAL_SHORT}' '%E{ID_MODEL}' interface=%E{ID_USB_INTERFACES} '%E{ID_VENDOR_FROM_DATABASE}' '%E{ID_MODEL_FROM_DATABASE}'"
(2) Write the script /usr/bin/usb_log. The script processes the incoming parameters, determines the device type, and records the information locally.
(3) Restart the system, or run the command udevadm control --reload in a terminal, to load the rules.
(4) Insert the USB printer and check the local log: it contains a record of the printer's insertion, with the time, event type, VID, PID, device vendor, device serial number, device name and device type.
(5) Remove the USB printer and check the local log: it contains a record of the printer's removal, with the same content as in step (4).
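The page gives the udev rules for step (1) of both embodiments but not the body of the /usr/bin/usb_log script that step (2) and step S5 describe. The following POSIX shell script is an added example written for this page, not the patent's own code, of such a handler: it accepts the nine arguments in the order the rules pass them, maps the udev action to the insertion/removal event types of the description, classifies the device from the class code of the first interface in ID_USB_INTERFACES (0x08 storage and 0x09 hub as stated on the page; 0x07 is the standard USB printer class and is an addition here), prefers the hardware-database names when udev supplied them, and appends a timestamped record to a log. The log path USB_LOG_FILE, the sanitize step and the sample vendor, serial and ID values are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the patent's own script): a handler in the shape of the
# /usr/bin/usb_log program that the udev rules on this page invoke as
#   usb_log add|remove VID=<hex> PID=<hex> '<vendor>' '<serial>' '<model>' \
#           interface=<ID_USB_INTERFACES> '<vendor_db>' '<model_db>'
# Assumption: the log path comes from USB_LOG_FILE, defaulting to ./usb_audit.log
# so the script can be exercised without root; a deployment would use a root-owned path.

USB_LOG_FILE="${USB_LOG_FILE:-./usb_audit.log}"

# Device-supplied strings (vendor, model, serial) are untrusted input to the audit
# log: replace anything non-printable so one device cannot forge extra log lines.
sanitize() {
    printf '%s' "$1" | tr -c '[:print:]' '[_*]'
}

# ID_USB_INTERFACES looks like ":080650:" (one ":CCSSPP" group per interface:
# class, subclass, protocol). Classify by the class code of the first interface.
usb_device_type() {
    cls=$(printf '%s' "${1#:}" | cut -c1-2 | tr 'A-F' 'a-f')
    case "$cls" in
        "") echo "unknown" ;;     # no interface data in the event
        08) echo "storage" ;;     # mass-storage class, 0x08 as stated on the page
        09) echo "hub" ;;         # hub class, 0x09 as stated on the page
        07) echo "printer" ;;     # standard USB printer class (added here; not on the page)
        *)  echo "other:$cls" ;;
    esac
}

# Map the udev ACTION to the insertion/removal vocabulary the description uses.
usb_event_type() {
    case "$1" in
        add)    echo "insert" ;;
        remove) echo "extract" ;;
        *)      echo "unknown:$1" ;;
    esac
}

# Build one log record from the nine arguments the rule passes. The timestamp is
# added separately so this part can be checked deterministically.
usb_log_format() {
    action="$1"
    vid="${2#VID=}"
    pid="${3#PID=}"
    vendor=$(sanitize "$4")
    serial=$(sanitize "$5")
    model=$(sanitize "$6")
    ifaces="${7#interface=}"
    vendor_db=$(sanitize "$8")
    model_db=$(sanitize "$9")
    # Prefer the hardware-database names when udev supplied them; the device's
    # own descriptor strings are the fallback.
    if [ -n "$vendor_db" ]; then vendor="$vendor_db"; fi
    if [ -n "$model_db" ]; then model="$model_db"; fi
    printf 'event=%s vid=%s pid=%s vendor="%s" serial="%s" name="%s" type=%s\n' \
        "$(usb_event_type "$action")" "$vid" "$pid" "$vendor" "$serial" "$model" \
        "$(usb_device_type "$ifaces")"
}

# Append a timestamped record; this is what the RUN+= invocation exercises.
usb_log_append() {
    ts=$(date '+%Y-%m-%d %H:%M:%S')
    printf '%s %s\n' "$ts" "$(usb_log_format "$@")" >> "$USB_LOG_FILE"
}

# Stand-alone demo with constructed values (not a real device capture):
#   sh usb_log --demo
if [ "${1:-}" = "--demo" ]; then
    usb_log_append add VID=1234 PID=5678 'ExampleVendor' 'SN-EXAMPLE-001' 'ExampleDisk' \
        'interface=:080650:' 'Example Vendor Inc' 'Example Disk 2.0'
    usb_log_append remove VID=1234 PID=5678 'ExampleVendor' 'SN-EXAMPLE-001' 'ExampleDisk' \
        'interface=:080650:' 'Example Vendor Inc' 'Example Disk 2.0'
    cat "$USB_LOG_FILE"
fi
```

Two design points follow from how udev runs RUN+= programs. They execute as root and are expected to finish quickly, so the handler only formats and appends; anything slower (uploading, lookups) belongs in a separate consumer of the log file. And because the log is the audit trail, the directory it lives in should be writable only by root, so that an ordinary user cannot remove the record of a device they plugged in.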
The beneficial effects of the present invention are as follows. By auditing the insertion and removal events of all USB devices in a Linux system together with the corresponding device information, the invention matches the relevant USB events through udev rules, obtains and distinguishes the USB event type and the device type (such as a storage device), and records information such as the insertion or removal time, device PID, VID, device vendor, device name and device serial number in a local log, so that a user can learn the history of USB devices connected to the current system by checking the log. The method consumes almost no system resources and is safe and reliable.
Although the invention has been described using the above preferred embodiments, they do not limit its scope of protection; any changes and modifications made to the above embodiments by a person skilled in the art without departing from the spirit and scope of the invention still belong to the scope protected by the invention, and the scope of protection of the invention is therefore defined by the claims.

Claims (7)

  1. A method for auditing the historical use of USB devices in a Linux system, characterised in that it comprises the following steps:
    S1: write udev rules; by defining udev rules, udev generates a device file for devices whose attributes match;
    S2: udev loads the written udev rules;
    S3: udev receives kernel events and matches them against the corresponding udev rules;
    S4: udev executes the udev rules, matches the USB event, determines from the event action whether the USB event is an insertion event or a removal event, and obtains the relevant information about the device;
    S5: field processing is performed on the obtained device information;
    S6: the obtained information is recorded in a local log together with the time at which the USB event occurred.
  2. The method for auditing the historical use of USB devices in a Linux system according to claim 1, characterised in that: in step S1, the device attributes include the kernel device name, bus path, vendor name, model number, serial number and disk size.
  3. The method for auditing the historical use of USB devices in a Linux system according to claim 2, characterised in that: in step S1, the generated file is placed in the /etc/udev/rules.d/ directory.
  4. The method for auditing the historical use of USB devices in a Linux system according to claim 1, characterised in that: in step S2, the udev rules are loaded with the command udevadm control --reload, or by restarting the udev service.
  5. The method for auditing the historical use of USB devices in a Linux system according to claim 1, characterised in that: in step S4, the relevant information obtained about the device includes the device product ID, vendor ID, device serial number, device vendor and device interface.
  6. The method for auditing the historical use of USB devices in a Linux system according to claim 5, characterised in that: step S5 further includes determining the USB device type from the interface.
  7. The method for auditing the historical use of USB devices in a Linux system according to claim 6, characterised in that: when determining the USB device type, a storage-class device corresponds to 0x08 and a hub corresponds to 0x09.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610878205.9A CN107918550B (en) 2016-10-08 2016-10-08 Method for auditing historical use condition of USB (universal serial bus) equipment in Linux system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610878205.9A CN107918550B (en) 2016-10-08 2016-10-08 Method for auditing historical use condition of USB (universal serial bus) equipment in Linux system

Publications (2)

Publication Number Publication Date
CN107918550A true CN107918550A (en) 2018-04-17
CN107918550B CN107918550B (en) 2021-02-09

Family

ID=61892131

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610878205.9A Active CN107918550B (en) 2016-10-08 2016-10-08 Method for auditing historical use condition of USB (universal serial bus) equipment in Linux system

Country Status (1)

Country Link
CN (1) CN107918550B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100174833A1 (en) * 2009-01-05 2010-07-08 Roderick David Earle Filer Method and Apparatus for Identifying a Device Handle in a Computer System
CN202120266U (en) * 2011-07-13 2012-01-18 内江市效率源信息安全技术有限责任公司 Data operating record trace detection equipment
CN103777978A (en) * 2014-01-07 2014-05-07 汉柏科技有限公司 Automatic user-mode 3G-USB network interface card detecting method based on Linux kernel
CN105718824A (en) * 2015-10-22 2016-06-29 哈尔滨安天科技股份有限公司 System and method for preventing malicious USB equipment
CN105700980A (en) * 2016-04-27 2016-06-22 浪潮电子信息产业股份有限公司 Method for realizing automatic mounting of USB flash disk and testing speed of USB port

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
POLYGUN2000: "How to write udev rules" (《如何编写udev规则》), HTTP://BLOG.SINA.CN/DPOOL/BLOG/S/BLOG_704836F40100SB1H.HTML *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109076127A (en) * 2018-08-10 2018-12-21 深圳前海达闼云端智能科技有限公司 Detection method, device, electronic equipment and the medium of electronic equipment
WO2020029244A1 (en) * 2018-08-10 2020-02-13 深圳前海达闼云端智能科技有限公司 Method and apparatus for detecting electronic device, and electronic device and medium
CN113740781A (en) * 2021-08-30 2021-12-03 广州文远知行科技有限公司 Interface looseness detection method and device, vehicle and storage medium
CN113740781B (en) * 2021-08-30 2022-05-24 广州文远知行科技有限公司 Interface looseness detection method and device, vehicle and storage medium
CN115515079A (en) * 2022-08-05 2022-12-23 福建新大陆通信科技股份有限公司 Emergency broadcasting equipment LTE module management method
CN115515079B (en) * 2022-08-05 2023-06-27 福建新大陆通信科技股份有限公司 Emergency broadcasting equipment LTE module management method

Also Published As

Publication number Publication date
CN107918550B (en) 2021-02-09

Similar Documents

Publication Publication Date Title
CN103473346A (en) Android re-packed application detection method based on application programming interface
Faheem et al. Smartphone forensic analysis: A case study for obtaining root access of an android samsung s3 device and analyse the image without an expensive commercial tool
CN111191243B (en) Vulnerability detection method, vulnerability detection device and storage medium
US20200026877A1 (en) Detecting personally identificable information (pii) in telemetry data
CN105005528A (en) Log information extraction method and apparatus
CN104035842A (en) Method for deleting and recovering built-in application program
CN104537289A (en) Method and device for protecting intended target in terminal device
WO2014131306A1 (en) Method and system for detecting network link
CN105930726B (en) A kind of processing method and user terminal of malicious operation behavior
CN107918550A (en) A kind of method for USB device history service condition of auditing under linux system
CN109918678B (en) Method and device for identifying field meaning
CN111488603A (en) Method and device for identifying sensitive content of printed file
CN116755745A (en) Plug-in updating method, device and equipment of code editor and storage medium
CN111222181B (en) AI model supervision method, system, server and storage medium
CN111259382A (en) Malicious behavior identification method, device and system and storage medium
CN106789973B (en) Page security detection method and terminal equipment
WO2023081611A1 (en) Systems and methods for remediation of software configuration
US9646157B1 (en) Systems and methods for identifying repackaged files
CN114969840A (en) Data leakage prevention method and device
CN105354506B (en) The method and apparatus of hidden file
CN108415767A (en) Server thread control method, device, equipment and readable storage medium storing program for executing
CN114491528A (en) Malicious software detection method, device and equipment
CN110943982B (en) Document data encryption method and device, electronic equipment and storage medium
CN110262856B (en) Application program data acquisition method, device, terminal and storage medium
CN115495737A (en) Malicious program invalidation method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant