CN114780327A - Server monitoring method, asset management method and PCIE card - Google Patents
Server monitoring method, asset management method and PCIE card
- Publication number: CN114780327A
- Application number: CN202111479501.9A
- Authority: CN (China)
- Prior art keywords: information, server, chip, pcie, network
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F11/3055: Monitoring arrangements for monitoring the status of the computing system or of the computing system component, e.g. monitoring if the computing system is on, off, available, not available
- G06F11/3031: Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a motherboard or an expansion card
- G06F11/3065: Monitoring arrangements determined by the means or processing involved in reporting the monitored data
- H04L67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Abstract
An embodiment of the present specification provides a server monitoring method, an asset management method, and a PCIE card. The server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is executed by the blockchain chip. The method includes: acquiring the operation information of the server through a target interface; determining security audit information of the server according to the operation information; and saving the security audit information to the blockchain network.
Description
Technical Field
One or more embodiments of the present specification relate to the field of computer monitoring and the field of computer asset management, and in particular, to a server monitoring method, an asset management method, and a PCIE card.
Background
In the traditional scheme for monitoring and asset management of a server, especially a data center server, the operation information of the server is captured by the baseboard management controller (BMC) and by an agent built into the server OS, and is then sent to the data center management platform for security monitoring and asset management. This scheme has the problem that monitoring relies on the data center management platform, which leaves monitoring gaps: because the large volume of operation information is difficult to send to the management platform in time under network transmission pressure, the monitoring information collected at intervals may already have been tampered with by an attacker, and the attack on the server then cannot be discovered from it. In addition, server asset information in this scheme is generally used on a single platform and is difficult to use across multiple platforms.
Therefore, a new server monitoring and asset management method is needed.
Disclosure of Invention
The embodiments in this specification aim to provide a new server monitoring and asset management method. A PCIE card configured with an independent third-party blockchain chip is installed in the server; the blockchain chip obtains the server operation information, performs a security audit on it, and sends the audit result to a blockchain network, so as to improve the capability to detect security problems occurring on the server. The information in the operation information that corresponds to the server asset state is also sent to the blockchain network to generate a certificate of the server asset, which facilitates the transaction and circulation of the server asset among multiple parties and platforms and overcomes the defects of the prior art.
According to a first aspect, a server monitoring method is provided, where the server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is performed by the blockchain chip, and the method includes:
acquiring the running information of the server through a target interface;
determining the security audit information of the server according to the operation information;
and storing the security audit information to a blockchain network.
In one possible embodiment, the operating system OS of the server has a first agent built in;
the obtaining the operation information of the server through the target interface includes:
acquiring in-band information of a server from the first agent through a first interface;
according to the operation information, determining the security audit information of the server, which comprises the following steps:
and determining first audit information of the in-band information according to the in-band information.
In one possible embodiment, the in-band information includes one or more of: hardware information, firmware/kernel version, server process information, port information, user account information, crontab files and system logs of the server;
the first audit information includes one or more of: audit information on the server configuration, on port control, on network firewall operation, on the operating system boot process, on the server's multi-operating-system boot manager, on operating system login, on application credibility measurement, on hard disk storage data input and output, and on kernel vulnerabilities.
In a possible implementation manner, a baseboard management controller BMC is also arranged on the server,
the obtaining the operation information of the server through the target interface includes:
acquiring out-of-band information of the server from the BMC through a second interface;
according to the operation information, determining the security audit information of the server, which comprises the following steps:
and determining second audit information of the out-of-band information according to the out-of-band information.
In a possible embodiment, the second interface is an interface supporting the NCSI protocol.
In one possible implementation, the out-of-band information includes: one or more of out-of-band logs, out-of-band alarms, out-of-band sensor information;
the second audit information includes: audit information on the health state of the server.
In a possible implementation manner, the obtaining the operation information of the server through the target interface includes:
acquiring, through a third interface, intermediate information of the server after the server is started and before the server OS is started, where the third interface comprises a serial port or Serial Over LAN (SOL) serial port redirection;
according to the operation information, determining the security audit information of the server, which comprises the following steps:
and determining third audit information according to the intermediate information.
In a possible implementation manner, the obtaining the operation information of the server through the target interface includes:
acquiring network communication information of the server through a fourth interface; the fourth interface comprises a standard interface of a network card arranged on the server;
according to the operation information, determining the security audit information of the server, which comprises the following steps:
and determining fourth audit information related to network communication according to the network communication information.
In a possible implementation manner, the first PCIE card includes one of a PCIE network card/PCIE GPU card/PCIE HBA card.
In a possible implementation manner, a chip ID corresponding to the blockchain chip and a public and private key pair corresponding to the chip ID are stored in the blockchain chip; the saving the security audit information to a blockchain includes:
signing the security audit information by using a private key in the public and private key pair to obtain a chip signature;
and uploading the security audit information and the chip signature to the blockchain network.
In one possible embodiment, before uploading the security audit information together with the chip signature to the blockchain network, the method further comprises:
registering the blockchain chip on the blockchain network using the chip ID.
In a possible implementation, the public and private key pair corresponding to the chip ID is determined by negotiation with the blockchain network.
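To make the signing and registration embodiments above concrete, here is an added example (not code from the patent or its applicant) of the chip-side signing path and the network-side check: the chip holds a factory chip ID and a key pair, signs each audit record with its private key, and the network accepts an upload only if the chip ID is registered and the signature verifies. Ed25519 from Go's standard library, the record layout, the `Chip` and `Registry` types and the placeholder chip ID are all assumptions of this example; the patent names neither a signature algorithm nor a payload format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AuditRecord is the security audit information the chip uploads. EvidenceSHA256
// binds the record to the portion of raw operation information it was derived
// from, so a verifier can later match stored evidence against the finding.
type AuditRecord struct {
	ChipID         string `json:"chip_id"`
	Timestamp      int64  `json:"ts"`
	AuditType      string `json:"audit_type"` // e.g. "os_login", "port_control"
	Finding        string `json:"finding"`
	EvidenceSHA256 string `json:"evidence_sha256"`
}

// Upload is the message sent to the blockchain network: record plus chip signature.
type Upload struct {
	Record    AuditRecord `json:"record"`
	Signature []byte      `json:"sig"`
}

// Chip models the blockchain chip's private state: the factory chip ID and the
// key pair stored on the chip. Ed25519 is an assumption of this example.
type Chip struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey // never leaves the chip
}

func NewChip(id string) (*Chip, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Chip{ID: id, Pub: pub, priv: priv}, nil
}

// canonical returns the bytes that are signed. encoding/json emits struct
// fields in declaration order, so the encoding is stable for a fixed struct.
func (r AuditRecord) canonical() []byte {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // cannot happen here: only strings and an int64
	}
	return b
}

// SignAudit builds the audit record for one finding and signs it with the chip's private key.
func (c *Chip) SignAudit(auditType, finding string, evidence []byte, ts int64) Upload {
	sum := sha256.Sum256(evidence)
	rec := AuditRecord{
		ChipID:         c.ID,
		Timestamp:      ts,
		AuditType:      auditType,
		Finding:        finding,
		EvidenceSHA256: hex.EncodeToString(sum[:]),
	}
	return Upload{Record: rec, Signature: ed25519.Sign(c.priv, rec.canonical())}
}

// Registry stands in for the chip registration kept by the blockchain network:
// chip ID -> public key, populated when the chip registers with its chip ID.
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

func (r *Registry) Register(id string, pub ed25519.PublicKey) { r.keys[id] = pub }

// Verify is the check a node runs before accepting an upload: the chip must be
// registered, and the signature must cover exactly the record as received.
func (r *Registry) Verify(u Upload) error {
	pub, ok := r.keys[u.Record.ChipID]
	if !ok {
		return errors.New("chip ID not registered on the network")
	}
	if !ed25519.Verify(pub, u.Record.canonical(), u.Signature) {
		return errors.New("chip signature does not match record")
	}
	return nil
}

func main() {
	chip, err := NewChip("CHIP-ID-PLACEHOLDER-0001") // constructed ID, not a real chip ID
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	reg.Register(chip.ID, chip.Pub) // registration step before the first upload

	// Constructed evidence line, not taken from the patent.
	evidence := []byte("Mar  1 10:00:12 srv sshd[105]: Accepted password for root from 203.0.113.7")
	up := chip.SignAudit("os_login", "root login from unexpected source", evidence, 1700000000)
	fmt.Println("genuine upload:", reg.Verify(up))

	up.Record.Finding = "no issue" // a tamper attempt after signing
	fmt.Println("tampered upload:", reg.Verify(up))
}
```

The registry map stands in for whatever on-chain registration the network keeps. What the example shows is that a record altered after signing (the modified `Finding`) and an upload from an unregistered chip ID are both rejected, which is what makes the stored audit information hard to falsify after the fact.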
According to a second aspect, there is provided a server asset management method, where the server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is performed by the blockchain chip, and the method includes:
acquiring the running information of the server through a target interface;
and storing the operation information of the server to the blockchain network and generating a certificate of the asset state of the server.
In one possible embodiment, the operating system OS of the server has a first agent built in;
the obtaining the operation information of the server through the target interface includes:
and acquiring in-band information of the server from the first agent through a first interface.
In one possible embodiment, the in-band information includes: one or more of server usage time, installation records and usage records of applications on the server.
In a possible implementation manner, a baseboard management controller BMC is further arranged on the server,
the obtaining the operation information of the server through the target interface includes:
and acquiring the out-of-band information of the server from the BMC through the second interface.
In a possible embodiment, the second interface is an interface supporting the NCSI protocol.
In one possible implementation, the out-of-band information includes: BIOS/BMC firmware version, OS version, hard disk capacity/number of hard disks, memory capacity/number of memory modules, mainboard serial number (SN)/manufacturer/model, and power supply model/SN.
In one possible implementation, the first PCIE card is a PCIE network card,
the obtaining the operation information of the server through the target interface includes:
and acquiring the MAC address and/or the serial number of the PCIE network card through a media-independent interface (MII) or a reduced gigabit media-independent interface (RGMII).
In a possible implementation manner, the first PCIE card includes one of a PCIE network card/PCIE GPU card/PCIE HBA card.
In a possible implementation manner, the public and private key pair corresponding to the chip ID is determined through negotiation with the blockchain network.
In one possible implementation, the credential of the server asset status is used for one or more of enrollment, authentication, evaluation, qualification, valuation, and hosting of the server asset.
According to a third aspect, a PCIE card is provided, which includes a blockchain chip, where the blockchain chip includes a storage module, an information obtaining module, and an uplink module,
the storage module is used for storing the identity of the blockchain chip;
the information acquisition module is used for acquiring the operation information of the server through a target interface when the PCIE card is installed in the server;
and the uplink module is used for storing server information to a blockchain network based on the identity stored in the storage module, wherein the server information is obtained based on the operation information.
In a possible implementation manner, the PCIE card further includes an audit module, configured to determine security audit information of the server according to the operation information, and use the security audit information as the server information.
In a possible implementation manner, the identity is a chip ID set in the blockchain chip at the factory, and the storage module further stores a public and private key pair that corresponds to the chip ID and is negotiated with the blockchain network.
In a possible implementation, the operating system OS of the server has a first agent built therein, and the information obtaining module is further configured to:
and acquiring in-band information of the server, which is sent by the first agent, through a PCIE bus.
In a possible implementation manner, the PCIE card is a PCIE network card, the PCIE network card further includes a main control chip, and the main control chip is connected to the blockchain chip through a switch chip.
In a possible implementation manner, a baseboard management controller BMC is further disposed on the server, the PCIE network card is provided with a dedicated network port supporting an NCSI protocol, and the information obtaining module is further configured to:
and acquiring the out-of-band information of the server sent by the BMC through the special network port.
In a possible implementation, the information obtaining module is further configured to:
and obtaining, through serial port redirection (SOL), intermediate information of the server after the server is started and before the server OS is started.
In a possible implementation, the information obtaining module is further configured to:
and acquiring the network communication information of the server through a standard network port on the PCIE network card.
By using the method in each aspect and one or more of the PCIE cards, the monitoring capability of the security problem of the server can be effectively improved, and the transaction and circulation capability of the server asset on multiple parties and multiple platforms can be enhanced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 illustrates a schematic diagram of a server monitoring and asset management method and a PCIE card utilized by the same according to an embodiment of the present description;
Fig. 2 shows a flow diagram of a server monitoring method according to an embodiment of the present description;
Fig. 3 is a schematic diagram illustrating that intermediate operation information is acquired through a conventional network port of a PCIE network card according to an embodiment of the present specification;
Fig. 4 is a schematic diagram illustrating that network communication information is acquired through a conventional network port of a PCIE network card according to an embodiment of the present specification;
Fig. 5 is a schematic diagram illustrating obtaining network communication information via a port on another network card of a server according to an embodiment of the present disclosure;
Fig. 6 is a schematic diagram illustrating uplink data transmission through a conventional network port of a PCIE network card according to an embodiment of the present disclosure;
Fig. 7 is a diagram illustrating uplink data transmission through a network port of another network card on a server according to an embodiment of the present disclosure;
Fig. 8 illustrates a flow diagram of a method of server asset management according to an embodiment of the present description;
Fig. 9 shows a structure diagram of a PCIE card according to an embodiment of the present specification.
Detailed Description
The solution provided by the present specification will be described below with reference to the accompanying drawings.
As described above, the traditional method for data center server monitoring and asset management captures server operation information by means of the BMC and an agent built into the OS, and manages the server by means of the data center management platform. This conventional method has the following problems:
1) While the server is running, monitoring relies on the data center management platform; no independent and effective third party (independent of the server processor) exists locally on the server to audit and supervise the server's software and hardware operation. This leaves a gap in server monitoring. For example, after a malicious login on a server, an attacker often removes traces of the operation by deleting records from the operation log. Because there are many kinds of server operation information and the data volume is large, it is difficult to transmit all of it to the management platform in real time, so a timed transmission mode is usually adopted. The operation log that reaches the management platform may therefore already have been falsified by the attacker, and the management platform cannot discover the malicious login.
2) The server asset state information in the server operation information acquired by the data center is usually kept only on a single data center platform, and the acquisition process lacks the endorsement of an independent third party. The server asset information therefore cannot be shared conveniently and credibly with external parties and across multiple platforms, nor used for transactions or circulation of the server assets among them.
In order to solve the foregoing technical problem, embodiments of the present specification provide a server monitoring method, an asset management method, and a corresponding PCIE card. The core idea is that a PCIE card carrying a blockchain processing chip is installed in the server; the blockchain processing chip on the PCIE card acquires the in-band and out-of-band operation information of the server through the agent program running on the server OS, the BMC and the like, performs a security audit on the operation information, and stores the resulting audit information in a blockchain network. Meanwhile, the part of the server operation information that relates to the state of the server asset can also be sent to the blockchain network to generate a certificate of the server asset, which can be used for registration, rights confirmation, evaluation and the like of the server asset. Specifically, the blockchain processing chip may be an SE (Secure Element) chip, which is similar to an independent third-party microcomputer: it has its own Chip Operating System (COS) and data storage region, and can perform, for example, secure data storage, encryption/decryption operations, and service calculations. The processor on the server cannot freely access the data in the blockchain processing chip and cannot observe its calculation process. Therefore, on one hand, installing the PCIE card with the blockchain processing chip on the server lets the chip obtain a large amount of operation information of the local server in time (without transmitting it to the remote data center over the network) and perform, for example, real-time or near-real-time security checks on it, so that security problems occurring on the server are found in time.
For example, when an attacker logs into a server maliciously and the operation log of the server is acquired in time, the malicious login can be found from the operation log. Moreover, the blockchain processing chip itself is secure: a server attacker generally cannot access the calculation process or stored data of the chip, cannot influence its processing, and cannot tamper with its audit result. In this manner, the method improves the ability to monitor security issues on the server. On the other hand, the blockchain processing chip is independent of the server processor and sends the acquired server asset status information, together with a signature, to the blockchain network. The blockchain network itself is distributed and may, for example, include nodes of multiple participants. Thus, the server asset status information sent by the blockchain processing chip can be used to generate credentials of the server asset status in the blockchain network, which can be used for registration, authentication, qualification, valuation and the like of the server asset, thereby facilitating, for example, trading and circulation of the server asset among multiple participants in the blockchain, or further between different blockchain networks.
Fig. 1 illustrates a schematic diagram of a server monitoring method, an asset management method, and a PCIE card according to an embodiment of the present specification. The main idea of the method is explained below with reference to Fig. 1. In the embodiment shown in Fig. 1, the first PCIE card is specifically a PCIE network card, and the PCIE network card is provided with a blockchain chip. A PCIE network card is typically installed in a target server by inserting it into a PCIE slot of the server. After the PCIE network card is installed, the blockchain chip can acquire, through the PCIE bus, the server operation information sent by the agent program running on the server OS. In server management, the operation information of a server is generally divided into two layers, in-band information and out-of-band information: in-band information is mainly the operation information obtained by the server OS after the server is started, while out-of-band information is the operation information acquired by the BMC whether or not the server is started. The blockchain chip can be connected to the main control chip (MAC chip) of the PCIE network card through a switch chip. Since the network card on the server usually carries service communication tasks, such as connecting to an intranet or an extranet, these services occupy the conventional network port on the card. Therefore, besides the conventional network port, a dedicated network port is arranged on the PCIE network card and connected to the switch chip, and the BMC can send out-of-band information to the blockchain chip through the dedicated network port using the NCSI protocol.
After obtaining the server operation information including the in-band and out-of-band information, the blockchain chip can perform a security audit of the server according to that information. Specifically, the blockchain chip can perform different types of security audits according to different types of operation information. For example, if the obtained server operation information includes the login records of the server, it can be determined from the login records whether a malicious login is currently occurring on the server. In an embodiment, the blockchain chip may further use serial port redirection over Serial Over LAN (SOL) to acquire, through a conventional network port on the PCIE network card, the intermediate information produced after the server is started and before the server OS is started, and use that intermediate information to perform a security audit, such as virus detection, of the intermediate process between power-on and OS start. In another embodiment, the blockchain chip may further obtain the network communication information of the server through a conventional network port on the PCIE network card and perform a traffic security check on it.
After performing the various security audits, the blockchain chip can send the audit results to the blockchain network through the PCIE network card. In order to retain the original information and facilitate later verification, in one embodiment the portion of the operation information directly corresponding to an audit result may also be sent to the blockchain network. As described above, the independent audit by the blockchain chip local to the server ensures the timeliness of the security audit, improves the security of the audit process, and improves the security monitoring capability of the server as a whole. Once the audit information has been sent to the blockchain network, the blockchain's mechanism makes it difficult to tamper with afterwards, which enhances the reliability of the audit information, for example during a post-incident inspection.
The operation information of the server may include information that can be used to determine the asset status of the server, such as the CPU model, memory model, and hard disk model and read/write counts, which can prove whether each hardware component of the server is of a newer model, how the component has been used, and so on. Therefore, this part of the server operation information can also be sent to the blockchain network to generate a certificate of the server asset state, and the certificate can be used for registration, rights confirmation, evaluation and the like of the server asset, so that the transaction and circulation of the server asset are facilitated.
Fig. 2 shows a flow chart of a server monitoring method according to an embodiment of the present description. The server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is executed by the blockchain chip. As shown in Fig. 2, the method includes:
step 21, acquiring the operation information of the server through a target interface;
step 22, determining the security audit information of the server according to the operation information;
and step 23, storing the security audit information to a blockchain network.
First, in step 21, the operation information of the server is acquired through the target interface.
In this step, the blockchain chip may obtain different types of operation information through different types of target interfaces.
As previously described, the acquired operation information may include in-band information, which may be acquired by an agent built into the OS. "Built into the OS" here does not mean that the agent is necessarily a component of the OS itself, but that the agent runs in the OS and depends on the OS to run. Thus, in one embodiment, the operating system OS of the server has a first agent built in, and the in-band information of the server may be obtained from the first agent through a first interface. A PCIE card is usually installed in a target server by inserting it into a PCIE slot of the server, and PCIE (PCI Express, Peripheral Component Interconnect Express) is a high-speed serial computer expansion bus standard; thus, in one example, the first interface is a PCIE interface. In different embodiments, the first PCIE card may be of different types; in one embodiment it may include one of a PCIE network card, a PCIE GPU card or a PCIE HBA card.
In different embodiments, different refined types of in-band information may be obtained, which this specification does not limit. In one embodiment, the in-band information may include: hardware information of the server, firmware/kernel version, server process information, port information, operating system startup information, user account information, the crontab file (used to configure periodically executed commands), network firewall logs and system logs. In the subsequent steps, different types of security audits can be performed according to the different types of in-band information.
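As an added example of the operating-system login audit listed among the first audit information types, and of the login-record check described with Fig. 1 (this is not the patent's code; the log lines, the `LoginPolicy` fields and the rule names are constructed for illustration), the following Go function walks sshd-style lines from the system log and emits findings for logins by accounts outside an allow-list, for failure bursts from one source, and for a successful login that follows such a burst from the same source.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sshd-style lines standing in for the system-log portion of the
// in-band information; they are not taken from the patent.
const sampleAuthLog = `Mar  1 10:00:01 srv sshd[101]: Accepted publickey for deploy from 10.0.0.5 port 5001 ssh2
Mar  1 10:00:05 srv sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 5100 ssh2
Mar  1 10:00:07 srv sshd[103]: Failed password for root from 203.0.113.7 port 5101 ssh2
Mar  1 10:00:09 srv sshd[104]: Failed password for root from 203.0.113.7 port 5102 ssh2
Mar  1 10:00:12 srv sshd[105]: Accepted password for root from 203.0.113.7 port 5103 ssh2
Mar  1 10:05:00 srv sshd[106]: Accepted publickey for deploy from 10.0.0.6 port 5200 ssh2`

// Finding is one item of the operating-system login audit information.
type Finding struct {
	Rule   string
	Detail string
}

// LoginPolicy is the audit configuration; the patent leaves these parameters open.
type LoginPolicy struct {
	AllowedAccounts  map[string]bool // accounts expected to log in interactively
	FailureThreshold int             // failed attempts from one source that count as a burst
}

func DefaultPolicy() LoginPolicy {
	return LoginPolicy{AllowedAccounts: map[string]bool{"deploy": true}, FailureThreshold: 3}
}

// authRe matches the result, method, account and source of an sshd login record.
var authRe = regexp.MustCompile(`sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+)`)

// AuditLogins walks the log once in order, so a successful login that follows
// a failure burst from the same source is flagged as soon as it is seen.
func AuditLogins(log string, p LoginPolicy) []Finding {
	failures := map[string]int{} // failed attempts per source address
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := authRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a login record
		}
		result, user, src := m[1], m[3], m[4]
		switch result {
		case "Failed":
			failures[src]++
		case "Accepted":
			if !p.AllowedAccounts[user] {
				out = append(out, Finding{"unexpected-account-login", fmt.Sprintf("%s from %s", user, src)})
			}
			if failures[src] >= p.FailureThreshold {
				out = append(out, Finding{"login-after-failure-burst",
					fmt.Sprintf("%s from %s after %d failures", user, src, failures[src])})
			}
		}
	}
	for src, n := range failures {
		if n >= p.FailureThreshold {
			out = append(out, Finding{"failed-login-burst", fmt.Sprintf("%d failures from %s", n, src)})
		}
	}
	// Deterministic order so the audit report (and its signature) is reproducible.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Rule != out[j].Rule {
			return out[i].Rule < out[j].Rule
		}
		return out[i].Detail < out[j].Detail
	})
	return out
}

// CountByRule summarises findings per rule, e.g. for the audit record sent up-chain.
func CountByRule(fs []Finding) map[string]int {
	c := map[string]int{}
	for _, f := range fs {
		c[f.Rule]++
	}
	return c
}

func main() {
	for _, f := range AuditLogins(sampleAuthLog, DefaultPolicy()) {
		fmt.Printf("%-26s %s\n", f.Rule, f.Detail)
	}
}
```

On the constructed sample the function reports three findings for the 203.0.113.7 source: a burst of three failures, a root login after that burst, and a root login from an account outside the allow-list. Because the chip reads the log locally and in order, it sees these records before any later deletion from the on-server log, which is the timing advantage the description attributes to local auditing.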
As previously described, the operational information may also include out-of-band information, which is typically obtained through the BMC. A BMC (Baseboard Management Controller) is a server management subsystem that does not depend on the processor, BIOS, or operating system of the server to operate. What the BMC monitors and operates on is the server hardware. In various examples, the BMC may monitor the server's voltages, fans, power supplies, etc., and make adjustments based on this information, for example adjusting fan speed in real time to keep the server in a healthy state, or resetting the server and restarting the system. In one example, hardware information may also be recorded and a hardware information log generated. Because the BMC does not rely on the processor, BIOS or operating system of the server, it can monitor the server independently, whether or not the server has been started. Therefore, in one embodiment, a baseboard management controller BMC is further disposed on the server, and the out-of-band information of the server may be obtained from the BMC through a second interface. Since the BMC generally exchanges information with a network controller over the NCSI (Network Controller Sideband Interface) protocol, in an embodiment the second interface is an interface supporting the NCSI protocol, for example a network port supporting NCSI.
In different embodiments, out-of-band information of different refinement types may be obtained, which is not limited in this specification. In one embodiment, the out-of-band information may include: one or more of out-of-band logs, out-of-band alarms, out-of-band sensor (e.g., temperature, humidity sensor) information.
In practice, some computer viruses operate in the window after a server is powered on and before the server OS starts, for example by introducing malicious code during boot; to detect such activity, operation information from that window must be acquired. Therefore, in one embodiment, intermediate information of the server, from power-on until the server OS is started, may also be acquired through a third interface. In one embodiment, the third interface may comprise a serial port or Serial over LAN (SOL) redirection. Generally, the intermediate information can be obtained through the server serial port; SOL essentially carries the same serial console traffic over a network port on the server. Therefore, in a specific embodiment, if the PCIE card where the blockchain chip is located is a PCIE network card, the serial port can be redirected to the conventional network interface on the PCIE network card and the intermediate information obtained there, as shown in fig. 3.
The acquired operation information may further include network communication information of the server. Therefore, in one embodiment, the network communication information of the server may be acquired through the fourth interface. In an embodiment, the fourth interface includes a standard interface (or a conventional interface, a conventional network interface) of a network card disposed on the server. In an example, if the PCIE card where the blockchain chip is located is a PCIE network card, the network communication information may be acquired through a conventional network interface on the PCIE network card, as shown in fig. 4. In another example, if the PCIE card where the blockchain chip is located is not a PCIE network card, the network communication information may be acquired through a network port of another network card on the server. In essence, the network communication information is acquired from other network cards through the server CPU, and then forwarded to the blockchain chip through the PCIE bus. Or, the network communication information may be acquired from another network card through an agent program built in the server OS, and then forwarded to the blockchain chip through the PCIE bus, as shown in fig. 5.
Then, in step 22, security audit information of the server is determined according to the operation information.
In this step, according to the different types of operation information obtained in step 21, different types of security audits may be performed and the corresponding security audit information obtained.
In the above embodiment of acquiring the in-band information through the agent in the OS, first audit information may be determined according to the in-band information. In different embodiments, according to in-band information of different refinement types, corresponding different types of security audit information can be determined; the present specification is not limited to a particular type of security audit. In one example, it may be determined from the acquired version information of the system/application on the server whether the system/application is at the expected version, and from that whether the server is at a security risk, for example the risk that an attacker exploits a known weakness of that system or application version. In another example, the acquired server operation information includes the system patches installed on the server; from this it may be determined whether the server is missing necessary patches, and in turn whether the system vulnerabilities those patches address are present on the server. In one embodiment, the first audit information may include: audit information of the server configuration, of port control, of network firewall operation, of the operating system startup process, of the server's multi-operating-system boot manager (such as GRUB, GRand Unified Bootloader), of operating system logins, of application trustworthiness measurement, of hard disk storage data input and output, and of kernel vulnerabilities.
In the above embodiment of obtaining the out-of-band information through the BMC, second audit information may be determined according to the out-of-band information. In one embodiment, the second audit information may include an audit of the server health state; for example, whether the server is in a healthy running state is determined from the acquired voltage, fan and power supply information of the server.
In the above embodiment of obtaining the intermediate information, the third audit information may be determined according to the intermediate information. In a specific embodiment, the third audit information may be, for example, virus audit information.
In the above embodiment of obtaining the network communication information, the fourth audit information related to the network communication may be determined according to the network communication information. In a specific embodiment, the fourth audit information is, for example, network abnormal traffic audit information. In a different example, the fourth audit information may also be audit information for different types of further refined abnormal traffic, which is not limited in this specification.
In addition, depending on the type of security audit, the resulting security audit information may, in an embodiment, include the audit result of that type of audit. For example, for a security audit of server user logins, the security audit information may include the result that a malicious login does or does not exist on the target server within a specific time period. In another embodiment, the security audit information may also include the operation information directly associated with the audit result. For example, if the audit result is that a malicious login exists on the target server within a specific time period, the security audit information may further include the original malicious login records, so that the result can be compared against and verified from its evidence afterwards.
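Login auditing of the kind described above, carried through on constructed input as an added example (this is not code from the patent): the sshd lines stand in for the system log acquired as in-band information in step 21, and the output is the first audit information of step 22, namely the audit result together with the original login records that back it. The log format, the addresses, and the rule of three failures from one source within five minutes followed by an accepted login are assumptions of this example; the patent leaves the audit criteria open.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Constructed sshd lines standing in for the system log acquired as in-band
// information (not taken from the patent); RFC3339 timestamps keep parsing simple.
var sampleAuthLog = []string{
	"2021-12-06T08:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
	"2021-12-06T08:00:04Z sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2",
	"2021-12-06T08:00:07Z sshd[1201]: Failed password for root from 203.0.113.7 port 51026 ssh2",
	"2021-12-06T08:00:11Z sshd[1201]: Accepted password for root from 203.0.113.7 port 51028 ssh2",
	"2021-12-06T09:15:00Z sshd[1340]: Accepted publickey for ops from 198.51.100.20 port 40100 ssh2",
	"2021-12-06T09:20:00Z sshd[1350]: Failed password for ops from 198.51.100.20 port 40102 ssh2",
	"2021-12-06T09:20:30Z sshd[1350]: Accepted password for ops from 198.51.100.20 port 40104 ssh2",
}

var authLineRe = regexp.MustCompile(
	`^(\S+) sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+`)

type loginEvent struct {
	At      time.Time
	Success bool
	User    string
	Source  string
	Raw     string // original record, kept as evidence
}

// LoginFinding is one malicious-login determination with the original records behind it.
type LoginFinding struct {
	User     string
	Source   string
	Failures int
	Records  []string // the failed attempts followed by the accepted login
}

type LoginAuditResult struct {
	Malicious bool // the audit result: a malicious login exists in the audited period
	Findings  []LoginFinding
}

// parseAuthLog keeps only sshd authentication lines. Unrelated syslog lines are
// skipped; an auth line with an unparseable timestamp is an error, not dropped evidence.
func parseAuthLog(lines []string) ([]loginEvent, error) {
	var events []loginEvent
	for _, l := range lines {
		m := authLineRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		at, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", l, err)
		}
		events = append(events, loginEvent{At: at, Success: m[2] == "Accepted", User: m[3], Source: m[4], Raw: l})
	}
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	return events, nil
}

// AuditLogins flags an accepted login as malicious when the same source address
// produced at least threshold failed logins within window before it (password
// guessing followed by success). The rule is an assumption of this example.
func AuditLogins(lines []string, window time.Duration, threshold int) (LoginAuditResult, error) {
	events, err := parseAuthLog(lines)
	if err != nil {
		return LoginAuditResult{}, err
	}
	var res LoginAuditResult
	for i, ev := range events {
		if !ev.Success {
			continue
		}
		var records []string
		for _, prev := range events[:i] {
			if !prev.Success && prev.Source == ev.Source && ev.At.Sub(prev.At) <= window {
				records = append(records, prev.Raw)
			}
		}
		if len(records) >= threshold {
			res.Malicious = true
			res.Findings = append(res.Findings, LoginFinding{User: ev.User, Source: ev.Source,
				Failures: len(records), Records: append(records, ev.Raw)})
		}
	}
	return res, nil
}

func main() {
	res, err := AuditLogins(sampleAuthLog, 5*time.Minute, 3)
	if err != nil {
		panic(err)
	}
	fmt.Printf("malicious login: %v\nfindings: %+v\n", res.Malicious, res.Findings)
}
```

Keeping the raw lines in `Records` is what lets the uploaded audit information be checked against its evidence later, as the paragraph above describes; a result without the supporting records could only be taken on trust.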
Finally, in step 23, the security audit information is saved to the blockchain network.
In this step, the audit information is stored in the blockchain network, so that the mechanisms of the blockchain make the stored audit information difficult to tamper with afterwards and the security of the stored audit information is enhanced. This protects the records once they are on the chain; it does not by itself establish that the records were correct when collected, which rests on the chip keeping its private key and on the integrity of the acquisition path. According to different embodiments, different specific types of blockchain may be utilized, which is not limited in this specification. In one embodiment, a chip ID corresponding to the blockchain chip and a public-private key pair corresponding to the chip ID may be stored in the blockchain chip. The private key of the pair can be used to sign the security audit information to obtain a chip signature, and the security audit information and the chip signature are uploaded together to the blockchain network. In one example, the chip ID may be a unique ID set before the chip leaves the factory.
Typically, the blockchain chip may register on the blockchain network before saving the information to the blockchain network. Therefore, in one embodiment, the chip ID may be used to register the blockchain chip on the blockchain network before uploading the security audit information to the blockchain network.
The key of the blockchain chip for a specific blockchain network, or the key for saving the security audit information to the specific blockchain network, may be determined through negotiation with the blockchain network. Thus, in one embodiment, the public and private key pair corresponding to the chip ID may be determined by negotiation with the blockchain network.
Specifically, in an embodiment, if the PCIE card where the blockchain chip is located is a PCIE network card, the security audit information may be sent to the blockchain network through a conventional network port on the PCIE network card, as shown in fig. 6. In another embodiment, if the PCIE card where the blockchain chip is located is not a PCIE network card, the security audit information may be sent to the blockchain network through the network port of another network card on the server. Essentially, the uplink information is sent to the server CPU through the PCIE bus, and the server CPU then uploads it to the blockchain network through the other network card. Alternatively, the uplink information may be sent to an agent built into the server OS, which sends it to the blockchain network through the other network card, as shown in fig. 7.
FIG. 8 illustrates a flow diagram of a method for server asset management according to an embodiment of the present description. The server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is executed by the blockchain chip. As shown in fig. 8, the method includes:
First, in step 81, the operation information of the server is acquired through the target interface.
In this step, the blockchain chip may obtain different types of operation information through different types of target interfaces. The operation information may be operation information corresponding to the asset state of the server, for example, configuration information and state information of software and hardware accessories of the server, specifically, such as a memory model, a processor model, hard disk read-write time, a system version, and the like. In one example, the model/version of the server hardware and software components, for example, can be determined to be new or old, and the status of the server hardware and software components can be determined to be good or bad, and the status of the server assets, for example, within a certain period of time can be determined according to the information.
The acquired operational information may include in-band information. The process and manner of obtaining the in-band information are similar to the process and manner of obtaining the in-band information in step 21, and refer to the description of step 21, which is not described herein again. In different embodiments, different refinement types of in-band information may be obtained. In one embodiment, the in-band information may include: one or more of server usage time, installation records and usage records of applications on the server.
The obtained operational information may also include out-of-band information. The process and manner of obtaining the out-of-band information are similar to those in step 21, to which reference may be made; they are not described again here. In different embodiments, different types of out-of-band information may be obtained. In one embodiment, the out-of-band information may include: the BIOS/BMC firmware version, the OS version, hard disk capacity/number of hard disks, memory capacity/number of memory modules, motherboard serial number (SN)/manufacturer/model, and power supply model/SN.
The acquired operation information may further include the MAC address of the server. In one embodiment, the first PCIE card is a PCIE network card, and the blockchain chip may be connected to the main control chip. The MAC address (the MAC address of the server) and/or the serial number of the PCIE network card may then be obtained through the Media Independent Interface (MII) or Reduced Gigabit Media Independent Interface (RGMII) between the blockchain chip and the main control chip.
Then, in step 82, the operational information of the server is saved to the blockchain network.
In this step, the operation information is saved to the blockchain network, mainly to generate credentials of the server asset status. In one embodiment, credentials of server asset status may be used for one or more of enrollment, validation, evaluation, qualification, valuation, and hosting of the server asset. The distributed nature and high data reliability of the blockchain network facilitate trading and circulation of server assets among, for example, multiple participants in the blockchain network.
According to various embodiments, different types of blockchain may be utilized, which is not limited in this description. In one embodiment, a chip ID corresponding to the blockchain chip and a public-private key pair corresponding to the chip ID may be stored in the blockchain chip. The operation information to be uploaded is signed with the private key of the pair to obtain a chip signature, and the operation information and the chip signature are uploaded together to the blockchain network. In one example, the chip ID may be a unique ID set before the chip leaves the factory.
The process and manner of uploading the operation information to the blockchain network are similar to the process and manner of uploading the audit information to the blockchain network in step 23, and reference may be made to the description of step 23, which is not described herein again.
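The signing-and-upload path shared by step 23 (security audit information) and step 82 (asset-state operation information), as an added example rather than code from the patent. Ed25519 stands in for the key pair the patent does not specify, the `Registry` type stands in for the blockchain network's record of registered chip IDs, and the chip ID and payload are constructed values; the patent fixes neither the signature scheme nor the registration protocol, so modelling registration as publishing the public key under the chip ID is an assumption here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ChipIdentity models what the patent says the blockchain chip holds: a factory-set
// chip ID and its key pair. Generated in software here; on the card the private key never leaves the chip.
type ChipIdentity struct {
	ChipID string
	priv   ed25519.PrivateKey
	pub    ed25519.PublicKey
}

func NewChipIdentity(chipID string) (*ChipIdentity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ChipIdentity{ChipID: chipID, priv: priv, pub: pub}, nil
}

// UplinkRecord is the unit sent to the chain: the server information (security audit
// information in step 23, asset-state operation information in step 82), chip ID and chip signature.
type UplinkRecord struct {
	ChipID    string          `json:"chip_id"`
	Kind      string          `json:"kind"` // "security_audit" or "asset_state"
	Info      json.RawMessage `json:"info"`
	Signature string          `json:"signature"` // hex-encoded Ed25519 signature
}

// signingInput binds chip ID, kind and the exact info bytes that are shipped, each
// length-prefixed so field boundaries cannot shift; the verifier need not re-encode anything.
func signingInput(chipID, kind string, info []byte) []byte {
	var b []byte
	for _, f := range [][]byte{[]byte(chipID), []byte(kind), info} {
		n := uint32(len(f))
		b = append(b, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
		b = append(b, f...)
	}
	return b
}

// Sign produces the record the uplink module sends to the blockchain network.
func (c *ChipIdentity) Sign(kind string, info []byte) UplinkRecord {
	sig := ed25519.Sign(c.priv, signingInput(c.ChipID, kind, info))
	return UplinkRecord{ChipID: c.ChipID, Kind: kind, Info: json.RawMessage(info), Signature: hex.EncodeToString(sig)}
}

// Registry stands in for the blockchain network's record of registered chips
// (chip ID -> public key); publishing the public key at registration is an assumption of this example.
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Register binds a chip ID to a public key once. Re-registering a known ID with a different
// key is refused, otherwise anyone who learned a chip ID could sign records in that chip's name.
func (r *Registry) Register(c *ChipIdentity) error {
	if existing, ok := r.keys[c.ChipID]; ok && !existing.Equal(c.pub) {
		return fmt.Errorf("chip %s already registered with a different key", c.ChipID)
	}
	r.keys[c.ChipID] = c.pub
	return nil
}

// Verify is what a chain node, or an auditor reading the chain later, runs before trusting
// a record: unknown chip IDs and any change to chip ID, kind or info after signing are rejected.
func (r *Registry) Verify(rec UplinkRecord) error {
	pub, ok := r.keys[rec.ChipID]
	if !ok {
		return errors.New("chip ID not registered")
	}
	sig, err := hex.DecodeString(rec.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, signingInput(rec.ChipID, rec.Kind, rec.Info), sig) {
		return errors.New("signature does not verify: record altered or wrong key")
	}
	return nil
}

func main() {
	chip, err := NewChipIdentity("BC-CHIP-0001") // constructed chip ID
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	if err := reg.Register(chip); err != nil {
		panic(err)
	}
	rec := chip.Sign("security_audit", []byte(`{"audit":"login","result":"malicious_login"}`)) // constructed payload
	fmt.Printf("chip=%s kind=%s sig=%s...\nverify: %v\n", rec.ChipID, rec.Kind, rec.Signature[:16], reg.Verify(rec))
}
```

Signing the transmitted bytes rather than a re-serialised structure is deliberate: a verifier written in another language would otherwise have to reproduce the chip's JSON encoding byte for byte, and any difference in key order or whitespace would make a valid record fail verification.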
In another embodiment of this specification, a PCIE card is also provided. Fig. 9 shows a structure diagram of a PCIE card according to an embodiment of the present specification. As shown in fig. 9, the PCIE card 900 includes a blockchain chip 910, which includes a storage module 91, an information obtaining module 92, and an uplink module 93, wherein:
the storage module 91 is configured to store the identity of the blockchain chip;
the information obtaining module 92 is configured to, when the PCIE card is installed in a server, obtain operation information of the server through a target interface;
the uplink module 93 is configured to store server information to a blockchain network based on the identity stored in the storage module, where the server information is obtained based on the operation information.
In an embodiment, the PCIE card 900 further includes an auditing module 94, configured to determine security auditing information of the server according to the operation information, and use the security auditing information as the server information.
In one embodiment, the identity may be a chip ID factory-set for the blockchain chip, and the storage module may further store the public-private key pair corresponding to the chip ID for the blockchain network.
In one embodiment, the operating system OS of the server may have a first agent built therein, and the information obtaining module may be further configured to:
and acquiring the in-band information of the server sent by the first agent through a PCIE bus.
In one embodiment, the PCIE card may be a PCIE network card, the PCIE network card further includes a main control chip, and the main control chip is connected to the blockchain chip through a switch chip.
In one embodiment, the server is further provided with a baseboard management controller BMC, the PCIE network card is provided with a dedicated network port supporting an NCSI protocol, and the information acquisition module is further configured to:
and acquiring the out-of-band information of the server sent by the BMC through the special network port.
In one embodiment, the information obtaining module may be further configured to:
acquiring, through a serial port or Serial over LAN (SOL) redirection, intermediate information of the server after the server is started and before the server OS is started.
In one embodiment, the information obtaining module may be further configured to:
and acquiring the network communication information of the server through a standard network port on the PCIE network card.
It is to be understood that the terms "first," "second," and the like, herein are used for descriptive purposes only and not for purposes of limitation, to distinguish between similar concepts.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The above-mentioned embodiments, objects, technical solutions and advantages of the present invention are further described in detail, it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention.
Claims (30)
1. A server monitoring method, wherein the server is provided with a first PCIE card, the first PCIE card is provided with a blockchain chip, and the method is executed by the blockchain chip, the method comprising:
acquiring the running information of the server through a target interface;
determining security audit information of the server according to the operation information;
and storing the security audit information to a blockchain network.
2. The method of claim 1, wherein the operating system OS of the server has a first agent built in;
the obtaining the operation information of the server through the target interface includes:
acquiring in-band information of a server from the first agent through a first interface;
the determining security audit information of the server according to the operation information comprises:
determining first audit information of the in-band information according to the in-band information.
3. The method of claim 2, wherein the in-band information comprises: one or more of hardware information, firmware/kernel version, server process information, port information, operating system starting information, user account information, crontab files, network firewall logs and system logs of the server;
the first audit information includes: audit information of the server configuration, audit information of port control, audit information of network firewall operation, audit information of the operating system startup process, audit information of the server's multi-operating-system boot manager, audit information of operating system logins, audit information of application trustworthiness measurement, audit information of hard disk storage data input and output, and audit information of kernel vulnerabilities.
4. The method of claim 1, wherein a Baseboard Management Controller (BMC) is further disposed on the server,
the obtaining the operation information of the server through the target interface includes:
acquiring the out-of-band information of the server from the BMC through a second interface;
the determining security audit information of the server according to the operation information comprises:
determining second audit information of the out-of-band information according to the out-of-band information.
5. The method of claim 4, wherein the second interface is an interface supporting the NCSI protocol.
6. The method of claim 4, wherein the out-of-band information comprises: one or more of out-of-band logs, out-of-band alarms, out-of-band sensor information;
the second audit information includes: audit information of the server health state.
7. The method of claim 1, wherein,
through the target interface, obtaining the operation information of the server, including:
acquiring, through a third interface, intermediate information of the server after the server is started and before the server OS is started, the third interface comprising a serial port or Serial over LAN (SOL) redirection;
the determining security audit information of the server according to the operation information comprises:
and determining third auditing information according to the intermediate information.
8. The method of claim 1, wherein,
through the target interface, obtaining the operation information of the server, including:
acquiring network communication information of the server through a fourth interface; the fourth interface comprises a standard interface of a network card arranged on the server;
the determining security audit information of the server according to the operation information comprises:
and determining fourth auditing information related to network communication according to the network communication information.
9. The method of claim 1, wherein the first PCIE card includes one of a PCIE network card/a PCIE GPU card/a PCIE HBA card.
10. The method of claim 1, wherein a chip ID corresponding to the blockchain chip and a public-private key pair corresponding to the chip ID are stored in the blockchain chip; the storing the security audit information to a blockchain network comprises:
signing the security audit information with the private key of the public-private key pair to obtain a chip signature;
and uploading the security audit information and the chip signature together to the blockchain network.
11. The method of claim 10, further comprising, prior to uploading the security audit information, the chip signature together to the blockchain network,
registering the blockchain chip on the blockchain network using the chip ID.
12. The method of claim 10, wherein the public and private key pair corresponding to the chip ID is determined by negotiation with the blockchain network.
13. A server asset management method, the server being provided with a first PCIE card provided with a blockchain chip, the method being performed by the blockchain chip, the method comprising:
acquiring the running information of the server through a target interface;
and storing the operation information of the server to a blockchain network, generating a credential of the asset state of the server.
14. The method of claim 13, wherein the operating system OS of the server has a first agent built in;
the obtaining the operation information of the server through the target interface includes:
and acquiring in-band information of a server from the first agent through a first interface.
15. The method of claim 14, wherein the in-band information comprises: one or more of server usage time, installation records and usage records of applications on the server.
16. The method of claim 13, wherein a Baseboard Management Controller (BMC) is further disposed on the server,
the obtaining the operation information of the server through the target interface includes:
and acquiring the out-of-band information of the server from the BMC through the second interface.
17. The method of claim 16, wherein the second interface is an interface supporting the NCSI protocol.
18. The method of claim 16, wherein the out-of-band information comprises: one or more of bios/bmc fw version, OS version, hard disk capacity/hard disk number, memory capacity/memory bank number, motherboard SN serial number/manufacturer/model, and power supply model/SN number.
19. The method of claim 13, wherein the first PCIE card is a PCIE network card,
the obtaining the operation information of the server through the target interface includes:
and acquiring the MAC address and/or the serial number of the PCIE network card through a Media Independent Interface (MII) or a Reduced Gigabit Media Independent Interface (RGMII).
20. The method of claim 13, wherein the first PCIE card comprises one of a PCIE network card/PCIE GPU card/PCIE HBA card.
21. The method of claim 21, wherein the public-private key pair corresponding to the chip ID is determined by negotiation with the blockchain network.
22. The method of claim 13, wherein the credentials of the server asset status are used for one or more of enrollment, validation, evaluation, qualification, valuation, and hosting of the server asset.
23. A PCIE card comprises a block chain chip, wherein the block chain chip comprises a storage module, an information acquisition module and an uplink module,
the storage module is used for storing the identity of the block chain chip;
the information acquisition module is used for acquiring the running information of the server through a target interface when the PCIE card is installed in the server;
and the uplink module is used for storing server information to a block chain network based on the identity identifier stored by the storage module, wherein the server information is obtained based on the operation information.
24. The PCIE card of claim 23, further comprising an auditing module, configured to determine security auditing information of the server according to the operating information, and use the security auditing information as the server information.
25. The PCIE card of claim 23, wherein the identity is a factory-set chip ID of the blockchain chip, and the storage module further stores a public-private key pair corresponding to the chip ID for the blockchain network.
26. The PCIE card of claim 23, wherein a first agent is embedded in the operating system OS of the server, the information obtaining module is further configured to:
and acquiring the in-band information of the server sent by the first agent through a PCIE bus.
27. The PCIE card of claim 23, wherein the PCIE card is a PCIE network card, the PCIE network card further comprises a main control chip, and the main control chip is connected to the blockchain chip through a switch chip.
28. The PCIE card of claim 27, wherein a baseboard management controller BMC is further disposed on the server, the PCIE network card is provided with a dedicated network port supporting an NCSI protocol, and the information acquisition module is further configured to:
and acquiring the out-of-band information of the server sent by the BMC through the special network port.
29. The PCIE card of claim 27, wherein the information obtaining module is further configured to:
and acquiring, through a serial port or Serial over LAN (SOL) redirection, intermediate information of the server after the server is started and before the server OS is started.
30. The PCIE card of claim 27, wherein the information obtaining module is further configured to:
and acquiring the network communication information of the server through a standard network port on the PCIE network card.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111479501.9A CN114780327A (en) | 2021-12-06 | 2021-12-06 | Server monitoring method, asset management method and PCIE card |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111479501.9A CN114780327A (en) | 2021-12-06 | 2021-12-06 | Server monitoring method, asset management method and PCIE card |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114780327A true CN114780327A (en) | 2022-07-22 |
Family
ID=82423434
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111479501.9A Pending CN114780327A (en) | 2021-12-06 | 2021-12-06 | Server monitoring method, asset management method and PCIE card |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114780327A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101540694A (en) * | 2008-03-17 | 2009-09-23 | 联想(北京)有限公司 | Method for monitoring server and server adopting same |
CN104363117A (en) * | 2014-11-04 | 2015-02-18 | 浪潮电子信息产业股份有限公司 | Method for realizing serial port redirection based on IPMI |
CN110084069A (en) * | 2019-04-17 | 2019-08-02 | 江苏全链通信息科技有限公司 | Server log monitoring method and system based on block chain |
CN110198347A (en) * | 2019-05-21 | 2019-09-03 | 深圳前海微众银行股份有限公司 | A kind of method for early warning and sub-control server based on block chain |
CN111738859A (en) * | 2020-07-08 | 2020-10-02 | 支付宝(杭州)信息技术有限公司 | Block chain all-in-one machine and block chain network |
CN112751729A (en) * | 2020-12-30 | 2021-05-04 | 平安证券股份有限公司 | Log monitoring method, device, medium and electronic equipment |
Legal events: 2021-12-06, CN, application CN202111479501.9A (publication CN114780327A), status Pending.
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115865522A (en) * | 2023-02-10 | 2023-03-28 | 中航金网(北京)电子商务有限公司 | Information transmission control method and device, electronic equipment and storage medium |
CN115865522B (en) * | 2023-02-10 | 2023-06-02 | 中航金网(北京)电子商务有限公司 | Information transmission control method and device, electronic equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5551130B2 (en) | | Encapsulation of reliable platform module functions by TCPA inside server management coprocessor subsystem |
US11861372B2 (en) | | Integrity manifest certificate |
US7900058B2 (en) | | Methods and arrangements for remote communications with a trusted platform module |
CN111868689A (en) | | Run-time self-correction of blockchain ledger |
TWI524204B (en) | | A method, apparatus, and system for manageability and secure routing and endpoint access |
CN103747036B (en) | | Trusted security enhancement method in desktop virtualization environment |
CN111490981B (en) | | Access management method and device, bastion machine and readable storage medium |
US20020120575A1 (en) | | Method of and apparatus for ascertaining the status of a data processing environment |
US20100325719A1 (en) | | System and Method for Redundancy in a Communication Network |
KR20080014878A (en) | | Protected clock management based upon a non-trusted persistent time source |
WO2005071558A1 (en) | | Remote access system, gateway, client device, program, and storage medium |
US20240104213A1 (en) | | Securing node groups |
US11165766B2 (en) | | Implementing authentication protocol for merging multiple server nodes with trusted platform modules utilizing provisioned node certificates to support concurrent node add and remove |
CN111125707A (en) | | BMC (baseboard management controller) safe starting method, system and equipment based on trusted password module |
GB2377137A (en) | | Networked storage device provided with a trusted device for indicating the integrity and/or identity of the storage device |
CN114780327A (en) | | Server monitoring method, asset management method and PCIE card |
CN115883170A (en) | | Network flow data monitoring and analyzing method and device, electronic equipment and storage medium |
CN115001766A (en) | | Efficient multi-node batch remote certification method |
US11683172B2 (en) | | Distributed secure communication system |
US11290471B2 (en) | | Cross-attestation of electronic devices |
US20240080330A1 (en) | | Security monitoring apparatus, security monitoring method, and computer readable medium |
CN101122988B (en) | | Safe treatment method of network tax-control system |
CN114189515B (en) | | SGX-based server cluster log acquisition method and device |
CN112311768B (en) | | Policy center, control system, method, medium, and device for non-http protocol application |
CN108429727B (en) | | Method for secure exchange of discovery link information |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||