CN111404889B - Audit method and device and client - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The embodiment of the invention relates to the technical field of computers and discloses an auditing method, an auditing device and a client. The auditing method comprises the steps of receiving interactive data input by a user, and judging whether the interactive data is a command ending symbol or not; if the interactive data is not the command ending symbol, transmitting the interactive data to a server; if the interaction data is a command ending symbol, obtaining an operation command according to the received interaction data; judging whether the operation command is matched with a preset dangerous command condition or not; if the operation command is matched with the dangerous command condition, an interrupt command for blocking the execution of the operation command is sent to the server so as to block the execution of the operation command by the server. According to the invention, the operation command input by the user can be audited in real time, blocking is completed before the server executes the operation command with risk, accidents can be prevented in advance, and the safety of data on the server is ensured.
Description
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to an auditing method, an auditing device and a client.
Background
Computer network security audit refers to the process of checking, examining and verifying the environment and activities of operation events, using information such as records, system activities and user activities, according to a certain security policy, so as to discover system vulnerabilities or intrusion behaviors or to improve system performance. In the prior art, for large Internet enterprises the data stored on servers and operating systems is increasingly important, and human misoperation of computers is one of the main causes of production accidents; the existing way of auditing and tracing production accidents is generally post-hoc audit, through which the source of the problem is found only afterwards.
The inventor finds that at least the following problems exist in the prior art: the existing audit mode cannot prevent accidents in time, and by the time the fault source is found, equipment has already been damaged or lost catastrophically, causing irrecoverable loss.
Disclosure of Invention
The embodiment of the invention aims to provide an auditing method, an auditing device and a client, which can audit an operation command input by a user in real time, complete blocking before a server executes the operation command with risk, prevent accidents in advance and ensure the safety of data on the server.
In order to solve the technical problems, the embodiment of the invention provides an auditing method which is applied to a client, and comprises the following steps: receiving interaction data input by a user, and judging whether the interaction data is a command ending symbol or not; if the interactive data is not the command ending symbol, transmitting the interactive data to a server; if the interaction data is a command ending symbol, obtaining an operation command according to the received interaction data; judging whether the operation command is matched with a preset dangerous command condition or not; if the operation command is matched with the dangerous command condition, an interrupt command for blocking the execution of the operation command is sent to the server so as to block the execution of the operation command by the server.
The embodiment of the invention also provides an auditing device, which comprises: the command acquisition module is used for receiving the interactive data input by the user and sending the interactive data to the server when the interactive data is not a command ending symbol; the command acquisition module is also used for acquiring an operation command according to the received interaction data when the interaction data is a command ending symbol; the auditing module is used for judging whether the operation command is matched with a preset dangerous command condition; and the sending module is used for sending an interrupt command for blocking the execution of the operation command to the server when the operation command is matched with the dangerous command condition so as to block the execution of the operation command by the server.
The embodiment of the invention also provides a client, which comprises: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the auditing method described above.
Compared with the prior art, the embodiment of the invention is characterized in that the client is modified: when the client receives interaction data input by the user, it first judges whether the interaction data is a command ending symbol, and if not, sends the interaction data to the server; if the interaction data is a command ending symbol, an operation command is obtained from the received interaction data and it is judged whether the operation command matches a preset dangerous command condition, that is, the operation command is audited for risk. When the operation command is judged to match the preset dangerous command condition, the audit indicates that the operation command carries risk and must not be executed by the server, so an interrupt command for blocking the execution of the operation command is sent to the server, and the server's execution of the operation command is blocked. The method can audit the operation command input by the user in real time and complete the blocking before the server executes a risky operation command, so accidents are prevented in advance and the safety of the data on the server is ensured. Meanwhile, the auditing process is imperceptible to the user, the interaction data input by the user is not modified, and the interactive operation between the client and the server is not affected.
In addition, the dangerous command condition comprises at least one regular expression; judging whether the operation command is matched with a preset dangerous command condition or not comprises the following steps: judging whether the operation command is matched with any regular expression; if the operation command is matched with any regular expression, judging that the operation command is matched with the dangerous command condition. The present embodiment provides an embodiment for determining whether the operation command matches a preset dangerous command condition.
In addition, the dangerous command condition also comprises target objects which are in one-to-one correspondence with the regular expressions; after determining that the operation command matches any regular expression, further comprising: judging whether the client is matched with a target object corresponding to any regular expression; and if the client is matched with the target object corresponding to any regular expression, judging that the operation command is matched with the dangerous command condition. In the embodiment, real-time audit of target objects with different granularities is realized.
In addition, after receiving the interactive data input by the user, the method further comprises the following steps: judging whether the received interaction data is command data or not; if the interactive data is command data, the method proceeds to a step of judging whether the interactive data is a command ending symbol. In this embodiment, a large amount of interactive process data belonging to non-command data may be excluded, and only the operation command composed of the interactive data belonging to the command data may be determined.
In addition, before the interactive data is sent to the server, the method further comprises: judging whether the command data is a command character or not; if the command data is a command character, setting a state flag bit corresponding to the command data; after transmitting the interaction data to the server, further comprising: receiving return data corresponding to command data returned by the server; obtaining an operation command according to the received interaction data, including: and obtaining the operation command according to the interaction data, the state flag bit corresponding to each command data and the return data corresponding to each command data. In this embodiment, the interactive data can be complemented by combining the return data of the server to obtain the operation command.
In addition, before the interactive data is sent to the server, the method further comprises: recording cursor information corresponding to the interactive data; obtaining an operation command according to the received interaction data, including: obtaining the operation command according to the received interaction data and the cursor information corresponding to each interaction data. In this embodiment, the cursor information of each unit of interactive data is recorded so that the client can simulate the position of the cursor; when the operation command is assembled, the position of each unit of interactive data is taken into account, so that even when the user moves the cursor while typing, the position of every unit of interactive data is known accurately and the correct operation command is obtained.
In addition, after determining that the operation command matches the dangerous command condition, further comprising: judging whether the client is in a monitoring mode or not; if the client is in the monitoring mode, sending a command ending symbol to the server; if the client is in the non-monitoring mode, the method enters a step of sending an interrupt command for blocking the execution of the operation command to the server. In this embodiment, the monitoring mode is preset in the client, so that the dangerous command condition is adjusted manually through the judgment result of the operation command in the monitoring mode, and error blocking is avoided to a certain extent.
In addition, the method further comprises: forming a command log corresponding to the operation command according to a preset format; and the command log is stored locally. In the embodiment, the operation command received by the client is recorded in real time, so that the operation command received by the client can be conveniently backtracked and audited.
In addition, before the command log is stored locally, the method further comprises: judging whether a key file exists in the client; if the key file exists in the client, encrypting the command log according to the key file; storing the command log locally, including: and locally storing the encrypted command log. In this embodiment, the command log can be stored according to the key file in the client, so that the security of the content of the command log is improved.
Drawings
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements, and in which the figures of the drawings are not to be taken in a limiting sense, unless otherwise indicated.
FIG. 1 is a detailed flow chart of an auditing method according to a first embodiment of the present invention;
FIG. 2 is a detailed flow chart of an auditing method according to a second embodiment of the present invention;
FIG. 3 is a detailed flow chart of an auditing method according to a third embodiment of the present invention;
FIG. 4 is a detailed flow chart of an auditing method according to a fourth embodiment of the present invention;
FIG. 5 is a detailed flow chart of an auditing method according to a fifth embodiment of the present invention;
FIG. 6 is a detailed flow chart of an auditing method according to a sixth embodiment of the present invention;
FIG. 7 is a block schematic diagram of an auditing apparatus according to a seventh embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the following detailed description of the embodiments of the present invention will be given with reference to the accompanying drawings. However, those of ordinary skill in the art will understand that in various embodiments of the present invention, numerous technical details have been set forth in order to provide a better understanding of the present application. However, the technical solutions claimed in the present application can be implemented without these technical details and with various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not be construed as limiting the specific implementation of the present invention, and the embodiments can be mutually combined and referred to without contradiction.
The first embodiment of the invention relates to an auditing method which is applied to a client, wherein the client can be an SSH client which is in communication connection with a remote server, and a user can control the remote server through the SSH client to interact commands and data with the remote server.
A specific flow of the auditing method of this embodiment is shown in fig. 1.
Step 101, receiving interaction data input by a user, and judging whether the interaction data is a command ending symbol. If not, go to step 102; if yes, go to step 103.
Specifically, the user inputs interaction data through external equipment connected to the client, such as a mouse or keyboard. The interaction data include command data, non-command data and the like. The client traverses the interaction data input by the user and, on receiving each unit of interaction data, judges whether it is a command ending symbol. If the current interaction data is not the command ending symbol, the user is still inputting, and step 102 is entered; if it is the command ending symbol, the user's input is complete, and step 103 is entered. The command ending symbol is, for example, ASCII code 13 (carriage return).
Step 102, transmitting the interaction data to the server.
Step 103, obtaining an operation command according to the received interaction data.
Specifically, for a complete operation command, the operation command includes a plurality of characters, and the client may buffer the received interaction data, and assemble an operation command according to the plurality of interaction data between the buffered last command ending symbol and the current command ending symbol.
Step 104, judging whether the operation command is matched with a preset dangerous command condition. If yes, go to step 105; if not, go to step 102.
Specifically, judging whether the assembled operation command matches the preset dangerous command condition means auditing the operation command. When the operation command is judged to match the preset dangerous command condition, the audit indicates that the operation command carries risk, and step 105 is entered. When the operation command is judged not to match the preset dangerous command condition, the audit indicates no risk, and step 102 is entered to send the interaction data, that is, the command ending symbol, to the server; when the server receives the command ending symbol it can likewise assemble and execute the operation command. As long as the server has not received the command ending symbol, it does not execute the operation command.
Step 105, sending an interrupt command for blocking the execution of the operation command to the server.
Specifically, when the client determines that the operation command input by the user carries risk, it sends an interrupt command for blocking the execution of the operation command to the server (i.e., the remote server), and the server does not execute the operation command after receiving the interrupt command. In addition, on receiving the interrupt command the server may also clear the interaction data it has already received that would have made up the operation command.
The following description will take an example in which the operation command X includes four command data of ABCD.
The client receives the four command data A, B, C and D, which the user inputs in sequence, and analyzes each of them; when the analysis of a unit of interaction data is normal, the client sends it to the server. At this point all four units of interaction data, A, B, C and D, have been sent to the server, but the server has not received a command ending symbol, so the operation command X is not executed. When the client receives the command ending symbol input by the user, it assembles the four units of interaction data A, B, C and D into the operation command X and judges whether X matches the preset dangerous command condition, that is, audits whether X carries risk. When X is judged not to match the preset dangerous command condition, the audit finds no risk, and the command ending symbol is sent to the server, so that the server assembles A, B, C and D into the operation command X and executes it. When X is judged to match the preset dangerous command condition, the audit finds risk, an interrupt command is sent to the server, and the server clears the four units of interaction data A, B, C and D, so that the operation command X cannot be executed.
Compared with the prior art, in this embodiment the client is modified: when the client receives interaction data input by the user, it first judges whether the interaction data is a command ending symbol, and if not, sends the interaction data to the server; if the interaction data is a command ending symbol, an operation command is obtained from the received interaction data and it is judged whether the operation command matches a preset dangerous command condition, that is, the operation command is audited for risk. When the operation command is judged to match the preset dangerous command condition, the audit indicates that the operation command carries risk and must not be executed by the server, so an interrupt command for blocking the execution of the operation command is sent to the server, and the server's execution of the operation command is blocked. The method can audit the operation command input by the user in real time and complete the blocking before the server executes a risky operation command, so accidents are prevented in advance and the safety of the data on the server is ensured. Meanwhile, the auditing process is imperceptible to the user, the interaction data input by the user is not modified, and the interactive operation between the client and the server is not affected.
A second embodiment of the invention is directed to an auditing method. The second embodiment is substantially the same as the first embodiment, and differs mainly in that: in a second embodiment of the present invention, a specific implementation of determining whether an operation command matches a preset dangerous command condition is provided.
In this embodiment, the dangerous command condition includes at least one regular expression. Specifically, a rule base is set in the client, and at least one regular expression is preset in the rule base.
In one example, the dangerous command condition further includes a target object in one-to-one correspondence with each regular expression. Specifically, each regular expression has a configuration item, and the configuration item is used for storing information of a target object corresponding to the regular expression, wherein the target object can be a user, a server and the like, and the information of the target object can be type information, address information and the like. At this time, the client can set to audit specific users or specific servers when conducting audit, so that real-time audit of target objects with different granularities is realized.
A specific flow of the auditing method of this embodiment is shown in fig. 2.
Step 201 to step 203 are substantially the same as step 101 to step 103, step 205 is substantially the same as step 105, and will not be described herein, wherein the main difference is that step 204 comprises the following sub-steps:
Sub-step 2041, judging whether the operation command matches any regular expression. If yes, go to sub-step 2042; if not, go to step 202.
Specifically, a plurality of regular expressions are generally preset in the rule base. After an operation command is obtained, the client audits it by judging whether any regular expression in the rule base matches the operation command; if yes, sub-step 2042 is entered. If no regular expression matches, the operation command is judged not to be risky, and step 202 is entered to send the interaction data, that is, the command ending symbol, to the server; when the server receives the command ending symbol, it can likewise assemble and execute the operation command.
In one example, before sub-step 2041 judges whether the operation command matches any regular expression, a check of whether the rule file has been updated may be added, so that when the rule file is updated, the new regular expressions are loaded into the rule base.
Sub-step 2042, judging whether the client matches the target object corresponding to that regular expression. If yes, go to step 205; if not, go to step 202.
Specifically, for the regular expression matched by the operation command, the client reads the configuration item of that regular expression to obtain the corresponding target object. Taking type information as the target object as an example: if the client's type is included in the type information, the client is judged to match the target object corresponding to the regular expression, the audit finds the operation command risky, and step 205 is entered to send an interrupt command for blocking the execution of the operation command to the server, thereby blocking the server's execution of the operation command. Otherwise, the client is judged not to match the target object corresponding to the regular expression, the audit finds no risk, and step 202 is entered to send the interaction data, that is, the command ending symbol, to the server; when the server receives the command ending symbol, it can likewise assemble and execute the operation command.
In this embodiment, compared to the first embodiment, a specific implementation manner of determining whether the operation command matches the preset dangerous command condition is provided.
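The client/server exchange of the first and second embodiments (buffering until the command ending symbol, regular-expression rules with per-rule target objects, interrupt before execution), plus the monitoring mode described in the summary, as an added Python example that is not the patent's own code. The rule base, the client types, the use of ASCII ETX (Ctrl-C) as the interrupt command and the FakeServer are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

CMD_END = "\r"      # command ending symbol: ASCII 13, as in the description
INTERRUPT = "\x03"  # constructed stand-in for the "interrupt command" (ASCII ETX)


@dataclass
class DangerRule:
    """One entry of the rule base: a regular expression plus its configuration
    item naming the target objects (client types) it applies to; empty = all."""
    pattern: str
    targets: frozenset = frozenset()


# Constructed rule base for the demo; a real client would load it from a rule file.
RULES = [
    DangerRule(r"^\s*rm\s+-rf\s+/\s*$"),                           # every client type
    DangerRule(r"^\s*(reboot|shutdown)\b", frozenset({"prod"})),   # production clients only
]


@dataclass
class FakeServer:
    """Stand-in for the remote server: buffers interaction data and executes
    (here: records) the assembled command only when the terminator arrives."""
    buffer: str = ""
    executed: list = field(default_factory=list)

    def receive(self, data: str) -> None:
        if data == INTERRUPT:
            self.buffer = ""                  # clear the partial command (step 105)
        elif data == CMD_END:
            if self.buffer:
                self.executed.append(self.buffer)
            self.buffer = ""
        else:
            self.buffer += data


class AuditingClient:
    """Client side of the described flow (steps 101-105, sub-steps 2041/2042)."""

    def __init__(self, server, rules, client_type, monitoring=False):
        self.server = server
        self.rules = [(re.compile(r.pattern), r.targets) for r in rules]
        self.client_type = client_type
        self.monitoring = monitoring   # monitoring mode: flag matches, do not block
        self.buffer = ""               # interaction data since the last terminator
        self.flagged = []              # commands that matched the dangerous condition

    def matches_danger(self, command: str) -> bool:
        # sub-step 2041: any regex matches; sub-step 2042: this client is a target
        for regex, targets in self.rules:
            if regex.search(command) and (not targets or self.client_type in targets):
                return True
        return False

    def on_input(self, data: str) -> str:
        """Handle one unit of interaction data; returns what was sent to the server."""
        if data != CMD_END:                   # step 102: still typing, forward it
            self.buffer += data
            self.server.receive(data)
            return data
        command, self.buffer = self.buffer, ""  # step 103: assemble the command
        if self.matches_danger(command):      # step 104: audit
            self.flagged.append(command)
            if not self.monitoring:           # step 105: block before execution
                self.server.receive(INTERRUPT)
                return INTERRUPT
        self.server.receive(CMD_END)          # audited clean: let the server run it
        return CMD_END


def run_session(lines, rules=RULES, client_type="prod", monitoring=False):
    """Type each line followed by the terminator; return (executed, flagged)."""
    server = FakeServer()
    client = AuditingClient(server, rules, client_type, monitoring)
    for line in lines:
        for ch in line + CMD_END:
            client.on_input(ch)
    return server.executed, client.flagged
```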
A third embodiment of the invention is directed to an auditing method. The third embodiment is substantially the same as the first embodiment, and differs mainly in that: in the third embodiment of the present invention, non-command data having a large data processing amount in interactive data can be excluded.
A specific flow of the auditing method of this embodiment is shown in fig. 3.
Step 308 and step 309 are substantially the same as step 104 and step 105 and are not described again here. The main differences are as follows:
Step 301, judging whether the received interaction data is command data. If yes, go to step 302; if not, the non-command data is ignored.
Specifically, the user inputs interaction data through external equipment connected to the client, such as a mouse or keyboard. The interaction data include command data and non-command data. The client traverses the interaction data input by the user and, on receiving each unit of interaction data, judges whether it is command data. If it is command data, step 302 is entered to judge whether the interaction data is a command ending symbol, that is, whether the user has finished inputting a command. If it is non-command data, the currently input non-command data is ignored and a state flag bit for that non-command data is set until the non-command data has been processed. For example, if the non-command data contains the character string -INSERT-, this indicates that a VI/VIM editing state is currently active: a state flag bit representing the editing state is set, and it is cleared when the editing state is exited. For another example, if the interaction data indicates that a file is currently being transmitted with RZ, a state flag bit representing the file transfer state is set, and it is cleared when the transfer finishes; the end of the file transfer is indicated when the data returned by the server contains a key character string marking the end of transmission.
Specifically, it is determined whether the command data input by the user is a command ending symbol, if not, it is determined that the user is still inputting interactive data, and the process proceeds to step 303; if yes, the step 306 is entered after the user input is completed.
Specifically, the command data includes single characters, such as a, b, c, and command characters, which may be a tab character, an up character string, a down character string, and so on. If the command data is determined to be a command character, step 304 is entered; if it is determined not to be a command character, step 305 is entered to send the interaction data to the server.
Specifically, different command characters correspond to different state flag bits. For example, the tab character corresponds to the state flag bit for acquiring a completion command, and the up and down character strings correspond to the state flag bit for acquiring a history command. When the tab character is sent to the server, the acquired return data includes the completion command corresponding to the command the user is currently inputting; when the up or down character string is sent to the server, the acquired return data includes the last history command input by the user.
If the command data input by the user is a single character, the interaction data still needs to be sent to the server, but the server does not return corresponding return data.
Specifically, taking as an example a complete operation command config to be input by the user: the user sequentially inputs the four single characters c, o, n, f and then presses the tab key. At this point the client sets the current state bit to the state flag bit for acquiring a completion command and then sends the tab key character to the server; the return data returned by the server includes the completion command config, and the client automatically completes the operation command config currently being input by the user according to that return data.
Compared with the first embodiment, the present embodiment can exclude from the interaction data the non-command data, which accounts for a large amount of data processing, that is, exclude the large volume of interaction process data belonging to non-command data, and determine the operation command only from the interaction data belonging to command data.
A fourth embodiment of the invention is directed to an auditing method. The fourth embodiment is substantially the same as the first embodiment, and differs mainly in that: in a fourth embodiment of the present invention, cursor information of interactive data is recorded.
The specific flow of the auditing method of this embodiment is shown in fig. 4.
Steps 404 and 405 are substantially the same as steps 104 and 105 and are not described here; the main differences are as follows:
Step 402: record the cursor information corresponding to the interaction data, and send the interaction data to the server.
Specifically, when the interaction data input by the user moves the cursor, such as a backspace character, a delete character, or a left or right movement character, the current cursor information is recorded according to the cursor's movement; the cursor information is a cursor value that simulates the position of the cursor. If the user inputs the interrupt character, the command cache is emptied and the cursor value is reset to 0; otherwise, if the user inputs an ordinary single character, the cursor information is updated.
Specifically, according to the cursor information recorded for each item of interaction data input by the user, the items of interaction data are spliced together to obtain a temporary command, and when the command ending character input by the user is received, the current temporary command is the operation command.
Compared with the first embodiment, the present embodiment records the cursor information of the interaction data. Because the cursor information simulates the position of the cursor, the position of each item of interaction data can be taken into account when acquiring the operation command, so that even when the user moves the cursor while inputting, the position of each item of interaction data is known accurately and the accurate operation command is acquired.
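As an added example that is not code from the patent, the following Python sketch shows how the interaction data of the third and fourth embodiments could be spliced into an operation command: plain single characters are inserted at a simulated cursor value, backspace and left/right movement edit that position, the interrupt character empties the command cache, and Tab or Up/Down set a state flag bit that is consumed when the server's return data arrives. The key encodings are assumptions; the patent names only the roles of the characters.

```python
"""Client-side reconstruction of an operation command from keystrokes.

Added example, not code from the patent. Interaction data is split into
command characters and plain single characters, a simulated cursor value
keeps backspace and cursor movement editing the right position, and the
server's return data is applied according to the pending state flag bit.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed key encodings (xterm style); the patent names the keys only as
# "tab character", "up/down character string", "backspace character",
# "left and right moving characters" and "interrupt character".
TAB, ENTER, INTERRUPT, BACKSPACE = "\t", "\r", "\x03", "\x7f"
LEFT, RIGHT, UP, DOWN = "\x1b[D", "\x1b[C", "\x1b[A", "\x1b[B"
COMMAND_CHARACTERS = {TAB, INTERRUPT, BACKSPACE, LEFT, RIGHT, UP, DOWN}


@dataclass
class CommandBuffer:
    """Temporary command being spliced together, plus the simulated cursor."""
    chars: List[str] = field(default_factory=list)
    cursor: int = 0
    state_flag: Optional[str] = None  # "complete" or "history" while pending

    def feed(self, key: str) -> Optional[str]:
        """Apply one item of interaction data; return the operation command
        when the command ending symbol (Enter) arrives, otherwise None."""
        if key == ENTER:
            command = "".join(self.chars).strip()
            self.chars, self.cursor, self.state_flag = [], 0, None
            return command
        if key == INTERRUPT:            # empty the command cache, cursor -> 0
            self.chars, self.cursor, self.state_flag = [], 0, None
        elif key == BACKSPACE:          # delete the character left of the cursor
            if self.cursor > 0:
                del self.chars[self.cursor - 1]
                self.cursor -= 1
        elif key == LEFT:
            self.cursor = max(0, self.cursor - 1)
        elif key == RIGHT:
            self.cursor = min(len(self.chars), self.cursor + 1)
        elif key in (TAB, UP, DOWN):    # set the state flag bit, await return data
            self.state_flag = "complete" if key == TAB else "history"
        else:                           # plain single character: insert at cursor
            self.chars.insert(self.cursor, key)
            self.cursor += 1
        return None

    def apply_return(self, return_data: str) -> None:
        """Use the server's return data according to the pending state flag.
        Assumption: for both completion and history the return data carries
        the whole command line the server now shows. Plain single characters
        produce no return data, so nothing happens without a pending flag."""
        if self.state_flag is None or not return_data:
            return
        self.chars = list(return_data)
        self.cursor = len(self.chars)
        self.state_flag = None


def reconstruct(events: List[Tuple[str, str]]) -> List[str]:
    """Replay (key, return_data) pairs and collect every completed command."""
    buf, commands = CommandBuffer(), []
    for key, return_data in events:
        done = buf.feed(key)
        if done is not None:
            commands.append(done)
        buf.apply_return(return_data)
    return commands


def naive_concat(events: List[Tuple[str, str]]) -> str:
    """What plain appending of printable keys would yield, for comparison."""
    return "".join(k for k, _ in events if k not in COMMAND_CHARACTERS and k != ENTER)


def keys(text: str) -> List[Tuple[str, str]]:
    """Turn a literal string into single-character events with no return data."""
    return [(c, "") for c in text]
```

With the constructed keystroke sequence "rm file", four Left presses, "-f " and Enter, `reconstruct` yields "rm -f file" while `naive_concat` yields "rm file-f ", which is the inaccuracy the cursor value is meant to remove.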
A fifth embodiment of the invention is directed to an auditing method. The fifth embodiment is substantially the same as the first embodiment, and differs mainly in that: in a fifth embodiment of the present invention, a monitoring mode is added to the client.
A specific flow of the auditing method of this embodiment is shown in fig. 5.
Steps 501 to 503 are substantially the same as steps 101 to 103 and are not described here; the main differences are as follows:
Specifically, the client may preset a monitoring mode that lasts for a certain period of time in the initial stage of operation. In the monitoring mode, if the client judges that the operation command matches the preset dangerous command condition, it still sends the command ending symbol to the server, so that the operation command is recorded at that moment and whether it is at risk is judged manually. If the operation command is manually determined to be at risk, the dangerous command condition need not be modified, and execution of the operation command is automatically blocked once the monitoring mode ends; if the operation command is manually determined to be free of risk, it can be manually removed from the dangerous command condition.
In this embodiment, the monitoring mode is preset in the client, so that the dangerous command condition can be adjusted manually according to the judgment results for operation commands in the monitoring mode, which avoids erroneous blocking to a certain extent.
A sixth embodiment of the invention is directed to an auditing method. The sixth embodiment is substantially the same as the first embodiment, and differs mainly in that: in a sixth embodiment of the present invention, an operation command received by a client is recorded in real time.
A specific flow of the auditing method of this embodiment is shown in fig. 6.
Steps 601 to 603 are substantially the same as steps 101 to 103, and steps 608 and 609 are substantially the same as steps 104 and 105; the main differences are as follows:
In one example, after step 604, further comprising:
Specifically, after the client acquires the complete operation command, a command log is generated. The command log may be in JSON format and includes: the client name, the user name, the server name, the SSH source, the server IP, and the operation command.
Then it is judged whether a key file exists in the client. If so, the key in the key file is read, the command log is encrypted with the key, and the encrypted command log is stored locally; if not, the command log file is stored locally directly.
Compared with the first embodiment, the operation command received by the client is recorded in real time, so that the operation commands received by the client can conveniently be audited retrospectively.
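As an added example (not the patent's code) covering the dangerous command judgement of claim 1, the monitoring mode of the fifth embodiment and the command log of the sixth, the following Python sketch matches an operation command against regular expressions paired with target objects, decides whether the client sends the interrupt command or the command ending symbol, and serialises the JSON log. The form of a target object, the byte values of the two control sequences, the sample patterns and the encryption function are assumptions.

```python
"""Dangerous command judgement, monitoring mode and command logging.

Added example, not code from the patent. It models the judgement of claim 1
(each regular expression paired with a target object the client must match),
the monitoring mode of the fifth embodiment and the JSON command log of the
sixth. Assumptions: a target object is a tuple of (session field, value)
pairs; the interrupt command and command ending symbol are Ctrl-C and CR;
the cipher for the key-file branch is supplied by the caller.
"""
import json
import re
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List, Optional, Tuple

COMMAND_END = "\r"          # assumed command ending symbol
INTERRUPT_COMMAND = "\x03"  # assumed interrupt command that blocks execution


@dataclass(frozen=True)
class Session:
    """The fields the patent lists for the command log, plus the client mode."""
    client_name: str
    user_name: str
    server_name: str
    ssh_source: str
    server_ip: str
    monitoring: bool = False    # fifth embodiment: monitoring mode active?


@dataclass(frozen=True)
class DangerousCondition:
    pattern: str                           # regex matched against the command
    target: Tuple[Tuple[str, str], ...]    # target object; () applies to any client


def matching_condition(command: str, session: Session,
                       conditions: List[DangerousCondition]) -> Optional[DangerousCondition]:
    """Return the first condition whose regex matches the command and whose
    target object matches this client's session, or None."""
    attrs = asdict(session)
    for cond in conditions:
        if re.search(cond.pattern, command) is None:
            continue
        if all(attrs.get(name) == value for name, value in cond.target):
            return cond
    return None


def audit(command: str, session: Session,
          conditions: List[DangerousCondition]) -> Tuple[str, Dict[str, str]]:
    """Decide what the client sends to the server and build the log entry.

    A matching command is released with the command ending symbol while
    monitoring mode is on, so it is recorded for manual review instead of
    being blocked; otherwise the interrupt command is sent.
    """
    log = {
        "client_name": session.client_name,
        "user_name": session.user_name,
        "server_name": session.server_name,
        "ssh_source": session.ssh_source,
        "server_ip": session.server_ip,
        "operation_command": command,
    }
    cond = matching_condition(command, session, conditions)
    if cond is None:
        log["verdict"] = "allowed"
        return COMMAND_END, log
    log["matched_pattern"] = cond.pattern
    if session.monitoring:
        log["verdict"] = "monitored"
        return COMMAND_END, log
    log["verdict"] = "blocked"
    return INTERRUPT_COMMAND, log


def serialize_log(log: Dict[str, str],
                  encrypt: Optional[Callable[[bytes], bytes]] = None) -> bytes:
    """One JSON log line; encrypted only when a key (file) is present."""
    line = json.dumps(log, sort_keys=True).encode("utf-8") + b"\n"
    return encrypt(line) if encrypt is not None else line


# Constructed dangerous command condition (illustrative patterns only).
CONDITIONS = [
    DangerousCondition(r"^\s*rm\s+-rf\s+/(\s|$)", ()),
    DangerousCondition(r"^\s*(shutdown|reboot)\b", (("server_name", "prod-db"),)),
]
```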
The above steps of the methods are divided for clarity of description; when implemented they may be combined into one step or split into multiple steps, so long as the same logical relationship is kept, and all such variants fall within the protection scope of this patent. Adding insignificant modifications to the algorithm or flow, or introducing insignificant designs, without altering the core design of the algorithm and flow, also falls within the scope of this patent.
The seventh embodiment of the invention relates to an auditing device applied to a client. The client may be an SSH client communicatively connected to a remote server, through which the user controls the remote server and exchanges commands and data with it. Referring to fig. 7, the auditing apparatus includes:
The command acquisition module 1 is configured to receive the interaction data input by the user and to send the interaction data to the server when the interaction data is not a command ending symbol.
The command acquisition module 1 is further configured to obtain an operation command according to the received interaction data when the interaction data is a command ending symbol.
The auditing module 2 is configured to judge whether the operation command matches a preset dangerous command condition.
The sending module 3 is configured to send an interrupt command for blocking execution of the operation command to the server when the operation command matches the dangerous command condition, so as to block the server from executing the operation command.
Since the first to sixth embodiments correspond to the present embodiment, the present embodiment can be implemented in cooperation with the first to sixth embodiments. The relevant technical details mentioned in the first to sixth embodiments are still valid in the present embodiment, and the technical effects achieved in the first to sixth embodiments may be achieved in the present embodiment as well, and in order to reduce repetition, a detailed description is omitted here. Accordingly, the related-art details mentioned in the present embodiment can also be applied to the first to sixth embodiments.
An eighth embodiment of the present invention relates to a client, which may be an SSH client, and is communicatively connected to a remote server, and a user may control the remote server through the SSH client, and perform command and data interaction with the remote server.
The client comprises: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the auditing method of any of the first to sixth embodiments.
Where the memory and the processor are connected by a bus, the bus may comprise any number of interconnected buses and bridges, the buses connecting the various circuits of the one or more processors and the memory together. The bus may also connect various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or may be a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor is transmitted over the wireless medium via the antenna, which further receives the data and transmits the data to the processor.
The processor is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. And memory may be used to store data used by the processor in performing operations.
A ninth embodiment of the present invention relates to a computer-readable storage medium storing a computer program. The computer program implements the above-described method embodiments when executed by a processor.
That is, it will be understood by those skilled in the art that all or part of the steps in implementing the methods of the embodiments described above may be implemented by a program stored in a storage medium, where the program includes several instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps in the methods of the embodiments described herein. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples of carrying out the invention and that various changes in form and details may be made therein without departing from the spirit and scope of the invention.
Claims (7)
1. An auditing method, characterized by being applied to a client, the method comprising:
receiving interaction data input by a user, and judging whether the interaction data is a command ending symbol or not;
if the interactive data is not the command ending symbol, sending the interactive data to a server; if the interactive data is a command ending symbol, obtaining an operation command according to the received interactive data;
judging whether the operation command is matched with a preset dangerous command condition or not;
if the operation command is matched with the dangerous command condition, sending an interrupt command for blocking the execution of the operation command to the server so as to block the execution of the operation command by the server;
the dangerous command condition comprises at least one regular expression and target objects corresponding to the regular expressions one by one; the judging whether the operation command is matched with a preset dangerous command condition or not comprises the following steps: judging whether the operation command is matched with any regular expression;
if the operation command is matched with any regular expression, judging whether the client is matched with a target object corresponding to any regular expression;
if the client is matched with a target object corresponding to any regular expression, judging that the operation command is matched with the dangerous command condition;
wherein after receiving the interactive data input by the user, the method further comprises the following steps: judging whether the received interaction data is command data or not; if the interactive data is command data, entering the step of judging whether the interactive data is a command ending symbol;
wherein before the interactive data is sent to the server, the method further comprises: judging whether the command data is a command character or not; if the command data are command characters, setting a state flag bit corresponding to the command data; if the command data is not a command character, the interactive data is sent to a server;
after the interactive data is sent to the server, the method further comprises: receiving return data corresponding to the command data returned by the server; if the command data is not a command character, the server does not provide the return data;
and obtaining an operation command according to the received interaction data, wherein the operation command comprises the following steps: and obtaining the operation command according to the interaction data, the status flag bits corresponding to the command data and the return data corresponding to the command data.
2. The auditing method of claim 1, further comprising, prior to the sending the interaction data to a server:
recording cursor information corresponding to the interaction data;
and obtaining an operation command according to the received interaction data, wherein the operation command comprises the following steps:
and obtaining the operation command according to the received interaction data and the cursor information corresponding to each interaction data.
3. The auditing method of claim 1, further comprising, after determining that the operating command matches the dangerous command condition:
judging whether the client is in a monitoring mode or not;
if the client is in the monitoring mode, sending the command ending symbol to the server;
and if the client is in the non-monitoring mode, entering the step of sending an interrupt command for blocking the execution of the operation command to the server.
4. An auditing method according to claim 1, characterised in that the method further comprises:
forming a command log corresponding to the operation command according to a preset format;
and storing the command log locally.
5. The auditing method of claim 4, further comprising, prior to locally storing the command log:
judging whether a key file exists in the client;
if a key file exists in the client, encrypting the command log according to the key file;
the step of locally storing the command log includes:
and carrying out local storage on the encrypted command log.
6. An auditing apparatus, for application to a client, the apparatus comprising:
the command acquisition module is used for receiving the interactive data input by the user and sending the interactive data to the server when the interactive data is not a command ending symbol;
the command acquisition module is further configured to obtain an operation command according to the received interaction data when the interaction data is a command ending symbol;
the auditing module is used for judging whether the operation command is matched with a preset dangerous command condition or not;
a sending module, configured to send an interrupt command for blocking execution of the operation command to the server when the operation command matches the dangerous command condition, so as to block the server from executing the operation command;
the dangerous command condition comprises at least one regular expression and target objects corresponding to the regular expressions one by one; the judging whether the operation command is matched with a preset dangerous command condition or not comprises the following steps: judging whether the operation command is matched with any regular expression;
if the operation command is matched with any regular expression, judging whether the client is matched with a target object corresponding to any regular expression;
if the client is matched with a target object corresponding to any regular expression, judging that the operation command is matched with the dangerous command condition;
wherein after receiving the interactive data input by the user, the method further comprises the following steps: judging whether the received interaction data is command data or not; if the interactive data is command data, entering the step of judging whether the interactive data is a command ending symbol;
wherein before the interactive data is sent to the server, the method further comprises: judging whether the command data is a command character or not; if the command data are command characters, setting a state flag bit corresponding to the command data; if the command data is not a command character, the interactive data is sent to a server;
after the interactive data is sent to the server, the method further comprises: receiving return data corresponding to the command data returned by the server; if the command data is not a command character, the server does not provide the return data;
and obtaining an operation command according to the received interaction data, wherein the operation command comprises the following steps: and obtaining the operation command according to the interaction data, the status flag bits corresponding to the command data and the return data corresponding to the command data.
7. A client, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the auditing method of any of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010147638.3A CN111404889B (en) | 2020-03-05 | 2020-03-05 | Audit method and device and client |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010147638.3A CN111404889B (en) | 2020-03-05 | 2020-03-05 | Audit method and device and client |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111404889A CN111404889A (en) | 2020-07-10 |
CN111404889B true CN111404889B (en) | 2023-06-09 |
Family
ID=71413201
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010147638.3A Active CN111404889B (en) | 2020-03-05 | 2020-03-05 | Audit method and device and client |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111404889B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112232785A (en) * | 2020-10-29 | 2021-01-15 | 哈尔滨学院 | Intelligent operation audit robot system based on big data |
CN112346791B (en) * | 2020-11-25 | 2022-07-15 | 中盈优创资讯科技有限公司 | AAA-based dangerous command identification and shielding method and device |
CN113472733B (en) * | 2021-05-07 | 2022-11-22 | 北京东方通软件有限公司 | Internet-oriented security audit method |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2161669A1 (en) * | 2008-09-09 | 2010-03-10 | Chattensoft e.K. | Method for automating data transfer between a user's terminal and a website provided from an external server |
JP2016057869A (en) * | 2014-09-10 | 2016-04-21 | 日本電気株式会社 | Command execution system, client device, server device, and command execution method |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7707269B2 (en) * | 2005-11-02 | 2010-04-27 | Nortel Networks Limited | Interfacing between a command line interface-based application program and a remote network device |
CN102546606B (en) * | 2011-12-23 | 2014-12-31 | 华为数字技术(成都)有限公司 | Telnet command filter method, network safety device and network safety system |
CN102571774B (en) * | 2011-12-27 | 2015-10-21 | 浙江省电力公司 | A kind of character operating command identification method and device |
CN103973782A (en) * | 2014-04-29 | 2014-08-06 | 上海上讯信息技术股份有限公司 | Operation and maintenance operation control system and method based on blacklist command setting |
CN105139139B (en) * | 2015-08-31 | 2018-12-21 | 国家电网公司 | Data processing method and device and system for O&M audit |
KR101780764B1 (en) * | 2017-03-20 | 2017-09-22 | 주식회사 넷앤드 | An unauthorized command control method by the access control system for enhancing server security |
Also Published As
Publication number | Publication date |
---|---|
CN111404889A (en) | 2020-07-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |