CN104821943A - Method for enhancing security of access of Linux hosts to network system - Google Patents


Info

Publication number
CN104821943A
Authority
CN
China
Prior art keywords
user
security
login
network
linux
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510205085.1A
Other languages
Chinese (zh)
Inventor
蔡皖东
蔡霖
赵磊
贾锐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Northwestern Polytechnical University
Original Assignee
Northwestern Polytechnical University

Abstract

Translated from Chinese

The invention discloses a method for enhancing the security of Linux hosts that access a network system, addressing the poor security of existing Linux hosts on such networks. The technical solution sets up a security monitoring center in the network system; the center installs and runs security monitoring center software that uniformly sets and manages the global security policy of all Linux hosts in the network and monitors and audits the security state of each Linux host. Each Linux host installs and runs a security-enhanced Linux operating system that monitors and audits the user's system logins, peripheral use, network communication and other operations according to the global security policy. The invention can promptly detect and block a user's policy violations, increasing the trustworthiness, controllability and traceability of user operations and thereby improving the security of the accessing hosts and of the network information system.

Description

Translated from Chinese
Security enhancement method for Linux hosts accessing a network system

Technical field

The invention relates to the field of network information security, and in particular to a method for enhancing the security of Linux hosts accessing a network system.

Background

Information system security level protection is an information system security assurance regime implemented in China, for which the state has issued standards and regulations. The standard states basic requirements in five areas: physical security, network security, host security, application security and data security. Host security here means the security of the computers that access the network system, and it is an important part of information system security.

The operating systems used on hosts are mainly Windows and Linux; a computer running Windows is called a Windows host and one running Linux a Linux host. At present the computers accessing network systems are mainly Windows hosts. As domestic operating systems based on the Linux kernel are promoted and adopted, more and more Linux hosts will access network systems, and Linux host security is receiving growing attention.

Although the Linux operating system provides certain security mechanisms internally, it uses a discretionary security policy: the user decides whether to enable a mechanism and how strong it is. Such a discretionary policy is suited to a stand-alone machine. In a networked environment the Linux host has to access the network information system, and any policy violation by a host user endangers the security of the whole system. Therefore, at higher levels of information system security protection, a Linux host access security enhancement system must be deployed to strengthen Linux hosts: under a global security policy, the system logins, peripheral use, network communication and other operations of every Linux host user on the network information system are monitored and audited, increasing the trustworthiness, controllability and traceability of user operations and raising the system's level of security assurance.

Existing Linux host security enhancement technology mainly hardens the Linux operating system for stand-alone use and does not address enhancing the security of Linux hosts accessing a network.

Document 1, "Research and Implementation of a Linux Host Security System", Information Technology, Vol. 27, No. 7, 2003, pp. 12-16, discloses a Linux host security system that tightly couples the firewall's handling of network traffic with the operating system's access control over the resources users use, so that the firewall module and the operating system cooperate to protect the host more completely.

Document 2, "Research and Implementation of a Linux Host-Based Authentication System", Computer Engineering, Vol. 32, No. 13, 2006, pp. 185-186, 189, discloses a Linux host authentication system that modifies the kernel source code and, combined with a hardware encryption card, applies policy-based mandatory access control to realise a host authentication system on the Linux 2.6.x kernel.

Neither document addresses security monitoring and auditing of the behaviour of users of Linux hosts accessing a network system.

Summary of the invention

To overcome the poor security of existing Linux hosts accessing a network system, the invention provides a method for enhancing the security of Linux hosts accessing a network system. The method sets up a security monitoring center in the network system; the center's computer installs and runs security monitoring center software that uniformly sets and manages the global security policy of all Linux hosts in the network and monitors and audits the security state of each Linux host. The global security policy comprises a system login policy, a peripheral use policy and a network communication policy for each Linux host, and is distributed over the network to the corresponding Linux host for enforcement. Each Linux host installs and runs a security-enhanced Linux operating system that monitors and audits the user's system logins, peripheral use, network communication and other operations according to the global security policy. By deploying and running the Linux host access security enhancement system, the invention monitors and audits the system logins, peripheral use, network communication and other operations of all Linux host users on the network system, can promptly detect and block a user's violations, increases the trustworthiness, controllability and traceability of user operations, and can improve the security of the accessing hosts and of the network information system.

The technical solution the invention adopts to solve its technical problem is a method for enhancing the security of Linux hosts accessing a network system, characterised by the following steps:

(1) In the network system, designate a computer called the security monitoring center, and install and run the security monitoring center software on it. The software uniformly sets and manages the global security policy of all Linux hosts in the network and monitors and audits the security state of each Linux host. The global security policy comprises a system login policy, a peripheral use policy and a network communication policy for each Linux host, and is distributed over the network to the corresponding Linux host for enforcement.

(2) Each Linux host installs and runs a security-enhanced Linux operating system that monitors and audits the user's system logins, peripheral use and network communication according to the global security policy. The security enhancement of the Linux operating system covers the following aspects:

① System logins by Linux host users are mandatorily monitored according to the system login policy, and the system handles two cases:

a. For a user's first system login, the system first checks whether the login time falls within the time window specified in the system login policy; if not, the login is refused and a warning is displayed. If it does, the user is prompted for the initial user name and password and then authenticated. If authentication succeeds, the login is allowed and the user is then prompted to change the initial password; the new password is checked to determine whether its string length and complexity meet the requirements of the system login policy. If they do, the change succeeds; if not, the user must enter another new password until one meets the requirements. If authentication fails, the login is refused and the system checks whether the number of failed logins has reached the maximum number of failed login attempts specified in the policy. If it has not, the user may keep trying; if it has, further attempts are prohibited and the system enters the screen-locked state, preserving the screen state of the login attempt.

b. For a user's subsequent system logins, the system first checks whether the login time falls within the time window specified in the system login policy; if not, the login is refused and a warning is displayed. If it does, the user is prompted for the user name and password and then authenticated. If authentication succeeds, the login is allowed and the system checks whether the password's age has reached the maximum password update period specified in the policy; if so, the user is prompted for a new password, whose length and complexity are checked until the user enters a compliant one. If authentication fails, the login is refused and the system checks whether the number of failed logins has reached the maximum number of failed login attempts specified in the policy. If it has not, the user may keep trying; if it has, further attempts are prohibited and the system enters the screen-locked state, preserving the screen state of the login attempt.

Both successful and unsuccessful logins are logged. The recorded information comprises the login user name, the login date and time, the number of failed logins and whether the password was changed, to support later forensics and tracing.
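The login monitor of step ①, cases a and b, written out as an added example in Python (it is not the patent's code): a policy object holds the time window, password length and complexity rules, maximum password age and failure limit, and every attempt produces the audit record the step describes. The policy values, the PBKDF2 password store and the account names are assumptions of this example.

```python
# Login monitor modelled on step (2)-①: time window, forced change of the initial
# password, length/complexity check, password age, failed-attempt lockout and one
# audit record per attempt. Added example, not the patent's code.
import hashlib, hmac, os, re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class LoginPolicy:                # the system login policy pushed by the center
    window_start: int = 8         # hour of day from which login is allowed
    window_end: int = 18          # hour of day (exclusive) until which it is allowed
    min_length: int = 8
    min_classes: int = 3          # of: lower, upper, digit, other
    max_failures: int = 3
    max_password_age: timedelta = timedelta(days=90)

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    initial_password: bool = True  # True until the first forced change
    failures: int = 0
    locked: bool = False           # the patent's screen-locked state

def _hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_account(username, initial_pw, now):
    salt = os.urandom(16)
    return Account(username, salt, _hash(salt, initial_pw), now)

def complexity_ok(policy, pw):
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    found = sum(1 for c in classes if re.search(c, pw))
    return len(pw) >= policy.min_length and found >= policy.min_classes

@dataclass
class LoginMonitor:
    policy: LoginPolicy
    accounts: dict
    log: list = field(default_factory=list)   # audit records required by step ①

    def _finish(self, user, now, result, changed):
        acct = self.accounts.get(user)
        self.log.append({"user": user, "time": now.isoformat(), "result": result,
                         "failures": acct.failures if acct else None,
                         "password_changed": changed})
        return result

    def attempt(self, user, password, now, new_password=None):
        """One login attempt; returns the decision and writes an audit record."""
        p = self.policy
        if not p.window_start <= now.hour < p.window_end:
            return self._finish(user, now, "denied_time_window", False)
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            return self._finish(user, now, "denied_locked" if acct else "denied_bad_credentials", False)
        if not hmac.compare_digest(_hash(acct.salt, password), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= p.max_failures:
                acct.locked = True
                return self._finish(user, now, "denied_locked", False)
            return self._finish(user, now, "denied_bad_credentials", False)
        acct.failures = 0
        # Case a forces a change at first login; case b when the password has aged out.
        expired = now - acct.password_set_at >= p.max_password_age
        if acct.initial_password or expired:
            if new_password is None or not complexity_ok(p, new_password):
                # The patent re-prompts until compliant; here the caller retries.
                return self._finish(user, now, "password_change_required", False)
            acct.salt = os.urandom(16)
            acct.pw_hash = _hash(acct.salt, new_password)
            acct.password_set_at, acct.initial_password = now, False
            return self._finish(user, now, "allowed", True)
        return self._finish(user, now, "allowed", False)

def demo():
    """Constructed scenario: a new account and one whose password has aged out."""
    now = datetime(2015, 4, 27, 10, 0)
    mon = LoginMonitor(LoginPolicy(), {
        "alice": new_account("alice", "init-Passw0rd", now),
        "bob": new_account("bob", "Old-Passw0rd!", now - timedelta(days=91))})
    mon.accounts["bob"].initial_password = False
    r = [mon.attempt("alice", "init-Passw0rd", datetime(2015, 4, 27, 22, 0)),  # outside window
         mon.attempt("alice", "init-Passw0rd", now),                           # no new password
         mon.attempt("alice", "init-Passw0rd", now, "short"),                  # non-compliant
         mon.attempt("alice", "init-Passw0rd", now, "Str0ng!Passphrase")]      # changed
    r += [mon.attempt("alice", "wrong", now) for _ in range(3)]                # lockout
    r.append(mon.attempt("alice", "Str0ng!Passphrase", now))                   # still locked
    r.append(mon.attempt("bob", "Old-Passw0rd!", now))                         # aged password
    return r
```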

② Users' use of peripherals is mandatorily monitored according to the peripheral use policy. The monitored external devices include removable hard disks, USB flash drives, optical discs, printers and scanners, and the peripheral use policy specifies the external devices each host is allowed to use. When a user uses a peripheral, the system captures the peripheral use request in the operating system kernel, extracts its characteristic parameters and checks them against the external devices allowed by the peripheral use policy. If they do not match, use is refused, the request is intercepted and an alarm is raised; if they match, use is allowed, the request is processed normally and a log entry is written. The recorded information comprises the device type, operation type, file name, and date and time, to support later forensics and tracing.

③ Users' network communication is mandatorily monitored according to the network communication policy. The monitored network communication interfaces include Ethernet interfaces, the various wireless network interfaces and the various serial communication interfaces, and the network communication policy specifies the network communication interfaces each host is allowed to use. When a user communicates over the network, the system captures the network communication request in the operating system kernel, extracts its characteristic parameters and checks whether the network communication interface is among those allowed by the network communication policy. If not, access is refused, the request is intercepted and an alarm is raised; if so, further checks follow:

a. Extract the source IP address, destination IP address, source port number, destination port number and protocol type from the packet and check them against what the network communication policy specifies. If they do not match, access is refused, the request is intercepted and an alarm is raised; if they match, access is allowed, the request is processed normally and the packet is output to the network communication interface.

b. Write a log entry. The recorded information comprises the network communication interface type, physical address, source IP address, destination IP address, source port number, destination port number, protocol type, date and time, and the allow/deny decision, to support later forensics and tracing.
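The decision logic of step ③ (interface check, then 5-tuple check, then the log entry of sub-step b), written out as an added example in Python that is not the patent's code. The interface names, CIDR rules, MAC addresses and packets are constructed for the example, and the policy is default-deny with an alarm on every refusal, as the step describes.

```python
# Network communication check modelled on step (2)-③: the request's interface is
# matched against the host's allowed interfaces, then the packet's 5-tuple against
# the policy rules, and every decision is logged with the fields listed in step b.
# Added example, not the patent's code.
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:                    # one permitted flow; anything unmatched is denied
    src: str                   # CIDR
    dst: str                   # CIDR
    proto: str                 # "tcp", "udp", "icmp" or "any"
    dst_ports: tuple = (0, 65535)   # inclusive range; (0, 0) for portless protocols
    src_ports: tuple = (0, 65535)

    def matches(self, pkt):
        return (ip_address(pkt["src_ip"]) in ip_network(self.src)
                and ip_address(pkt["dst_ip"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.src_ports[0] <= pkt["src_port"] <= self.src_ports[1]
                and self.dst_ports[0] <= pkt["dst_port"] <= self.dst_ports[1])

@dataclass
class NetPolicy:               # the network communication policy pushed by the center
    interfaces: dict           # allowed interface name -> type, e.g. {"eth0": "ethernet"}
    rules: tuple

@dataclass
class NetMonitor:
    policy: NetPolicy
    log: list = field(default_factory=list)     # records required by sub-step b
    alarms: list = field(default_factory=list)  # one alarm per refused request

    def check(self, iface, mac, pkt, now):
        """Decide one captured request; returns "allow" or "deny"."""
        if iface not in self.policy.interfaces:
            decision, reason = "deny", "interface_not_allowed"
        elif any(r.matches(pkt) for r in self.policy.rules):
            decision, reason = "allow", "rule_match"
        else:
            decision, reason = "deny", "no_matching_rule"
        self.log.append({"iface_type": self.policy.interfaces.get(iface, "unknown:" + iface),
                         "mac": mac, **pkt, "time": now.isoformat(),
                         "decision": decision, "reason": reason})
        if decision == "deny":
            self.alarms.append((now, iface, reason))
        return decision

def demo():
    """Constructed host policy: Ethernet only, HTTP/HTTPS and ping to the server subnet."""
    policy = NetPolicy({"eth0": "ethernet"}, (
        Rule("10.1.0.0/16", "10.1.2.0/24", "tcp", (80, 80)),
        Rule("10.1.0.0/16", "10.1.2.0/24", "tcp", (443, 443)),
        Rule("10.1.0.0/16", "10.1.2.10/32", "icmp", (0, 0), (0, 0))))
    mon = NetMonitor(policy)
    now = datetime(2015, 4, 27, 10, 30)
    https = {"src_ip": "10.1.5.7", "dst_ip": "10.1.2.10", "src_port": 50123, "dst_port": 443, "proto": "tcp"}
    ssh_out = {"src_ip": "10.1.5.7", "dst_ip": "203.0.113.9", "src_port": 50124, "dst_port": 22, "proto": "tcp"}
    ping = {"src_ip": "10.1.5.7", "dst_ip": "10.1.2.10", "src_port": 0, "dst_port": 0, "proto": "icmp"}
    decisions = [mon.check("eth0", "00:11:22:33:44:55", https, now),
                 mon.check("wlan0", "66:77:88:99:aa:bb", https, now),    # disallowed interface
                 mon.check("eth0", "00:11:22:33:44:55", ssh_out, now),   # no matching rule
                 mon.check("eth0", "00:11:22:33:44:55", ping, now)]
    return decisions, mon
```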

本发明的有益效果是:该方法在网络系统中设置一个安全监控中心,安全监控中心的计算机上安装并运行安全监控中心软件,负责统一设置和管理网络中所有Linux主机的全局安全策略,并对每个Linux主机的安全状态进行监控和审计。全局安全策略包括各个Linux主机的系统登录策略、外设使用策略和网络通信策略,并通过网络将全局安全策略下发给相应的Linux主机执行。每个Linux主机安装并运行经过安全增强的Linux操作系统,按照全局安全策略对用户的系统登录、外设使用、网络通信等操作行为进行安全监控和审计。本发明通过部署和运行Linux主机接入安全增强系统,对所有接入网络系统的Linux主机用户的系统登录、外设使用、网络通信等操作行为进行安全监控和审计,能够及时发现并阻断用户的违规行为,增强了用户操作行为的可信性、可控性以及可追溯性,从而提高了接入主机以及网络信息系统的安全性。The beneficial effect of the present invention is: this method is provided with a security monitoring center in network system, installs and runs security monitoring center software on the computer of security monitoring center, is responsible for the global security policy of all Linux mainframes in unified setting and management network, and to The security status of each Linux host is monitored and audited. The global security policy includes the system login policy, peripheral use policy and network communication policy of each Linux host, and the global security policy is sent to the corresponding Linux host through the network for execution. Each Linux host installs and runs a security-enhanced Linux operating system, and conducts security monitoring and auditing of user system login, peripheral use, network communication, and other operational behaviors in accordance with the global security policy. By deploying and running the Linux host access security enhancement system, the present invention monitors and audits the system login, peripheral use, network communication and other operating behaviors of all Linux host users accessing the network system, and can detect and block users in time violations, enhance the credibility, controllability, and traceability of user operations, thereby improving the security of access hosts and network information systems.

下面结合附图和具体实施方式对本发明作详细说明。The present invention will be described in detail below in conjunction with the accompanying drawings and specific embodiments.

附图说明Description of drawings

图1是本发明方法中系统登录行为监控流程图。Fig. 1 is a flow chart of system login behavior monitoring in the method of the present invention.

图2是本发明方法中外设使用行为监控流程图。Fig. 2 is a flow chart of peripheral device use behavior monitoring in the method of the present invention.

图3是本发明方法中网络通信行为监控流程流程图。Fig. 3 is a flow chart of network communication behavior monitoring in the method of the present invention.

具体实施方式Detailed ways

本发明所涉及的基本概念如下。The basic concepts involved in the present invention are as follows.

1.系统登录行为。1. System login behavior.

系统登录行为是指用户登录操作系统的操作行为,包括合法和非法的行为。通常,操作系统内部都提供了基于用户名和口令的身份鉴别机制,用于控制用户的系统登录行为。用户在登录操作系统前,必须事先通过操作系统的用户注册功能注册用户名和口令,成为合法用户后,才能登录操作系统。在用户登录时,必须输入正确的用户名和口令,系统根据用户名和口令进行身份鉴别,只有通过身份鉴别后才允许用户登录系统,否则拒绝用户登录系统。System login behavior refers to the operation behavior of users logging into the operating system, including legal and illegal behaviors. Usually, an authentication mechanism based on user name and password is provided inside the operating system to control the user's system login behavior. Before logging in to the operating system, the user must first register the user name and password through the user registration function of the operating system, and only after becoming a legal user can log in to the operating system. When the user logs in, he must enter the correct user name and password, and the system performs identity authentication based on the user name and password. Only after the identity authentication is passed, the user is allowed to log in to the system, otherwise the user is denied to log in to the system.

在实际应用中,如果用户使用了弱口令,则很容易被攻击者破解,假冒合法用户非法登录系统,执行非法操作。弱口令是指用户设置的口令存在着安全弱点,包括口令字符串长度过短、口令字符串组成过于简单、口令长期不更换等,容易引起口令泄露或被攻击者破解。In practical applications, if a user uses a weak password, it is easy to be cracked by an attacker, who can log in to the system illegally by pretending to be a legitimate user and perform illegal operations. Weak passwords refer to the security weaknesses of the passwords set by users, including the length of the password string is too short, the composition of the password string is too simple, and the password is not changed for a long time, etc., which may easily cause the password to be leaked or cracked by an attacker.

Linux操作系统内部虽然提供了基于用户名和口令的身份鉴别机制,但是比较简单,并且是自主型的,具有随意性,在登录系统时,用户可以选择设置口令或取消口令,甚至不设置口令,给主机安全带来一定的风险。这种自主型身份鉴别机制并不适合在高级别的信息系统安全保护中应用。Although the Linux operating system provides an identity authentication mechanism based on user name and password, it is relatively simple, and it is autonomous and arbitrary. When logging in to the system, the user can choose to set or cancel the password, or even not set the password. Host security brings certain risks. This autonomous identity authentication mechanism is not suitable for application in high-level information system security protection.

在高级别的信息系统安全保护中,要求主机系统应当提供系统登录行为监控机制,能够对用户的系统登录行为进行安全监控。系统登录行为监控机制应提供如下的功能:In the high-level information system security protection, the host system is required to provide a system login behavior monitoring mechanism, which can monitor the user's system login behavior. The system login behavior monitoring mechanism shall provide the following functions:

(1)用户登录系统时必须设置并输入口令,并且用户无法随意地取消口令,确保操作系统的身份鉴别机制能够有效地实施。(1) The user must set and enter a password when logging into the system, and the user cannot cancel the password at will, so as to ensure that the identity authentication mechanism of the operating system can be effectively implemented.

(2)提供口令限制措施,通过设置口令字符串最小长度、口令字符串复杂度、最大口令更新周期、最大尝试登录失败次数等参数,对口令进行限制,防止口令泄露或被轻易破解。(2) Provide password restriction measures. By setting parameters such as the minimum length of the password string, the complexity of the password string, the maximum password update cycle, and the maximum number of failed login attempts, the password is restricted to prevent the password from being leaked or easily cracked.

(3)提供系统登录时间窗口限制措施,通过日期和时间来设置允许登录的时间窗口,在时间窗口之外拒绝用户的系统登录行为。(3) Provide system login time window restriction measures, set the time window for allowing login by date and time, and reject the user's system login behavior outside the time window.

通过安全性增强,将Linux主机的自主型身份鉴别机制提升为强制型系统登录行为监控机制,提高Linux主机身份鉴别强度和安全性。Through security enhancement, the independent identity authentication mechanism of Linux hosts is upgraded to a mandatory system login behavior monitoring mechanism, and the strength and security of Linux host identity authentication are improved.

2.外设使用行为。2. Peripheral usage behavior.

外设使用行为是指用户使用外部设备的操作行为,包括合法和非法的行为。一些与信息输入输出相关的外部设备,如移动硬盘、移动优盘、光盘、打印机、扫描仪等,是人机交互接口和载体,也是病毒输入和信息泄露的主要渠道。为了提高主机安全性和可控性,需要对用户的外设使用行为进行安全监控,一方面要禁止使用未在安全策略中定义的外部设备,另一方面要对允许使用的外部设备及使用行为进行监控和记录,使其行为是可控和可追溯的。这就是外设使用行为监控机制。Peripheral device use behavior refers to the user's operation behavior of using external devices, including legal and illegal behaviors. Some external devices related to information input and output, such as mobile hard disks, mobile USB flash drives, CDs, printers, scanners, etc., are human-computer interaction interfaces and carriers, and are also the main channels for virus input and information leakage. In order to improve the security and controllability of the host, it is necessary to monitor the use behavior of the user's peripherals. On the one hand, the use of external devices not defined in the security policy must be prohibited; Monitor and record to make its behavior controllable and traceable. This is the peripheral usage behavior monitoring mechanism.

Linux操作系统内部并未提供这种外设使用行为监控机制,因此需要通过安全增强在Linux操作系统内部增加外设使用行为监控机制。The Linux operating system does not provide such a peripheral usage behavior monitoring mechanism, so it is necessary to add a peripheral usage behavior monitoring mechanism inside the Linux operating system through security enhancement.

3.网络通信行为。3. Network communication behavior.

网络通信行为是指用户的网络访问或数据通信的操作行为,包括合法和非法的行为。在主机上通常提供了多种网络通信接口,如以太网接口、无线网接口、串行通信接口等。在高安全保护级别的信息系统中,通常只允许采用某种特定的网络通信接口(一般为以太网接口)进行组网通信,而禁止其它的通信方式,防止其它通信方式成为不受控的隐通道或后门,形成安全威胁。为了提高主机安全性和可控性,需要对用户的网络通信行为进行安全监控,一方面要禁止使用未在安全策略中定义的网络通信接口,另一方面要对允许使用的网络通信接口及使用行为进行监控,禁止访问未在安全策略中定义的网站和信息系统,同时对网络访问行为进行记录,使其行为是可控和可追溯的。这就是网络通信行为监控机制。Network communication behavior refers to the user's network access or data communication operation behavior, including legal and illegal behaviors. A variety of network communication interfaces are usually provided on the host computer, such as Ethernet interface, wireless network interface, serial communication interface and so on. In an information system with a high level of security protection, it is usually only allowed to use a specific network communication interface (usually an Ethernet interface) for networking communication, while other communication methods are prohibited to prevent other communication methods from becoming uncontrolled hidden Passage or back door, posing a security threat. In order to improve the security and controllability of the host, it is necessary to monitor the user's network communication behavior. On the one hand, it is necessary to prohibit the use of network communication interfaces that are not defined in the security policy; Behavior monitoring, prohibiting access to websites and information systems not defined in the security policy, and recording network access behaviors to make their behaviors controllable and traceable. This is the network communication behavior monitoring mechanism.

Linux操作系统内部并未提供这种网络通信行为监控机制,因此需要通过安全增强在Linux操作系统内部增加网络通信行为监控机制。The Linux operating system does not provide such a network communication behavior monitoring mechanism, so it is necessary to add a network communication behavior monitoring mechanism inside the Linux operating system through security enhancement.

4.全局安全策略。4. Global security policy.

安全策略是指为建立信息系统安全环境所制定的一组安全规则,安全策略一般通过设置信息系统的安全机制和安全组件来实施,或者通过部署信息安全产品来实施。安全策略分为本地安全策略和全局安全策略,本地安全策略是指在一个主机上利用操作系统内部的安全机制和安全组件来设置安全规则,如身份鉴别、访问控制等,本地安全策略通常是自主型的,具有随意性,用户可以设置、可以不设置、可以取消、可严可松。全局安全策略是指按照一个信息系统的总体安全保护级别要求统一设置每个主机的安全策略,通过网络下发给各个主机强制执行,因此全局安全策略是强制型的,具有确定性,用户无法自行取消或更改。Security policy refers to a set of security rules formulated to establish a security environment for information systems. Security policies are generally implemented by setting security mechanisms and components of information systems, or by deploying information security products. Security policies are divided into local security policies and global security policies. Local security policies refer to using the internal security mechanism and security components of the operating system to set security rules on a host, such as identity authentication, access control, etc. Local security policies are usually autonomous. Type, with randomness, the user can set, can not set, can cancel, can be strict or loose. The global security policy refers to the uniform setting of the security policy for each host according to the overall security protection level requirements of an information system, which is issued to each host for enforcement through the network. Therefore, the global security policy is mandatory and deterministic, and users cannot Cancel or change.

Linux操作系统只提供了基于本地安全策略的安全保护机制,因此需要通过安全增强在Linux操作系统内部增加全局安全策略及其实现机制。The Linux operating system only provides a security protection mechanism based on local security policies, so it is necessary to add a global security policy and its implementation mechanism within the Linux operating system through security enhancement.

5.操作系统内核。5. Operating system kernel.

从系统组成结构上,Linux操作系统分为用户态和核心态,一般的应用程序主要运行在用户态,而系统内核和驱动程序则运行在核心态。应用程序可以通过操作系统提供的应用程序接口API来调用系统内核功能或安装设备驱动程序。In terms of system structure, the Linux operating system is divided into user mode and kernel mode. General applications mainly run in user mode, while system kernel and drivers run in core mode. The application program can call the system kernel function or install the device driver program through the application program interface API provided by the operating system.

安全增强是通过在操作系统上安装相应的安全增强程序来实现,安全增强程序分为两个部分,一部分运行在用户态,主要实现与用户的交互功能,包括用户登录界面、警告信息提示等;另一部分运行在核心态,主要实现用户操作行为的感知、捕获和控制等功能,以及全局安全策略的实现机制,也是安全增强实现的核心所在。The security enhancement is realized by installing the corresponding security enhancement program on the operating system. The security enhancement program is divided into two parts, one part runs in the user state, and mainly realizes the interaction function with the user, including the user login interface, warning message prompts, etc.; The other part runs in the core state, which mainly realizes functions such as perception, capture and control of user operation behaviors, as well as the realization mechanism of the global security policy, which is also the core of security enhancement implementation.

经过安全增强的系统内核需要重新编译后安装运行,操作系统便升级为支持全局安全策略的安全增强型操作系统。The security-enhanced system kernel needs to be recompiled before installation and operation, and the operating system is upgraded to a security-enhanced operating system that supports global security policies.

本发明通过开发两个软件系统来实施。The invention is implemented by developing two software systems.

一个软件系统为安全监控中心,主要提供各个Linux主机全局安全策略的设置和管理功能以及各个Linux主机安全状态监控和日志审计功能,安装和运行在信息网络中的一台计算机上。A software system is the security monitoring center, which mainly provides the setting and management functions of the global security policy of each Linux host, as well as the security status monitoring and log auditing functions of each Linux host, and is installed and run on a computer in the information network.

另一个软件系统为Linux操作系统安全增强程序,由两个部分组成:一部分运行在用户态,主要实现与用户的交互功能,包括用户登录界面、警告信息提示等;另一部分运行在核心态,主要实现用户操作行为的感知、捕获和控制等功能,以及全局安全策略的实现机制。经过安全增强的系统内核重新编译后安装并运行在每个Linux主机上,将主机操作系统升级为支持全局安全策略的安全增强型操作系统。Another software system is the security enhancement program of the Linux operating system, which is composed of two parts: one part runs in the user mode, which mainly realizes the interaction function with the user, including the user login interface, warning message prompts, etc.; the other part runs in the core mode, mainly Realize functions such as perception, capture and control of user operation behavior, as well as the implementation mechanism of global security policies. The security-enhanced system kernel is recompiled and then installed and run on each Linux host, upgrading the host operating system to a security-enhanced operating system that supports global security policies.

The computer running the security monitoring center and each Linux host are all connected to the network system and can communicate over the network. Once the administrator has set the global security policy for each Linux host at the security monitoring center and distributed it to the hosts over the network, each Linux host monitors the user's system login, peripheral use and network communication according to its global security policy. This strengthens the trustworthiness, controllability and traceability of user operations on Linux hosts and improves the security of both the access hosts and the network information system.

Referring to Figures 1-3, the specific steps of the method for enhancing the security of Linux hosts accessing a network system are as follows:

(1) In the network system, designate one computer as the security monitoring center. Install and run the security monitoring center software on it; this software uniformly sets and manages the global security policy of all Linux hosts in the network and monitors and audits the security status of each Linux host. The global security policy comprises each Linux host's system login policy, peripheral use policy and network communication policy, and is distributed over the network to the corresponding Linux host for enforcement.

(2) Each Linux host installs and runs the security-enhanced Linux operating system, which monitors and audits the user's system login, peripheral use, network communication and other operations according to the global security policy. The security enhancement of the Linux operating system covers the following aspects:

① The system login behaviour of Linux host users is mandatorily monitored according to the system login policy; two cases are distinguished:

a. For a user's first system login, the system first checks whether the login time falls within the time window specified in the system login policy; if not, login is refused and a warning message is shown. If it does, the user is prompted for the initial user name and password and the user's identity is authenticated. If authentication succeeds, login is allowed and the user is then prompted to change the initial password; the new password is checked against the length and complexity requirements of the system login policy, the change succeeds only if it complies, and otherwise the user must enter another new password until it does. If authentication fails, login is refused and the number of failed logins is compared with the maximum number of failed login attempts specified in the system login policy: below the maximum the user may try again; once it is reached the user is barred from further attempts and the system enters a screen-locked state, preserving the screen state of the login attempt.

b. For a user's subsequent system logins, the system first checks whether the login time falls within the time window specified in the system login policy; if not, login is refused and a warning message is shown. If it does, the user is prompted for the user name and password and the user's identity is authenticated. If authentication succeeds, login is allowed and the system checks whether the password has been in use for the maximum password update period specified in the system login policy; if so, the user is prompted for a new password, whose length and complexity are checked until the user enters a compliant one. If authentication fails, login is refused and the number of failed logins is compared with the maximum number of failed login attempts specified in the system login policy: below the maximum the user may try again; once it is reached the user is barred from further attempts and the system enters a screen-locked state, preserving the screen state of the login attempt.

Successful and unsuccessful login attempts are both logged. The record contains the login user name, login date and time, number of failed logins, whether the password was changed, and so on, to support later forensics and tracing.
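The login logic of steps ①a and ①b, written out as an added example that is not part of the patent: the patent places this logic in a recompiled kernel, whereas this is a user-space simulation, and the policy field names, thresholds, the "three of four character classes" complexity rule and the plaintext password comparison are all assumptions made here for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class LoginPolicy:                 # assumed field layout of the system login policy
    window_start: int = 8          # logins allowed for hours in [window_start, window_end)
    window_end: int = 18
    min_length: int = 10           # password length requirement
    max_failures: int = 3          # maximum failed login attempts before screen lock
    max_password_age_days: int = 90

def password_ok(pw, policy):
    """Length check plus complexity: at least three of the four character classes (assumed rule)."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= policy.min_length and classes >= 3

@dataclass
class Account:
    name: str
    password: str                  # plaintext only for this simulation; a real system compares hashes
    initial: bool = True           # still on the administrator-issued initial password (case ①a)
    password_set: datetime = field(default_factory=datetime.now)
    failures: int = 0
    locked: bool = False

def attempt_login(acct, policy, now, username, password, new_password=None, log=None):
    """One login attempt under steps ①a (first login) and ①b (later logins).
    Returns 'denied_time', 'locked', 'denied_auth', 'need_new_password' or 'allowed'
    and appends the audit record described in the text to `log`."""
    log = log if log is not None else []

    def record(result, changed=False):
        log.append({"user": username, "time": now.isoformat(timespec="minutes"),
                    "failures": acct.failures, "password_changed": changed, "result": result})
        return result

    if acct.locked:                                   # screen lock: no further attempts
        return record("locked")
    if not policy.window_start <= now.hour < policy.window_end:
        return record("denied_time")                  # outside the time window: refuse and warn
    if username != acct.name or password != acct.password:
        acct.failures += 1
        if acct.failures >= policy.max_failures:      # threshold reached: lock the screen
            acct.locked = True
            return record("locked")
        return record("denied_auth")                  # below threshold: the user may try again
    # Authenticated. First login (①a) or expired password (①b) forces a compliant new password.
    expired = now - acct.password_set > timedelta(days=policy.max_password_age_days)
    if acct.initial or expired:
        if new_password is None or not password_ok(new_password, policy):
            return record("need_new_password")        # caller re-prompts until it complies
        acct.password, acct.initial, acct.password_set = new_password, False, now
        acct.failures = 0
        return record("allowed", changed=True)
    acct.failures = 0
    return record("allowed")
```

The lockout is deliberately not time-based: as in the text, a locked account stays locked until an administrator intervenes, and the audit record carries the failure count at the moment of each decision.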

② The user's use of peripherals is mandatorily monitored according to the peripheral use policy. The monitored peripherals are mainly input and output devices that could introduce viruses or leak information, such as portable hard disks, USB flash drives, optical discs, printers and scanners; the peripheral use policy specifies which external devices each host is allowed to use. When the user uses a peripheral, the system captures the peripheral use request in the operating system kernel, extracts its characteristic parameters and checks them against the external devices allowed by the peripheral use policy. If they do not match, use is refused, the request is intercepted and an alarm is raised; if they match, use is allowed, the request is processed normally and a log record is written containing the device type, operation type (input/output), file name, date and time, and so on, to support later forensics and tracing.

③ The user's network communication is mandatorily monitored according to the network communication policy. The monitored network communication interfaces include Ethernet interfaces, the various wireless network interfaces and the various serial communication interfaces; the network communication policy specifies which network communication interfaces each host is allowed to use. When the user communicates over the network, the system captures the network communication request in the operating system kernel, extracts its characteristic parameters and checks whether the network communication interface is one allowed by the network communication policy. If not, access is refused, the request is intercepted and an alarm is raised; if so, a further check is made:

a. The source IP address, destination IP address, source port, destination port, protocol type and other fields are extracted from the packet and checked against the network communication policy. If they do not comply, access is refused, the request is intercepted and an alarm is raised; if they comply, access is allowed, the request is processed normally and the packet is sent out through the network communication interface.

b. A log record is written containing the network communication interface type, physical address, source IP address, destination IP address, source port, destination port, protocol type, date and time, and the allow/deny decision, to support later forensics and tracing.
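The two whitelist checks of steps ② and ③, including the two-stage network check (interface first, then the 5-tuple) and the log records each step requires, as an added user-space example that is not part of the patent; the patent performs these checks in the kernel, and the policy layout, device names and all sample requests below are constructed here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class NetRule:                 # one entry of the network communication policy (assumed layout)
    src_net: str               # CIDR the source address must fall in
    dst_net: str               # CIDR the destination address must fall in
    dst_port: Optional[int]    # None means any destination port
    proto: str                 # "tcp" or "udp"

    def matches(self, pkt):
        return (pkt["proto"] == self.proto
                and ip_address(pkt["src_ip"]) in ip_network(self.src_net)
                and ip_address(pkt["dst_ip"]) in ip_network(self.dst_net)
                and (self.dst_port is None or pkt["dst_port"] == self.dst_port))

@dataclass
class HostPolicy:
    devices: frozenset         # device types this host may use (step ②)
    interfaces: frozenset      # interface types this host may use (step ③)
    rules: tuple               # NetRule entries; an unmatched packet is denied

def check_device(req, policy, log, when):
    """Step ②: allow only whitelisted device types; log every decision."""
    verdict = "allow" if req["device"] in policy.devices else "deny"
    log.append({"kind": "device", "device": req["device"], "op": req["op"],
                "file": req.get("file"), "time": when, "verdict": verdict})
    return verdict

def check_packet(pkt, policy, log, when):
    """Step ③: interface whitelist first, then the 5-tuple against the rules."""
    if pkt["iface"] not in policy.interfaces:
        verdict = "deny"       # wrong interface: the 5-tuple rules are not consulted
    else:
        verdict = "allow" if any(r.matches(pkt) for r in policy.rules) else "deny"
    log.append({"kind": "net", "iface": pkt["iface"], "mac": pkt["mac"],
                "src": f'{pkt["src_ip"]}:{pkt["src_port"]}',
                "dst": f'{pkt["dst_ip"]}:{pkt["dst_port"]}',
                "proto": pkt["proto"], "time": when, "verdict": verdict})
    return verdict

# Constructed sample policy: printer only, Ethernet only, HTTPS within 10/8 and DNS to 10.0.5.0/24
POLICY = HostPolicy(
    devices=frozenset({"printer"}), interfaces=frozenset({"eth"}),
    rules=(NetRule("10.0.0.0/8", "10.0.0.0/8", 443, "tcp"),
           NetRule("10.0.0.0/8", "10.0.5.0/24", 53, "udp")))

def packet(iface, dst_ip, dst_port, proto):
    # Constructed packet record from a fixed source host (10.0.1.2)
    return {"iface": iface, "mac": "00:11:22:33:44:55", "src_ip": "10.0.1.2",
            "src_port": 40000, "dst_ip": dst_ip, "dst_port": dst_port, "proto": proto}

def run_samples():
    """Evaluate constructed requests; returns (verdicts, audit log)."""
    log, when = [], "2015-04-27T09:00"
    verdicts = [
        check_device({"device": "printer", "op": "output", "file": "report.pdf"}, POLICY, log, when),
        check_device({"device": "usb_storage", "op": "output", "file": "report.pdf"}, POLICY, log, when),
        check_packet(packet("eth", "10.0.2.3", 443, "tcp"), POLICY, log, when),         # allowed
        check_packet(packet("wlan", "10.0.2.3", 443, "tcp"), POLICY, log, when),        # denied: interface
        check_packet(packet("eth", "198.51.100.9", 443, "tcp"), POLICY, log, when),     # denied: 5-tuple
        check_packet(packet("eth", "10.0.5.7", 53, "udp"), POLICY, log, when),          # allowed
    ]
    return verdicts, log
```

Note that the default is deny: a packet on an allowed interface that matches no rule is refused and logged, which is what makes the log usable for the after-the-fact tracing the text describes.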

Claims (1)

A. For a user's first system login, the system first checks whether the login time falls within the time window specified in the system login policy; if not, login is forbidden and a warning message is given. If it does, the user is prompted to enter the initial user name and password and user identity authentication is carried out. If authentication succeeds, login is allowed, the user is prompted to change the initial password, and the new password entered by the user is checked to determine whether its length and complexity meet the password length and complexity requirements specified in the system login policy; if so, the change succeeds; if not, a new password must be re-entered until the requirements are met. If authentication fails, login is refused and the number of login failures is checked against the maximum number of failed login attempts specified in the system login policy; if it has not been reached, the user may continue to attempt login; if it has been reached, the user is forbidden from further login attempts, the system enters a screen-locked state and the screen state of the login attempt is retained;
B. For a user's subsequent system logins, the system first checks whether the login time falls within the time window specified in the system login policy; if not, login is forbidden and a warning message is given. If it does, the user is prompted to enter the user name and password and user identity authentication is carried out. If authentication succeeds, login is allowed and the system determines whether the password lifetime has reached the maximum password update period specified in the system login policy; if it has, the user is prompted to enter a new password, whose length and complexity are checked until the user enters a compliant new password. If authentication fails, login is refused and the number of login failures is checked against the maximum number of failed login attempts specified in the system login policy; if it has not been reached, the user may continue to attempt login; if it has been reached, the user is forbidden from further login attempts, the system enters a screen-locked state and the screen state of the login attempt is retained;
2. Mandatory monitoring of the user's peripheral use behaviour according to the peripheral use policy, wherein the monitored external devices comprise portable hard drives, USB flash drives, CDs, printers and scanners, and the peripheral use policy defines the external devices each host is allowed to use; for the user's peripheral use behaviour, the system captures the peripheral use request issued by the user from the operating system kernel, extracts the characteristic parameters from it and checks whether they agree with the external devices allowed by the peripheral use policy; if not, use is refused, the request is intercepted and an alarm is raised; if so, use is allowed, the request is processed normally and a log record is made containing device type, operation type, file name, date and time, for post-mortem forensics and tracking;
3. Mandatory monitoring of the user's network communication behaviour according to the network communication policy, wherein the monitored network communication interfaces comprise Ethernet interfaces, various wireless network interfaces, various serial communication interfaces and the like, and the network communication policy defines the network communication interfaces each host is allowed to use; for the user's network communication behaviour, the system captures the network communication request issued by the user from the operating system kernel, extracts the characteristic parameters from it and checks whether its network communication interface agrees with the network communication interfaces allowed by the network communication policy; if not, access is denied, the request is intercepted and an alarm is raised; if so, a further check is made:
Application and publication data

Application number: CN201510205085.1A
Priority date / filing date: 2015-04-27
Title: Method for enhancing security of access of Linux hosts to network system
Legal status: Pending
Publication number: CN104821943A (en), published 2015-08-05
Family ID: 53732106
Country: CN


Legal Events

Code: Title
C06: Publication
PB01: Publication
EXSB: Decision made by SIPO to initiate substantive examination
SE01: Entry into force of request for substantive examination
WD01: Invention patent application deemed withdrawn after publication

Application publication date: 2015-08-05
