Detailed Description
Embodiments of the present application will be described in detail below with reference to the accompanying drawings in conjunction with the embodiments.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and in the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.
In this embodiment, a method for storing a log file is provided. Fig. 1 is a schematic hardware environment diagram of a method for storing a log file according to an embodiment of the present application. As shown in fig. 1, the method for storing a log file according to an embodiment of the present application may be applied to a baseboard management controller 102, and optionally the baseboard management controller may send the log file to a security server 104 for storage based on configuration information.
Here, the BMC (Baseboard Management Controller) is a server hardware component for remote monitoring and management of servers.
Fig. 2 is a flow chart of a method for storing log files according to an embodiment of the present application, as shown in fig. 2, the flow includes the following steps:
Step S202, under the condition that the baseboard management controller is started, reading configuration information of a first configuration item, wherein the first configuration item is used for indicating whether encryption processing is carried out on a log file of the baseboard management controller or not;
The log file storage method in this embodiment can be applied to a scenario of encrypting and protecting the log file of the baseboard management controller. Here, the BMC (Baseboard Management Controller) is a management system independent of the server operating system, which is used to manage the hardware of the server. The log of the BMC is a record of operations, flows, and alarm information during BMC operation, including but not limited to the following categories: audit logs, IDL (Inspur Diagnosis Log, precision fault diagnosis logs), SEL (System Event Log, system event logs), SOL (Serial Over LAN, a technique of connecting to and controlling computers over a remote network by transmitting control and management instructions through a serial port), maintenance logs, etc. The audit log records all non-query operations executed by all external users (including external tools) through the BMC, the IDL log is a precise fault diagnosis log, the SEL log records events occurring during system operation, the SOL log records BIOS (Basic Input/Output System) serial port information, and the maintenance log records flow information of the daily operation of the BMC.
The BMC log storage stores a large amount of information related to system operation and is in clear text storage, wherein key information such as account numbers, passwords, commands, states, hardware device models and the like related to a server exists, and if the information is acquired by an attacker, serious influences such as illegal access, illegal command execution, server core information leakage and the like can be caused. At present, the partition stored in the BMC log is not encrypted, so that the problem of lower security exists in the log file storage method in the related art.
In order to at least partially solve the above-mentioned problems, in this embodiment, a security protection method is established that encrypts and transmits the log to the security server after the BMC is started, so as to prevent the log information from being cracked.
The security server here refers to a server dedicated to providing secure network communications and data transmission, which employs various security techniques and measures, such as firewalls, data encryption, authentication, etc., to ensure that the user's data is not stolen or tampered with during transmission.
In this embodiment, a security log configuration option may be added to the BMC, where the security log configuration option may include a first configuration item, where the first configuration item is used to indicate whether to encrypt a log file of the baseboard management controller.
In order to improve the comprehensiveness of the encryption protection of the log file of the BMC, the configuration information of the first configuration item can be read under the condition that the baseboard management controller is started, and whether the log file of the baseboard management controller is encrypted or not is determined.
For example, in this embodiment, the first configuration item may be Encryption (data encryption): whether to turn on encrypted transmission (true/false).
When the configuration information of the first configuration item is false, it is determined that the log file of the baseboard management controller is not subjected to encryption processing.
The present embodiment is not limited to the form of the configuration information, and may be other configuration information for indicating whether to encrypt the log file of the baseboard management controller.
Step S204, under the condition that the log file of the baseboard management controller is determined to be encrypted based on the configuration information of the first configuration item, the log file of the baseboard management controller is encrypted to obtain an encrypted log file;
Similar to the foregoing embodiment, the first configuration item is used to indicate whether to encrypt the log file of the baseboard management controller, and when the BMC determines to encrypt the log file of the baseboard management controller based on the configuration information of the first configuration item, the log file of the baseboard management controller is encrypted to obtain an encrypted log file.
Alternatively, in this embodiment, encrypting the log file of the baseboard management controller may include, but is not limited to, encrypting with a cryptographic protocol (e.g., SSL/TLS (Secure Sockets Layer/Transport Layer Security)), encrypting with a hash function, encrypting with asymmetric encryption (asymmetric encryption uses a pair of keys, namely a public key and a private key, the public key being used to encrypt data and the private key to decrypt), encrypting with symmetric encryption, and so on.
Step S206, the encrypted log file is transmitted to the security server for storage, wherein the address of the security server is indicated by the configuration information of the second configuration item.
The BMC reads the configuration information of the first configuration item, and when the log file of the baseboard management controller is determined to be encrypted based on the configuration information of the first configuration item, the encrypted log file is transmitted to the security server for storage based on the address of the security server indicated by the configuration information of the second configuration item.
For example, in the present embodiment, the second configuration item may be RemoteTarget: remote secure server address.
Through the steps, under the condition that the baseboard management controller is started, the configuration information of the first configuration item is read, wherein the first configuration item is used for indicating whether the log file of the baseboard management controller is encrypted; under the condition that the log file of the baseboard management controller is determined to be encrypted based on the configuration information of the first configuration item, the log file of the baseboard management controller is encrypted to obtain an encrypted log file; the encrypted log file is transmitted to a security server for storage, wherein the address of the security server is indicated by the configuration information of the second configuration item, and the problem that the log file storage method in the related technology has lower security is solved.
In an exemplary embodiment, in a case where it is determined that the log file of the baseboard management controller is encrypted based on the configuration information of the first configuration item, the encrypting the log file of the baseboard management controller to obtain an encrypted log file includes:
S11, under the condition that encryption processing is carried out on the log file of the baseboard management controller based on the configuration information of the first configuration item, encryption processing is carried out on the log file under the first storage path, and an encrypted log file is obtained, wherein the first storage path is a storage path of the log file of the baseboard management controller.
In view of the different file system paths of the log files of different types, in this embodiment, in order to encrypt the log files of the BMC, the log files under the first storage path may be encrypted.
Here, the first storage path is a storage path of a log file of the baseboard management controller.
Alternatively, in this embodiment, the first storage path may be configured based on one configuration item (e.g., a third configuration item) in the BMC's settings or configuration file.
For example, in this embodiment, the path where the BMC stores the log is /var/lib/log/, and in the case of determining to encrypt the log file of the baseboard management controller based on the configuration information of the first configuration item, the encryption processing may be performed on the log file under /var/lib/log/ to obtain the encrypted log file.
By this embodiment, the security of the BMC log can be improved by encrypting the log file at the designated position.
In an exemplary embodiment, in a case where it is determined that the log file of the baseboard management controller is encrypted based on the configuration information of the first configuration item, the encrypting the log file of the baseboard management controller to obtain an encrypted log file includes:
S21, in the case that the encryption processing is determined to be performed on the log file of the baseboard management controller based on the configuration information of the first configuration item, the encryption processing is performed on the log file of the appointed type of the baseboard management controller, and the encrypted log file is obtained.
In view of the fact that different types of BMC log files record different log contents, in this embodiment, in order to avoid a large number of calls on system resources due to encryption of the BMC log files in their entirety, the encryption process may be performed only on the log files of a specific type of the BMC.
Here, the specified type of log file may be, but is not limited to, a BMC log file containing sensitive information, such as a security log, which may contain details of user names, IP addresses, and login attempts, or a configuration log, which may contain sensitive configuration parameters such as login credentials or network settings for the management interface.
In the case that the encryption processing is determined to be performed on the log file of the baseboard management controller based on the configuration information of the first configuration item, the encryption processing may be performed on the security log file to obtain an encrypted log file.
By means of the embodiment, the data volume of the log file data in the encryption processing can be reduced and the utilization rate of system resources can be improved by conducting the encryption processing on the log file of the appointed type.
In one exemplary embodiment, transmitting the encrypted log file to a secure server for storage includes:
S31, transmitting the encrypted log file to a security server for storage through a specified log service, wherein the specified log service is rsyslog services.
In this embodiment, in order to transfer the encrypted log file to the secure server for storage, a log service may be used.
Here, the specified log service may be the rsyslog service, a log management tool mainly used for Unix and Unix-like systems. rsyslog is an open source system log service for receiving, forwarding, processing, and recording system log messages.
For example, in this embodiment, in conjunction with fig. 3, by configuring the BMC and the server rsyslog, the rsyslog service encrypts the BMC log file and transmits it to the remote secure server (remote), which stores the encrypted file to the secure server.
Alternatively, in this embodiment, plain text format forwarding may be accomplished using the remote forwarding capability of rsyslog services, and rsyslog services may support multiple log formats and transport protocols, where plain text format (Plain Text Format) is a simple text format, typically without any special characters or codes, for easy reading and processing. In log management, this format helps simplify log analysis and processing.
Optionally, in this embodiment, in order to implement remote forwarding of the rsyslog service, corresponding rules and parameters need to be set in the configuration file of the rsyslog service (e.g., located at /etc/rsyslog.conf). For example, the source of the log (i.e., the log file under the first storage path), the address of the secure server, etc. may be specified.
When configuring rsyslog services for remote forwarding, TLS/SSL encrypted transmission may be used to protect the security and integrity of log data during transmission.
According to the embodiment, the service rsyslog is used for transmitting the encrypted log file to the security server for storage, so that the configurability and security of the BMC log file transmission process can be improved.
In one exemplary embodiment, the method further comprises, prior to transmitting the encrypted log file to the secure server for storage by the specified log service:
S41, receiving a copy of a CA certificate of a designated certificate authority and a server public key, wherein the copy is sent by the security server, the server public key is the public key in an asymmetric key pair distributed by the security server, and the designated CA certificate is the CA certificate applied for by the security server;
S42, verifying the validity of the designated CA certificate to obtain a validity verification result of the designated CA certificate;
S43, storing the designated CA certificate and the server public key under the condition that the validity verification result indicates that the validity verification of the designated CA certificate has passed;
S44, generating a random number, encrypting the random number using the server public key to obtain an asymmetrically encrypted random number, and transmitting the asymmetrically encrypted random number to the security server;
S45, under the condition that symmetrically encrypted data sent by the security server is received, decrypting the symmetrically encrypted data using the random number to obtain a first interaction message and a first hash value corresponding to the first interaction message, wherein the symmetrically encrypted data is obtained by the security server decrypting the asymmetrically encrypted random number with the private key corresponding to the server public key to obtain the random number, and then encrypting a second interaction message and a second hash value corresponding to the second interaction message using the random number as a symmetric encryption key;
S46, if the first hash value is the same as the second hash value, configuring a specified log service for the baseboard management controller, and restarting the configured specified log service.
The client receives the copy of the CA certificate and the server public key of the certificate authority sent by the server, so that the client can verify the identity of the server and prevent man-in-the-middle attack; the client side checks the validity of the CA certificate, so that the CA certificate is ensured to be issued by a trusted certificate authority, and the use of a forged CA certificate is avoided; if the validity of the CA certificate passes, the client will save the CA certificate and the server public key for encryption and verification using the server public key during subsequent communications.
The client generates a random number, and encrypts the random number by using the server public key to obtain an asymmetric encrypted random number. That is, a key known only to the client and server is generated for subsequent communication encryption.
In order to enable the server to carry out communication encryption by using the same secret key as the random number generated by the client, the client transmits the asymmetric encrypted random number to the server, and after receiving the asymmetric encrypted random number, the server decrypts the asymmetric encrypted random number by using a private key corresponding to the public key of the server to obtain the random number, and the server obtains the secret key generated by the client.
The server encrypts the second interaction message and the second hash value corresponding to the second interaction message by using the random number as a symmetric encryption key to obtain symmetric encryption data, the server sends the symmetric encryption data to the client, and the client can decrypt by using the random number to obtain the second interaction message and the second hash value.
After the client receives the symmetric encryption data, the symmetric encryption data is decrypted by using the random number to obtain a first interaction message and a first hash value corresponding to the first interaction message, and based on the first interaction message and the first hash value, the client can acquire the message and the hash value sent by the server.
The client compares the first hash value with the second hash value, and if the first hash value and the second hash value are the same, the client indicates that the communication process is not tampered, and the safety of the communication can be ensured.
In order to ensure the security of log collection and transmission on the client, the client configures the rsyslog log service for itself and restarts the configured rsyslog log service in the case that the first hash value and the second hash value are the same.
In the present embodiment, in order to achieve both security and efficiency, both symmetric encryption and asymmetric encryption are used. The data is transmitted with symmetric encryption, which requires a key generated by the client; to ensure that this key can be delivered to the server securely, the key itself is transmitted under asymmetric encryption. In general, the data is encrypted symmetrically and the key used for the symmetric encryption is transmitted by asymmetric encryption. The public key and private key of the server side are used for the asymmetric encryption; the random key generated by the client is used for the symmetric encryption.
That is, in this embodiment, a handshake is required between the client (i.e., the BMC) and the server (i.e., the secure server) before transmitting the data, and the key material used to encrypt the transmitted data is established during the handshake. The specific steps of the handshake process are as follows:
Step 1, the client transmits the set of encryption rules it supports to the server.
Step 2, the server selects one encryption algorithm and one hash algorithm from that set, and sends its own identity information back to the client in the form of a certificate. The certificate contains information such as the address of the server, the encryption public key, and the issuing authority of the certificate.
Step 3, after obtaining the server certificate, the client does the following:
a) Verifies the validity of the certificate (whether the authority issuing the certificate is legitimate, whether the server address contained in the certificate matches the address being accessed, etc.).
b) If the certificate is trusted, or if the user accepts an untrusted certificate, the client generates a string of random numbers and encrypts it with the public key provided in the certificate.
c) Calculates the hash of the handshake information using the agreed hash algorithm, encrypts the information using the generated random number, and finally transmits all the information generated above to the server.
Step 4, after receiving the data sent by the client, the server performs the following operations:
a) Decrypts the information using its own private key to obtain the password (the random number), decrypts the handshake message sent by the client using that password, and verifies whether the hash is consistent with the handshake message sent by the client.
b) Encrypts a handshake message using the password and sends it to the client.
Step 5, the client decrypts the handshake message and calculates its hash; if the hash is consistent with the hash sent by the server, the handshake process ends, and all subsequent communication data is encrypted with the symmetric encryption algorithm using the random password generated by the client earlier.
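The following Go program is an added example, not code from the patent, that carries the exchange of steps S44 to S46 (and steps 3 to 5 above) through end to end on one machine. The page names no algorithms, so it assumes RSA-OAEP for the asymmetric step, AES-256-GCM for the symmetric step and SHA-256 for the hash; it also assumes the CA certificate check of S42/S43 has already passed, and that the client compares the received hash against one it recomputes over the decrypted message. The OAEP label and the message text are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is a constructed (hypothetical) OAEP label; both sides must use the same value.
const oaepLabel = "bmc-log-handshake"
// Server models the secure server: it owns the asymmetric key pair whose public
// half is distributed to the BMC (S41). The private key never leaves the server.
type Server struct{ priv *rsa.PrivateKey }

// Client models the BMC. serverPub is the server public key kept after the CA
// check passed (S42/S43); sessionKey is the random number used as symmetric key (S44).
type Client struct {
	serverPub  *rsa.PublicKey
	sessionKey []byte
}

func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &Server{priv: priv}, nil
}

func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }
func NewClient(serverPub *rsa.PublicKey) *Client { return &Client{serverPub: serverPub} }

// newGCM wraps a 256-bit key as AES-256-GCM (the symmetric cipher chosen for this example).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// ClientHello (S44): generate a random number and encrypt it with the server public key
// (RSA-OAEP), so only the holder of the matching private key can recover it.
func (c *Client) ClientHello() ([]byte, error) {
	key := make([]byte, 32) // 256-bit random number, used later as the AES key
	if _, err := rand.Read(key); err != nil { return nil, err }
	c.sessionKey = key
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, c.serverPub, key, []byte(oaepLabel))
}

// ServerReply (S45, server side): recover the random number with the private key, then
// use it as the symmetric key to encrypt message || SHA-256(message).
func (s *Server) ServerReply(encKey, message []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, encKey, []byte(oaepLabel))
	if err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	sum := sha256.Sum256(message)
	plaintext := append(append([]byte{}, message...), sum[:]...)
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce is prepended to the ciphertext
}

// ClientVerify (S45/S46, client side): decrypt with the random number, split off the
// hash, recompute it over the message and compare. The message is returned only when
// the hashes agree; on any error the BMC must not configure or restart rsyslog.
func (c *Client) ClientVerify(data []byte) ([]byte, error) {
	gcm, err := newGCM(c.sessionKey)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(data) < n { return nil, errors.New("reply too short") }
	plaintext, err := gcm.Open(nil, data[:n], data[n:], nil)
	if err != nil { return nil, err } // GCM tag failure: the reply was modified in transit
	if len(plaintext) < sha256.Size { return nil, errors.New("reply carries no hash") }
	cut := len(plaintext) - sha256.Size
	msg, recvHash := plaintext[:cut], plaintext[cut:]
	if sum := sha256.Sum256(msg); !bytes.Equal(sum[:], recvHash) {
		return nil, errors.New("hash mismatch: message and hash disagree")
	}
	return msg, nil
}

// RunHandshake drives one complete exchange and returns the verified server message.
func RunHandshake(srv *Server, message []byte) ([]byte, error) {
	cli := NewClient(srv.PublicKey()) // assumes the CA certificate check (S42/S43) already passed
	hello, err := cli.ClientHello()
	if err != nil { return nil, err }
	reply, err := srv.ServerReply(hello, message)
	if err != nil { return nil, err }
	return cli.ClientVerify(reply)
}

func main() {
	srv, _ := NewServer()
	msg, err := RunHandshake(srv, []byte("handshake ok: configure rsyslog"))
	fmt.Println(string(msg), err)
}
```

Because AES-GCM already authenticates the ciphertext, a modified reply fails at the tag check before the hash comparison is reached; the hash check mirrors the page's S46 comparison and also catches a server that sends a message and hash that disagree.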
Alternatively, in this embodiment, generating the private key of the CA certificate and generating the CA certificate from the CA private key may be implemented with the certtool tool. certtool is a tool provided by the GnuTLS library on Linux; GnuTLS is a secure communication library that implements the SSL, TLS and DTLS protocols and related technologies.
The flow of encrypting the transfer log by TLS (SSL) is as follows:
a. Setting up a CA certificate:
Generating the private key of the CA certificate: certtool invokes the certtool application, the --generate-privkey parameter indicates that the command generates a private key, and the file name given after the --outfile parameter is the name of the private key file written by the command.
certtool --generate-privkey --outfile ca-key.pem
Generating the self-signed CA certificate from the CA private key: the --generate-self-signed parameter indicates that the command generates a self-signed certificate, the --load-privkey parameter indicates that the following file ca-key.pem is read, so the certificate is based on the private key in ca-key.pem, and finally ca.pem is output:
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
The CA certificate is set up on the server. ca-key.pem stays on the server side, must be strictly kept secret and stored, must not be leaked, and is the root of the entire chain of trust. Copies of ca.pem are distributed to all clients, so the server-side rsyslog knows that clients holding a copy of the certificate can be trusted.
b. Generating certificates for the server and the client:
Generating a 2048-bit RSA private key: the --bits parameter gives the size of the generated RSA private key in bits:
certtool --generate-privkey --outfile key.pem --bits 2048
Generating a certificate request in PKCS#10 format from the private key:
certtool --generate-request --load-privkey key.pem --outfile request.pem
Generating the signed certificate: the command reads request.pem, ca.pem and ca-key.pem and finally writes cert.pem:
certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
Based on this, the generated ca.pem can be used as the CA certificate that verifies keys and certificates on the logging server and client, cert.pem is the public key (certificate), and key.pem is the private key. At this point the private key, public key and certificate required for encrypted transmission have been generated. The next step is to configure rsyslog for the client, which is the BMC, and for the server, which is the remote security server.
Stage 1, setting up the CA: generating a self-signed CA certificate and protecting ca-key.pem;
Stage 2, identifying the machines by certificate: the CA copies the CA's certificate to each machine; each machine generates a certificate request and sends it to the CA; the CA signs the certificate and sends it back to each machine. Stage 2 corresponds to that shown in fig. 4.
It should be noted that the configuration of the server and the client only sets some parameters for the interaction of the two parties.
By the embodiment, the communication safety between the client and the server can be ensured, and man-in-the-middle attack and data tampering are prevented.
In one exemplary embodiment, configuring a specified log service for the baseboard management controller and restarting the configured specified log service in a case where the first hash value is the same as the second hash value, includes:
S51, under the condition that the first hash value is the same as the second hash value, a configuration file is created for the specified log service under a specified file directory, and a target configuration file is obtained;
S52, adding a group of configuration items for the specified log service to the target configuration file to configure the specified log service, and restarting the configured specified log service, wherein the group of configuration items comprises at least one of the following: a copy of the specified CA certificate, the server public key, the random number.
Optionally, in this embodiment, the server rsyslog is configured as follows:
A new file, such as tls_server.conf, is created in the /etc/rsyslog.d/ directory on the server.
To encrypt the communication, the configuration file must contain the paths to the server's certificate files, the chosen authentication method, and the stream driver that supports TLS encryption. The tls_server.conf file is configured as follows:
# Set certificate files
# Global variables. The NETSTREAMDRIVER is the encrypted stream driver named by Streamdriver.name below
# (ossl in this embodiment; gtls is the other available driver).
global(
# path of the default NETSTREAMDRIVER root (CA) certificate
DefaultNetstreamDriverCAFile="ca.pem"
# path of the default NETSTREAMDRIVER public key (certificate)
DefaultNetstreamDriverCertFile="cert.pem"
# path of the default NETSTREAMDRIVER private key
DefaultNetstreamDriverKeyFile="key.pem"
)
# TCP listener
module(
load="imtcp"
# mutual authentication of server and client by certificate name
Streamdriver.authmode="x509/name"
# mode 1 means the driver runs in TLS-only mode, i.e. only TLS-encrypted connections are accepted
Streamdriver.mode="1"
# use the rsyslog-openssl stream driver
Streamdriver.name="ossl"
)
# Listen on port 514, transport type TCP
input(
type="imtcp"
# TCP port 514 as used by the rsyslog convention
port="514"
)
Optionally, in this embodiment, the client rsyslog is configured as follows:
Create a new client configuration file under the client /etc/rsyslog.d directory, such as tls_client.conf, and add the following configuration to it:
# Set certificate files
global(
DefaultNetstreamDriverCAFile="ca.pem"
DefaultNetstreamDriverCertFile="cert.pem"
DefaultNetstreamDriverKeyFile="key.pem"
)
# Set up the action for all messages
*.* action(
type="omfwd"
StreamDriver="ossl"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name"
target="server.example.com" port="514" protocol="tcp"
)
Optionally, in this embodiment, after the configuration is completed, rsyslog is restarted on the client and the server:
systemctl restart rsyslog
In an exemplary embodiment, after reading the configuration information of the first configuration item in a case where the baseboard management controller is started, the method further includes:
S61, storing the log file of the baseboard management controller under a second storage path, wherein the second storage path is a storage path of the log file of the baseboard management controller, under the condition that the log file of the baseboard management controller is not encrypted based on the configuration information of the first configuration item.
The log file storage path of the BMC may vary from hardware manufacturer to hardware manufacturer and from BMC software, and in this embodiment, the storage path of the BMC log file may be determined, but is not limited to, by:
Step 1, checking documentation: referring to the documentation or user manual of the BMC device in use to learn the default setting of the log file storage path.
Step 2, logging in to the BMC: logging in to the Web interface or command line interface of the BMC using a browser or another remote management tool.
Step 3, searching the log settings: searching the settings or configuration options of the BMC for settings related to the log files, including the storage location of the log files, log levels, log rotation strategies, and so on.
Step 4, determining the storage path: determining the storage path of the log file according to the settings and configuration of the BMC, where the second storage path may be a file system path, such as /var/log/BMC.
Step 5, adjusting the settings (if necessary): the settings can be adjusted in the BMC to change the storage path of the log file. It should be noted that changing the storage path may require reconfiguring the BMC or restarting the BMC service.
Step 6, verifying the change: after the log file storage path is changed, checking whether the BMC records the log normally and ensuring that the log file is stored in the new location.
Optionally, in this embodiment, to ensure security of the BMC log, access to the log may also be restricted, the log may be periodically reviewed to find potential security issues, and so on.
As an alternative exemplary embodiment, taking a log file of the BMC as an example, a method of storing the log file will be explained.
The application provides a configurable protection mode which encrypts the log when the BMC is started and transmits the encrypted log to a security server for protection. This mode provides a security protection scheme aimed at security holes in the log system, supplements and enhances the conventional security protection mode, and improves the overall security and stability of the BMC system.
When the BMC is started, bidirectional (mutual) encrypted authentication is performed for the log, and the log is forwarded to the security server for storage.
The log file storage system for realizing the log file storage method comprises three main modules, a log configuration module, a log encryption module and a log storage module, wherein the log configuration module and the log encryption module are realized in a local BMC, and the log storage module is realized in a remote security server. The interactions between the modules are shown in fig. 5.
The log configuration module stores configuration information, and whether the log encryption module is informed to carry out log encryption transmission or not is selected according to the configuration; the log encryption module receives log configuration and encrypts and transmits the log to a remote target server according to configuration information; the log storage module receives the encrypted log and stores the encrypted log in the security server.
Specifically, 1) a log configuration module:
the log configuration module provides a configuration interface:
{
Encryption: whether to turn on encrypted transmission (true/false),
RemoteTarget: remote secure server address
}
After the BMC is started, the configuration is read, and if Encryption is true, the log configuration module sends the configuration information to the log encryption module to trigger the next flow.
2) Log encryption module:
The log encryption module receives the log configuration and builds on the remote forwarding capability of rsyslog, which by itself forwards in plain text, by encrypting the log based on TLS. The advantages are that the log is encrypted while it travels on the wire, and that the sender verifies the identity of the receiver, so that the sender knows who it is talking to; at the same time the receiver also authenticates the sender, so that the sender can check that it has indeed delivered to the intended address. This mutual authentication mode offers higher security and prevents man-in-the-middle attacks.
The secure encryption and authentication above rest on public/private key security, so the private key must be kept secret: if the private key becomes known to a third-party system, security can no longer be guaranteed. The encryption is based on X.509 certificates and a deliberately limited chain of trust.
3) Log storage module:
The log storage module is implemented on the remote security server. The security server receives the encrypted log forwarded through rsyslog and stores it; because the security server has stronger hardware and software protection, the security of the log is further ensured.
Specifically, in connection with fig. 6, the BMC log security protection method may include the following steps:
step 1, after the BMC is started, read the log encryption configuration;
step 2, determine whether encryption is to be performed based on the configuration information;
step 3, if encryption is determined, forward the log through rsyslog encrypted forwarding, and the remote server receives and stores the log;
step 4, if encryption is not determined, store the log in an unencrypted state.
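As an added example (not the application's own code), the following Go function renders the rsyslog fragment that steps 2 to 4 select from the {Encryption, RemoteTarget} configuration: a TLS forwarding action in x509/name mutual-authentication mode when encryption is enabled, otherwise a plain local file action. The file paths, the permitted peer name and port 6514 are assumptions; the text does not name them.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// LogConfig mirrors the configuration interface of the log configuration module.
type LogConfig struct {
	Encryption   bool   `json:"Encryption"`
	RemoteTarget string `json:"RemoteTarget"`
}

// TLSFiles holds the paths of the TLS material on the BMC and the name the
// security server's certificate must carry (assumed names, not from the text).
type TLSFiles struct{ CA, Cert, Key, PeerName string }

// RsyslogConfig renders the rsyslog fragment selected by steps 2 to 4:
// mutually authenticated TLS forwarding when Encryption is true, otherwise
// the unencrypted local file action of step 4.
func RsyslogConfig(raw []byte, f TLSFiles, localPath string) (string, error) {
	var c LogConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	if !c.Encryption {
		return fmt.Sprintf("*.* action(type=\"omfile\" file=%q)\n", localPath), nil
	}
	// Refuse to emit a forwarding rule that could only run unauthenticated.
	if c.RemoteTarget == "" || f.CA == "" || f.Cert == "" || f.Key == "" || f.PeerName == "" {
		return "", errors.New("encryption enabled but RemoteTarget or TLS material missing")
	}
	var b strings.Builder
	fmt.Fprintf(&b, "global(\n  DefaultNetstreamDriver=\"gtls\"\n")
	fmt.Fprintf(&b, "  DefaultNetstreamDriverCAFile=%q\n", f.CA)
	fmt.Fprintf(&b, "  DefaultNetstreamDriverCertFile=%q\n", f.Cert) // BMC's own certificate
	fmt.Fprintf(&b, "  DefaultNetstreamDriverKeyFile=%q\n)\n", f.Key)  // BMC's private key
	// Port 6514 is the syslog-over-TLS port (assumption; RemoteTarget is only an address).
	fmt.Fprintf(&b, "*.* action(type=\"omfwd\" target=%q port=\"6514\" protocol=\"tcp\"\n", c.RemoteTarget)
	fmt.Fprintf(&b, "  StreamDriver=\"gtls\" StreamDriverMode=\"1\"\n")
	// x509/name: the BMC verifies the server certificate chain and its name.
	fmt.Fprintf(&b, "  StreamDriverAuthMode=\"x509/name\" StreamDriverPermittedPeers=%q)\n", f.PeerName)
	return b.String(), nil
}
```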
It should be noted that any modifications and changes made without departing from the spirit and scope of the present application, in particular performing bidirectional encrypted authentication and storing the log on a remote security server when the BMC is started, all fall within the scope of the present application.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method of the various embodiments of the present application.
According to another aspect of the embodiments of the present application, a log file storage device is further provided, and the device is used for implementing the log file storage method provided in the foregoing embodiments, which is not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 7 is a block diagram of a log file storage device according to an embodiment of the present application, where, as shown in fig. 7, the device includes:
A reading unit 702, configured to read configuration information of a first configuration item when the baseboard management controller is started, where the first configuration item is used to indicate whether to encrypt a log file of the baseboard management controller;
A processing unit 704, configured to, in a case where it is determined that the log file of the baseboard management controller is encrypted based on the configuration information of the first configuration item, encrypt the log file of the baseboard management controller to obtain an encrypted log file;
And a transmission unit 706, configured to transmit the encrypted log file to a security server for storing, where an address of the security server is indicated by configuration information of the second configuration item.
It should be noted that, the reading unit 702 in this embodiment may be used to perform the step S202, the processing unit 704 in this embodiment may be used to perform the step S204, and the transmitting unit 706 in this embodiment may be used to perform the step S206.
According to the embodiment of the application, under the condition that the baseboard management controller is started, the configuration information of the first configuration item is read, wherein the first configuration item is used for indicating whether the log file of the baseboard management controller is encrypted; under the condition that the log file of the baseboard management controller is determined to be encrypted based on the configuration information of the first configuration item, the log file of the baseboard management controller is encrypted to obtain an encrypted log file; the encrypted log file is transmitted to a security server for storage, wherein the address of the security server is indicated by the configuration information of the second configuration item, and the problem that the log file storage method in the related technology has lower security is solved.
In one exemplary embodiment, a processing unit includes:
The first processing module is used for carrying out encryption processing on the log files under the first storage path to obtain encrypted log files under the condition that the encryption processing on the log files of the baseboard management controller is determined based on the configuration information of the first configuration item, wherein the first storage path is a storage path of the log files of the baseboard management controller.
In one exemplary embodiment, a processing unit includes:
and the second processing module is used for carrying out encryption processing on the log file of the appointed type of the baseboard management controller to obtain an encrypted log file under the condition that the encryption processing on the log file of the baseboard management controller is determined based on the configuration information of the first configuration item.
In one exemplary embodiment, a transmission unit includes:
and the transmission module is used for transmitting the encrypted log file to the security server for storage through a specified log service, wherein the specified log service is the rsyslog service.
In an exemplary embodiment, the above apparatus further includes:
The receiving unit is used for receiving a copy of the CA certificate of the appointed certificate authority and a server public key, which are sent by the security server, before the encrypted log file is transmitted to the security server for storage through the appointed log service, wherein the server public key is a public key in an asymmetric key pair distributed by the security server, and the appointed CA certificate is a CA certificate applied by the security server;
the verification unit is used for verifying the validity of the appointed CA certificate to obtain a validity verification result of the appointed CA certificate;
A storage unit configured to store the specified CA certificate and the server public key in a case where the validity check result is used to indicate that the validity check of the specified CA certificate passes;
The execution unit is used for generating a random number, encrypting the random number by using a server public key to obtain an asymmetric encrypted random number, and transmitting the asymmetric encrypted random number to the security server;
The decryption unit is used for, when symmetric encryption data sent by the security server is received, decrypting the symmetric encryption data with the random number to obtain a first interaction message and a first hash value corresponding to the first interaction message. The symmetric encryption data is produced by the security server as follows: the security server decrypts the asymmetrically encrypted random number with the private key corresponding to its public key to recover the random number, and then uses the random number as the symmetric encryption key to encrypt a second interaction message and a second hash value corresponding to the second interaction message;
And the configuration unit is used for configuring the specified log service for the baseboard management controller and restarting the configured specified log service under the condition that the first hash value is the same as the second hash value.
In one exemplary embodiment, a configuration unit includes:
The creation module is used for creating a configuration file for the specified log service under the specified file directory under the condition that the first hash value is the same as the second hash value to obtain a target configuration file;
The execution module is used for adding a group of configuration items to the specified log service in the target configuration file to configure the specified log service and restarting the configured specified log service, wherein the group of configuration items comprises at least one of the following: a copy of the specified CA certificate, a server public key, a random number.
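As an added example (not the application's own code), the following Go code carries out the random-number exchange of the execution, decryption and configuration units above with both sides' messages: the BMC encrypts a 32-byte random number to the server public key, the server recovers it and uses it as the symmetric key to wrap an interaction message together with its hash, and the BMC unwraps the reply and compares the recomputed hash with the received one before it would create the rsyslog configuration. RSA-OAEP, AES-256-GCM and SHA-256 are assumptions; the text names no concrete algorithms, and the CA certificate check that precedes this exchange is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// BMC, step 1: draw the random number and encrypt it with the server public key.
func bmcHello(pub *rsa.PublicKey) (key, encRandom []byte, err error) {
	key = make([]byte, 32) // 256-bit random number, later the symmetric key
	rand.Read(key)
	encRandom, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return key, encRandom, err
}

// Security server: recover the random number with the private key, then wrap the
// interaction message plus its SHA-256 hash under that key. nil means refuse.
func serverWrap(priv *rsa.PrivateKey, encRandom, msg []byte) []byte {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encRandom, nil)
	if err != nil || len(key) != 32 {
		return nil
	}
	blk, _ := aes.NewCipher(key) // AES-256-GCM is an assumption, see lead-in
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	sum := sha256.Sum256(msg)
	return g.Seal(nonce, nonce, append(msg, sum[:]...), nil) // nonce || ciphertext
}

// BMC, step 2: unwrap the reply, recompute the hash over the received message and
// compare it with the received hash; rsyslog is configured only when ok is true.
func bmcVerify(key, sealed []byte) (msg []byte, ok bool) {
	blk, _ := aes.NewCipher(key) // key is the BMC's own 32-byte random number
	g, _ := cipher.NewGCM(blk)
	n := g.NonceSize()
	if len(sealed) < n+g.Overhead()+sha256.Size {
		return nil, false
	}
	plain, err := g.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return nil, false
	}
	msg, got := plain[:len(plain)-sha256.Size], plain[len(plain)-sha256.Size:]
	want := sha256.Sum256(msg)
	return msg, string(want[:]) == string(got)
}
```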
In an exemplary embodiment, the above apparatus further includes:
And the storage unit is used for storing the log file of the baseboard management controller under a second storage path when the log file of the baseboard management controller is determined not to be encrypted based on the configuration information of the first configuration item after the configuration information of the first configuration item is read under the condition that the baseboard management controller is started, wherein the second storage path is a storage path of the log file of the baseboard management controller.
Embodiments of the present application also provide a computer program product comprising a computer program which, when executed by a processor, implements the steps of any of the method embodiments described above.
Embodiments of the present application also provide another computer program product comprising a non-volatile computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the method embodiments described above.
Embodiments of the present application also provide a computer program comprising computer instructions stored in a computer-readable storage medium; the processor of the computer device reads the computer instructions from the computer readable storage medium and executes the computer instructions to cause the computer device to perform the steps of any of the method embodiments described above.
Embodiments of the present application also provide a computer readable storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
In one exemplary embodiment, the computer readable storage medium may include, but is not limited to: various media capable of storing a computer program, such as a USB disk, ROM (Read-Only Memory), RAM (Random Access Memory), a removable hard disk, a magnetic disk, or an optical disk.
An embodiment of the application also provides an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
In an exemplary embodiment, the electronic device may further include a transmission device connected to the processor, and an input/output device connected to the processor.
Specific examples in this embodiment may refer to the examples described in the foregoing embodiments and the exemplary implementation, and this embodiment is not described herein.
It will be appreciated by those skilled in the art that the modules or steps of the application described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, they may be implemented in program code executable by computing devices, so that they may be stored in a storage device for execution by computing devices, and in some cases, the steps shown or described may be performed in a different order than that shown or described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps of them may be fabricated into a single integrated circuit module. Thus, the present application is not limited to any specific combination of hardware and software.
The above is only a preferred embodiment of the present application, and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the principle of the present application should be included in the protection scope of the present application.