A file audit and protection method based on linux security module

A security module and file technology, applied to computer security devices, computing and digital data protection, that addresses problems such as insufficient stability and poor system version compatibility and the inability to achieve file protection, with the stated effects of outstanding substantive features, reliable design principles and good stability.

Active Publication Date: 2019-01-25
Applicant: 中孚安全技术有限公司 (and 2 others)

AI Technical Summary

Problems solved by technology

[0002] File auditing and protection under Linux is currently implemented mainly with inotify and InlineHook, but both approaches have problems. inotify is a tool for detecting changes in the file system; file auditing can be implemented with it, but file protection (file anti-deletion, anti-modification, file hiding, etc.) cannot. In addition, the number of files it can monitor has an upper limit, and files beyond that threshold are not monitored.
[0003] InlineHook is a technique for hooking system functions: the leading instructions of the target function are replaced with a jump to another instruction area, which runs before the original function and then jumps back to it. That instruction area is usually a function written by the module author to carry out file auditing and protection according to the security policy. Because the technique depends on instruction modification and jumps, it is weak in stability and system version compatibility.



Embodiment 1

[0060] As shown in Figures 1-2, a file auditing and protection method based on a Linux security module comprises the following steps:

[0061] S1: the security module defines hook functions related to file operations;

[0062] S2: the hook functions are registered into the LSM framework;

[0063] S3: the module is compiled into a kernel ko module, and security access control is implemented in the form of a Linux kernel ko module.

[0064] Step S1 includes:

[0065] S11: define a global table and specify a list of hook functions to be implemented therein;

[0066] S12: perform file operation auditing in the specified hook functions;

[0067] S13: set the return value of the hook functions to implement file protection.

[0068] In step S11, a global table of the security_operations structure is defined, and the specified hook functions include:

[0069] File copy / creation judgment function, file deletion judgment function, directory copy / creation judgment function, directory deletion judgment function, ...

Embodiment 2

[0102] A file auditing and protection method based on a Linux security module comprises the following steps:

[0103] (1) Define the global table of the security_operations structure and specify the list of hook functions to be implemented, including: inode_create, inode_unlink, inode_mkdir, inode_rmdir, inode_rename, inode_setattr, file_open and file_permission.

[0104] In the hook functions specified above, file operation auditing is performed: the complete name of the operated file is obtained from the function parameters, and the type of file operation is identified from which hook function was invoked. Some file operations are special and involve several hook functions; these are identified by combining the hooks.

[0105] A: The file operation type identification process is as follows:

[0106] The following two file operations are judged in the inode_create hook function:

[0107] a: file copy operation

[0108] W...
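As an added example (not the patent's code or any product of 中孚安全技术有限公司), the following userspace C model shows the S11-S13 logic shared by Embodiment 1 and Embodiment 2: the hook that fired identifies the operation type, the full path selects the policy, and the hook's return value enforces protection. The eight hook names are the ones the page lists; the policy paths, the PROT_* flags and lsm_decide() are assumptions, and a real module would be built against kernel headers rather than compiled as a userspace program like this.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Userspace model of the S11-S13 decision logic (added example, not the patent's
 * code). Each enum value stands for one hook the page lists; a real module installs
 * one function per hook in the kernel's table (struct security_operations before
 * Linux 4.2, LSM_HOOK_INIT entries registered via security_add_hooks() since 4.2). */
enum lsm_hook { H_INODE_CREATE, H_INODE_UNLINK, H_INODE_MKDIR, H_INODE_RMDIR,
                H_INODE_RENAME, H_INODE_SETATTR, H_FILE_OPEN, H_FILE_PERMISSION };
static const char *HOOK_NAME[] = { "inode_create", "inode_unlink", "inode_mkdir",
    "inode_rmdir", "inode_rename", "inode_setattr", "file_open", "file_permission" };
#define MAY_WRITE      0x2   /* the write bit of the mask file_permission receives */
#define PROT_NO_DELETE 0x1   /* policy flags: what S13 must refuse */
#define PROT_NO_MODIFY 0x2
struct policy { const char *prefix; unsigned flags; };
static const struct policy POLICY[] = {   /* constructed sample policy, hypothetical paths */
    { "/etc/secure/",    PROT_NO_DELETE | PROT_NO_MODIFY },
    { "/var/log/audit/", PROT_NO_DELETE },
};

static int audit_records;   /* S12: every hook invocation leaves an audit record */
static void audit(enum lsm_hook h, const char *path, int rc) {
    printf("audit: %-15s %s -> %s\n", HOOK_NAME[h], path, rc ? "DENY" : "allow");
    audit_records++;
}
int audit_record_count(void) { return audit_records; }

/* S12+S13: the hook that fired names the operation, the full path recovered from
 * the hook's arguments selects the policy, and the return value (0 or -EPERM) is
 * what the kernel hands back to the caller. For inode_rename `path` is the source
 * name; `mask` matters only for file_permission. */
int lsm_decide(enum lsm_hook h, const char *path, int mask) {
    unsigned flags = 0; int rc = 0;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++)
        if (strncmp(path, POLICY[i].prefix, strlen(POLICY[i].prefix)) == 0)
            flags |= POLICY[i].flags;
    switch (h) {
    case H_INODE_UNLINK: case H_INODE_RMDIR:
        if (flags & PROT_NO_DELETE) rc = -EPERM; break;
    case H_INODE_RENAME:      /* renaming away removes the protected name */
        if (flags & (PROT_NO_DELETE | PROT_NO_MODIFY)) rc = -EPERM; break;
    case H_INODE_SETATTR:
        if (flags & PROT_NO_MODIFY) rc = -EPERM; break;
    case H_FILE_PERMISSION:   /* reads stay allowed; only writes are refused */
        if ((flags & PROT_NO_MODIFY) && (mask & MAY_WRITE)) rc = -EPERM; break;
    default: break;           /* create, mkdir, open: audited, never blocked */
    }
    audit(h, path, rc);
    return rc;
}
```

Deny decisions surface to the calling process as EPERM from the corresponding syscall, which is the behaviour an audit pipeline should expect to see alongside the module's own records.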


Abstract

The invention provides a file audit and protection method based on a Linux security module, comprising the following steps: a security module defines hook functions related to file operations; the hook functions are registered into the LSM framework; the module is compiled into a kernel ko module, and security access control is implemented as a Linux kernel ko module. The step in which the security module defines the hook functions related to file operations comprises: defining a global table and specifying in it the list of hook functions to be implemented; performing file operation auditing in the specified hook functions; and setting the return value of the hook functions to protect files.

Description

Technical field

[0001] The invention relates to the technical field of file auditing and protection under Linux, in particular to a file auditing and protection method based on a Linux security module.


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/62, G06F8/41
CPC: G06F8/41, G06F21/6218
Inventors: 张雷, 袁浩, 苗功勋
Owner: 中孚安全技术有限公司