A sis trusted system directory access control function test method and system
By using automated testing methods to obtain trusted computer configuration files, simulate access behavior, and generate security audit logs, the problem of low efficiency in traditional manual testing is solved, enabling efficient, comprehensive, and reliable testing of the directory access control function of the SIS system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HUANENG POWER INT CO LTD RIZHAO POWER PLANT
- Filing Date
- 2026-02-28
- Publication Date
- 2026-06-05
AI Technical Summary
Traditional manual methods cannot meet the needs of systematic, automated, and stability testing of the directory access control function of SIS system. The testing process is cumbersome, time-consuming, and difficult to cover complex access scenarios, which affects project progress and testing depth.
An automated testing method is used to obtain trusted computer configuration files, generate security audit logs, simulate unauthorized and authorized process access behavior, verify the security audit logs, and generate a structured test report.
It enables automated and standardized testing of directory access control functions, improving testing efficiency and consistency. It allows for large-scale verification in a short time, ensuring the stability of policy configuration and access control, and generating standardized test reports.
Smart Images

Figure CN122152698A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of trusted system testing, specifically relating to a test method and system for the directory access control function of a SIS trusted system. Background Technology
[0002] The domestically developed trusted SIS system introduces a directory access control mechanism within its secure and trusted architecture. By binding critical directories within the system to specific principal processes, it achieves fine-grained access management of core resources. In this mechanism, principal processes such as SIS application services and performance calculation scripts are explicitly authorized; only these pre-defined processes can perform read, write, or run operations on designated object directories. Meanwhile, critical resources such as real-time database storage paths, system configuration file directories, and application script directories are all classified as object directories, prohibiting access by any unauthorized processes. Through this approach, it effectively prevents the unauthorized reading or malicious tampering of core production data, ensuring the integrity and confidentiality of system operation data, and is a crucial component of the trusted SIS system.
[0003] After the trusted security module is deployed in the SIS system, the directory access control function must undergo rigorous verification to ensure accurate policy configuration, effective access blocking, and clear permission boundaries. However, traditional manual testing methods rely on operations personnel to manually enter each directory to verify permissions and attempt access. This process is cumbersome, time-consuming, and inefficient. More importantly, manual testing struggles to comprehensively verify the stability of access control policies during continuous operation and cannot simulate complex scenarios such as high-frequency access, concurrent access, and abnormal access. Therefore, it lacks effective verification of the module's robustness, policy consistency, and error handling capabilities.
[0004] For a SIS system deployed in an industrial field, directory access control policies involve a large number of directories and complex access relationships. If comprehensive testing is conducted manually, it will inevitably consume a lot of human resources and time, affecting project progress and making it difficult to guarantee the depth and completeness of testing. As the requirements for trusted security continue to upgrade, relying solely on traditional manual methods can no longer meet the requirements for systematic, automated, and stable testing of directory access control functions. Summary of the Invention
[0005] The purpose of this invention is to overcome the problem that traditional manual methods cannot meet the requirements of systematic, automated, and stable testing of directory access control functions, and to provide a test method and system for directory access control functions of a trusted SIS system.
[0006] To achieve the above objectives, the present invention adopts the following technical solution: In a first aspect, the present invention provides a method for testing the directory access control function of a trusted system (SIS), comprising the following steps: Obtain the configuration file of the trusted computer, and based on the configuration file of the trusted computer, obtain the test parameters for directory access control; Start the trusted computer to execute test commands and generate a security audit log when the trusted computer executes the test commands; Verify the security audit logs and output the verification results as a structured document; Upload the test report based on the structured document.
[0007] A further improvement of this invention is that the test parameters for directory access control include the main application file to be used, the object directory path, the test time range, and the scenario for automated testing.
[0008] A further improvement of this invention lies in the following specific method for initiating a trusted computer to execute test instructions: Obtain test instructions from the trusted computer, and enable corresponding directory access control according to the test instructions from the trusted computer; Based on the test instructions of the trusted computer, execute the access control policies for the files and directories configured in the configuration file. Based on the access control policy, simulate unauthorized access and attacks by unauthorized processes, and verify legitimate access by authorized processes.
[0009] A further improvement of the present invention is that the simulation of unauthorized access and attack by unauthorized processes includes using unauthorized processes to illegally create files in a directory, read files in a directory, modify files in a directory, delete files in a directory, and delete directories.
[0010] A further improvement of the present invention is that the legal access verification of the authorized process includes using the authorized process to create files in the directory, read files in the directory, modify files in the directory, and delete files in the directory.
[0011] A further improvement of this invention lies in the following specific method for verifying security audit logs and outputting the verification results as a structured document: Obtain security audit logs, parse the security audit logs, and obtain the relevant security events within the security audit logs; Verify that the security audit logs record all security events completely and accurately, and output the verification results as a structured document.
[0012] A further improvement of this invention is that the relevant security events in the security audit log include policy configuration data, access denial data, and file modification attempt data.
[0013] A further improvement of this invention is that the verification result includes event type, timestamp, source user / process, target directory, and operation result.
[0014] Secondly, the present invention provides a test system for the directory access control function of a trusted system (SIS), comprising: The parameter acquisition module is used to obtain the configuration file of the trusted computer and, based on the configuration file of the trusted computer, obtain the test parameters for directory access control. The log generation module is used to start a trusted computer to execute test instructions and generate security audit logs when the trusted computer executes test instructions. The log verification module is used to verify security audit logs and output the verification results as a structured document. The output module is used to upload test reports based on structured documents.
[0015] Compared with the prior art, the present invention has the following beneficial effects: This invention and method automate and standardize directory access control testing. By automatically parsing configuration files to obtain test parameters, it automatically executes commands for illegal access, legal access, and policy verification, making the testing process repeatable and transferable, independent of manual operation, and significantly improving testing efficiency and consistency. This invention triggers multiple access behaviors through preset test commands and automatically generates security audit logs, enabling systematic verification of large-scale directories and multiple types of operations in a short time, improving the comprehensiveness of the test. This invention uses a trusted computer to automatically execute commands and generate audit logs in real time, reflecting the behavior of the access control module under actual operating conditions, ensuring stability and reliability across different time periods and access modes. This invention uses security audit logs as a trusted basis, verifying key fields such as event type, timestamp, source process, and access result in the logs to ensure that actions such as policy configuration, illegal access interception, and authorized access are fully recorded, achieving traceability and verifiability of access control behavior. This invention automatically converts test data into a standardized test report format through structured document output and automated report uploading mechanisms. This avoids omissions, distortions, and format inconsistencies caused by manual archiving, achieving standardization, visualization, and archiving of test results. This further reduces manual workload and improves test quality. In summary, this invention, through automated execution of test instructions, systematic parsing of audit logs, and standardized output of test results, achieves high-efficiency, high-coverage, and high-reliability verification of directory access control functions. It effectively overcomes the problems of traditional manual methods, such as being cumbersome, inefficient, unreliable, and unable to cover complex scenarios, significantly improving the testing quality and engineering application value of directory access control functions in SIS trusted systems. Attached Figure Description
[0016] Figure 1 This is a flowchart of the present invention; Figure 2 This is a system diagram of the present invention; Figure 3 This is a system diagram of Example 4. Detailed Implementation
[0017] To further understand the content of this invention, the invention will be described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the embodiments are merely illustrative and not limiting of the invention.
[0018] Example 1: See Figure 1 A test method for directory access control functions in a trusted SIS system includes the following steps: S1, obtain the configuration file of the trusted computer, and obtain the test parameters for directory access control based on the configuration file of the trusted computer.
[0019] S2, initiates the trusted computer to execute test instructions, and generates a security audit log when the trusted computer executes the test instructions.
[0020] S3 verifies the security audit logs and outputs the verification results as a structured document.
[0021] S4, upload the test report based on the structured document.
[0022] This invention verifies the basic configuration, policy effectiveness, access control logic, and security auditing functions of the directory access control system. By executing key test cases frequently over extended periods or cyclically switching the operating status of the access control module, this invention monitors the stability and reliability of the function under continuous operation, as well as its impact on overall system performance.
[0023] Example 2: See Figure 2 A test system for directory access control functions in a trusted SIS system, comprising: The parameter acquisition module is used to obtain the configuration file of the trusted computer and, based on the configuration file of the trusted computer, obtain the test parameters for directory access control.
[0024] The log generation module is used to start a trusted computer to execute test commands and generate security audit logs when the trusted computer executes test commands.
[0025] The log verification module is used to verify security audit logs and output the verification results as a structured document.
[0026] The output module is used to upload test reports based on structured documents.
[0027] This invention covers multiple dimensions, including policy configuration, legal access, illegal access, security auditing, and stability, achieving in-depth verification of directory access control functions. Through simulating real-world attack scenarios and log auditing, this invention ensures the actual effectiveness of the security functions. By conducting stress tests involving prolonged repetitive execution of critical operations and high-frequency switching of the access control module's state, this invention comprehensively evaluates the stability and reliability of the function under continuous operation and dynamic state changes. The structured test report generated by this invention provides clear and detailed evidence for security assessments and compliance audits.
[0028] Example 3: This embodiment is based on a trusted computer environment and automates the configuration of directory access control policies, illegal access testing, legal access testing, security audit verification, and report generation, thereby achieving systematic testing of directory access control functions.
[0029] Step one: Configure a file, for example, named test.config, on the trusted computer. This configuration file contains the directory access control test parameters required for this test, including: the path of the main application file used to access the object directory, the path of the object directory to be controlled, the test time range, and the test scenario used in this automated test (such as initialization test or stability test). Before running, the test script reads this configuration file and extracts the above parameters as input information for the entire test process.
[0030] Step two: On the trusted computer, launch the automated test script. Based on the test instructions parsed from the configuration file, the script sequentially executes the activation and policy configuration of the directory access control module. First, the script obtains the preset test instructions from the trusted computer and enables the directory access control function accordingly, putting the access control module into working mode. Next, based on the subject process file and object directory path in the configuration file, the script automatically generates the corresponding access control policy at the system level. This policy includes allowing only specified subject applications to perform legal operations such as reading, writing, and executing on the target directory, while prohibiting other unauthorized processes from accessing the directory.
[0031] Step three: The script begins simulating access behavior according to the test instructions. In this embodiment, unauthorized access and attack behaviors are executed by an unauthorized process. Specific unauthorized operations include: attempting to create, read, modify, or delete files within the controlled directory, and deleting the entire directory. By simulating each of the above operations under an unauthorized subject environment, the interception effect of the directory access control module on different unauthorized behaviors and the security audit records are recorded.
[0032] Step four: To verify the correctness of authorized access, this embodiment further performs a legitimate access verification of the authorization process. The principal application, which is already bound to the access control policy, sequentially performs operations such as creating, reading, modifying, and deleting files within the target directory. This tests whether the directory access control module can correctly allow legitimate access behavior, ensuring the availability of the policy configuration for authorized access.
[0033] Step 5: After completing the illegal access simulation and legal access verification, the system automatically enters the security audit log verification stage. In this embodiment, the script reads the log file storing security audit information in the trusted computer, such as / var / log / trust / trust_verification_module.log, parses the log content, and extracts the security events involved in this test. Relevant security events include, but are not limited to, policy configuration events, access denial events, and file modification attempt events. The script further verifies whether various security events are completely and accurately recorded, including checking fields such as event type, event timestamp, source user or process, target directory, and the final result of the corresponding operation, to ensure that the security audit mechanism can accurately reflect the operation of the access control module.
[0034] Step Six: After completing the parsing and verification of the security audit logs, this embodiment outputs the verification results in a structured document format, preferably a CSV file. The CSV document details the audit events generated by each type of access behavior during this test and their verification results, making the relevant information traceable, comparable, and archiveable.
[0035] Step seven: The trusted computer automatically generates an HTML-formatted test report based on the generated CSV structured document. The test report visually presents the directory access control module's performance in terms of unauthorized access, authorized access, policy configuration, and audit logs, providing a standardized results document for system evaluation and project acceptance.
[0036] In summary, this embodiment achieves integrated, automated, and highly reliable testing of the directory access control function of the SIS system by automatically parsing configuration files, automatically configuring access control policies, automatically simulating illegal and legal access behaviors, structured verification of security audit logs, and automatically generating reports. It effectively overcomes the problems of low efficiency, insufficient coverage, and difficulty in verifying stability in traditional manual methods, and significantly improves the accuracy, consistency, and engineering applicability of the tests.
[0037] Example 4: See Figure 3The present invention also provides an electronic device 100 for testing the directory access control function of a trusted system SIS; the electronic device 100 includes a memory 101, at least one processor 102, a computer program 103 stored in the memory 101 and executable on the at least one processor 102, and at least one communication bus 104.
[0038] The memory 101 can be used to store the computer program 103. The processor 102 implements the steps of the SIS trusted system directory access control function testing method described in Embodiment 1 by running or executing the computer program stored in the memory 101 and calling the data stored in the memory 101. The memory 101 may mainly include a program storage area and a data storage area. The program storage area may store the operating system, at least one application program required for a function (such as sound playback function, image playback function, etc.), etc.; the data storage area may store data created according to the use of the electronic device 100 (such as audio data), etc. In addition, the memory 101 may include non-volatile memory, such as hard disk, memory, plug-in hard disk, smart media card (SMC), secure digital (SD) card, flash card, at least one disk storage device, flash memory device, or other non-volatile solid-state storage device.
[0039] The at least one processor 102 may be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The processor 102 may be a microprocessor or any conventional processor. The processor 102 is the control center of the electronic device 100, connecting various parts of the electronic device 100 via various interfaces and lines.
[0040] The memory 101 in the electronic device 100 stores multiple instructions to implement a test method for a trusted system directory access control function of an SIS (System-on-a-System). The processor 102 can execute the multiple instructions to achieve the following: Obtain the configuration file of the trusted computer, and based on the configuration file of the trusted computer, obtain the test parameters for directory access control; Start the trusted computer to execute test commands and generate a security audit log when the trusted computer executes the test commands; Verify the security audit logs and output the verification results as a structured document; Upload the test report based on the structured document.
[0041] Example 5: If the modules / units integrated in the electronic device 100 are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments can also be implemented by a computer program instructing related hardware. The computer program can be stored in a computer-readable storage medium, and when executed by a processor, it can implement the steps of the various method embodiments described above. The computer program includes computer program code, which can be in the form of source code, object code, executable files, or certain intermediate forms. The computer-readable medium can include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a portable hard drive, a magnetic disk, an optical disk, a computer memory, and a read-only memory (ROM).
[0042] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0043] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0044] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0045] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0046] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the specific implementation of the present invention. Any modifications or equivalent substitutions that do not depart from the spirit and scope of the present invention should be covered within the scope of protection of the claims of the present invention.
Claims
1. A method for testing the directory access control function of a trusted SIS system, characterized in that, Includes the following steps: Obtain the configuration file of the trusted computer, and based on the configuration file of the trusted computer, obtain the test parameters for directory access control; Start the trusted computer to execute test commands and generate a security audit log when the trusted computer executes the test commands; Verify the security audit logs and output the verification results as a structured document; Upload the test report based on the structured document.
2. The method for testing the directory access control function of a trusted SIS system according to claim 1, characterized in that, The test parameters for directory access control include the main application file to be used, the object directory path, the test time range, and the scenario for automated testing.
3. The method for testing the directory access control function of a trusted SIS system according to claim 1, characterized in that, The specific method for starting a trusted computer to execute test instructions is as follows: Obtain test instructions from the trusted computer, and enable corresponding directory access control according to the test instructions from the trusted computer; Based on the test instructions of the trusted computer, execute the access control policies for the files and directories configured in the configuration file. Based on the access control policy, simulate unauthorized access and attacks by unauthorized processes, and verify legitimate access by authorized processes.
4. The method for testing the directory access control function of a trusted SIS system according to claim 3, characterized in that, Simulating unauthorized access and attacks by unauthorized processes includes creating, reading, modifying, deleting files, and deleting directories using unauthorized processes.
5. The method for testing the directory access control function of a trusted SIS system according to claim 3, characterized in that, Enforcing the legitimate access of an authorized process includes allowing the authorized process to create, read, modify, or delete files within a directory.
6. The method for testing the directory access control function of a trusted SIS system according to claim 1, characterized in that, The specific method for validating security audit logs and outputting the validation results as a structured document is as follows: Obtain security audit logs, parse the security audit logs, and obtain the relevant security events within the security audit logs; Verify that the security audit logs record all security events completely and accurately, and output the verification results as a structured document.
7. A test method for directory access control function of a trusted SIS system according to claim 6, characterized in that, The relevant security events in the security audit log include policy configuration data, access denial data, and file modification attempt data.
8. A test method for directory access control function of a SIS trusted system according to claim 6, characterized in that, The verification results include event type, timestamp, source user / process, target directory, and operation result.
9. A test system for directory access control function of a SIS trusted system, characterized in that, include: The parameter acquisition module is used to obtain the configuration file of the trusted computer and obtain the test parameters for directory access control based on the configuration file of the trusted computer. The log generation module is used to start a trusted computer to execute test instructions and generate security audit logs when the trusted computer executes test instructions. The log verification module is used to verify security audit logs and output the verification results as a structured document. The output module is used to upload test reports based on structured documents.
10. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the test method for the directory access control function of a trusted SIS system as described in any one of claims 1 to 8.