CN1175351C - Automatic SOLARIS process protecting system - Google Patents
Abstract
The present invention relates to an automatic SOLARIS process protection system consisting mainly of a performance monitoring module, a rule setting module, a rule match module and an execution module, together with a self-protection mechanism built around a guardian process (daemon). The rule setting module sets the automatic response rules that rule matching requires; the performance monitoring module collects the running indexes of system processes and reports them to the rule match module; the rule match module evaluates those indexes against the configured rules and sends process operation commands to the execution module, which starts or stops processes to keep the system running normally; the guardian process monitors and protects the modules themselves. The system thus provides a double layer of automatic protection: it monitors and manages specific service processes, automatically restarting those that behave abnormally or have been killed by an attack, and at the same time protects its own components through the self-protection mechanism, so that they cannot be picked off one by one, effectively solving the system's security problem.
Description
Technical field:
The present invention relates to an automatic protection system for service processes on the SOLARIS platform and belongs to the field of computer technology.
Background technology:
With the popularization and development of information technology, more and more business is carried out on computer systems. Through the various applications and service programs running on those systems, people can accomplish a great deal of work.
Among computer systems, the SOLARIS platform has become a preferred choice for servers because of its outstanding security and networking characteristics. The various value-added services that a SOLARIS system provides are mainly realized by processes built on the SOLARIS architecture: for example, Apache provides services such as WWW, FTP and TELNET, Oracle provides database services, and SOLARIS also provides mail service and so on. The normal operation of these processes, in particular the various service processes running in the background, is the key to guaranteeing service availability on a SOLARIS network. If these programs stop running for some reason, system services are bound to be paralysed, the whole information service flow is affected, and the entire system may even collapse.
The main reasons that cause these service processes to stop running normally are the following:
1. a logic error or misconfiguration in the service process itself;
2. an error in an associated process, or a problem in the coordination between processes;
3. the resources the process needs are not being met;
4. an attack by another process that forces the process to exit.
The first two are internal factors of the process and can only be solved by upgrading the program, patching it or configuring it correctly. The last two are external factors: the process's resources can be guaranteed, and its abnormal exit prevented, by monitoring and control methods. These methods are known as computer process control and protection methods.
eTrust Access Control protects a process by intercepting the SIGKILL, SIGSTOP and SIGTERM signals sent to it. A protected process can still exit normally or abnormally, but it cannot be killed by an unauthorized user (including root). This protects critical processes from being aborted by operator error and ensures system reliability.
LIDS (Linux Intrusion Detection System) protects processes by another route: it can make certain processes in the system "invisible", so that nobody can see them although they certainly exist.
Both methods protect a process from being stopped accidentally, but neither can monitor the process's own state; if a process becomes abnormal and endangers other processes or the system, the problem cannot be resolved by ending the process.
To understand the running state of all service processes in a computer system and their effect on system resources, and thereby control and manage service processes effectively, the SOLARIS system itself provides a set of commands through which system performance indexes can be queried and processes can be controlled.
For example, the ps command lists the process number and process name of every running process in the system; the kill command kills a specified process by its process number; SOLARIS also provides a performance monitoring tool that displays, in graphical form, information such as the system's CPU, disk operations, interrupts, error conditions and packets passed, helping people understand the system's various performance aspects.
Using these commands and tools, a system administrator can achieve simple process control and protection, but the following deficiencies remain:
Performance monitoring with commands requires a fairly high level of professional skill, and the operation is complex.
Problems must be found and handled manually by the system administrator, so real-time response is poor.
The task manager can only monitor two major aspects of performance (CPU and memory) and is powerless over other performance indexes. For example, if the number of HTTP requests per unit time exceeds a certain limit, IIS may be under attack and appropriate measures must be taken, but the task manager cannot detect this situation.
Summary of the invention:
The object of the invention is to address the above deficiencies of the prior art by providing an automatic protection system for SOLARIS server processes which, by monitoring the performance indexes related to the server processes, discovers hidden dangers inside or outside a process in time and, automatically and by means such as starting and stopping, keeps the server processes running in a normal state throughout the server's operation.
To achieve this object, the protection system in the technical scheme of the present invention consists mainly of a performance monitoring module, a rule setting module, a rule match module and an execution module, and is provided with a guardian process (daemon) that forms the self-protection mechanism. The performance monitoring module, rule setting module, rule match module and execution module all start as subprocesses of the Solaris agent service process when that service process starts, are protected by the service process, and cooperate with one another. The Solaris agent is implanted in each monitored host/server and begins running in the background as soon as the solaris system starts. The rule setting module and the rule match module exchange rule information through shared memory, and each is connected to the emergency management center; the rule match module is connected to the performance monitoring module and the execution module; the performance monitoring module and the execution module are each connected to the operating system. The rule setting module receives the agent rules passed down by the emergency management center, updates the agent's own rule base, and notifies the rule match module through shared memory to perform rule matching with the new rules. The performance monitoring module monitors the performance indexes in the system that relate to the running of actual processes, including CPU occupation rate, memory usage, remaining hard disk space, performance indexes of network connections, and the memory, hard disk space and connected-user situation of the ORACLE database while it runs, and reports the running indexes of the monitored processes to the rule match module. Using the response rules set in the rule setting module, the rule match module evaluates the performance indexes collected by the performance monitoring module; when a rule is violated, it instructs the execution module to take the action the rule specifies. The execution module, according to the commands sent by the rule match module, starts or stops the process in trouble so that it can run under normal conditions. The guardian process is connected to the performance monitoring module, rule setting module, rule match module and execution module and carries out process monitoring and protection: if one of these modules exits for any reason, the guardian process restarts it. At the same time the system also takes the guardian process as an object of monitoring: if the guardian process exits unexpectedly, it is restarted by the execution module.
With this design, unless the guardian process and the execution module both exit abnormally at the same time, the protection system of the invention is guaranteed always to be working in the system.
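The rule match step described above, as an added example that is not part of the patent: constructed performance indexes (CPU, memory, free disk, network connections, ORACLE users, process liveness) are evaluated against a constructed rule base, and a violated rule yields the process operation command the execution module would receive. The metric names, the rule table and the STOP > RESTART > ALARM priority are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Performance indexes the monitoring module reports (constructed sample
 * values below, not real measurements). */
enum metric { M_CPU_PCT, M_MEM_PCT, M_DISK_FREE_MB, M_NET_CONN,
              M_ORA_USERS, M_PROC_ALIVE, M_COUNT };
enum cmp    { CMP_GT, CMP_LT, CMP_EQ };
/* Process operation commands handed to the execution module.  The order
 * STOP > RESTART > ALARM > NONE is this example's own priority assumption. */
enum action { ACT_NONE = 0, ACT_ALARM = 1, ACT_RESTART = 2, ACT_STOP = 3 };

struct indexes { double v[M_COUNT]; };

struct rule {
    const char *name;
    enum metric m;
    enum cmp    c;
    double      threshold;
    enum action act;
};

/* Constructed rule base standing in for the rules pushed down from the
 * emergency management center and stored by the rule setting module. */
static const struct rule rulebase[] = {
    { "oracle not running", M_PROC_ALIVE,   CMP_EQ, 0.0,   ACT_RESTART },
    { "disk nearly full",   M_DISK_FREE_MB, CMP_LT, 500.0, ACT_ALARM   },
    { "cpu saturated",      M_CPU_PCT,      CMP_GT, 95.0,  ACT_ALARM   },
    { "session flood",      M_ORA_USERS,    CMP_GT, 200.0, ACT_STOP    },
};
#define NRULES (sizeof rulebase / sizeof rulebase[0])

static int violated(const struct rule *r, const struct indexes *ix)
{
    double x = ix->v[r->m];
    switch (r->c) {
    case CMP_GT: return x > r->threshold;
    case CMP_LT: return x < r->threshold;
    case CMP_EQ: return x == r->threshold;
    }
    return 0;
}

/* Rule match: evaluate every rule against one report; return the strongest
 * action and, if why != NULL, the name of the rule that caused it. */
enum action match_rules(const struct indexes *ix, const char **why)
{
    enum action best = ACT_NONE;
    const char *reason = "no rule violated";
    for (size_t i = 0; i < NRULES; i++) {
        if (violated(&rulebase[i], ix) && rulebase[i].act > best) {
            best = rulebase[i].act;
            reason = rulebase[i].name;
        }
    }
    if (why) *why = reason;
    return best;
}

/* Constructed reports, as the monitoring module might deliver them.
 * Slot order: cpu%, mem%, disk free MB, net conns, oracle users, alive. */
enum action demo_healthy(const char **why)
{
    struct indexes ix = {{ 40.0, 55.0, 8000.0, 30.0, 120.0, 1.0 }};
    return match_rules(&ix, why);               /* -> ACT_NONE */
}
enum action demo_oracle_down(const char **why)
{
    struct indexes ix = {{ 40.0, 55.0, 8000.0, 30.0, 0.0, 0.0 }};
    return match_rules(&ix, why);               /* -> ACT_RESTART */
}
enum action demo_flood(const char **why)
{
    /* several rules fire at once; the strongest (STOP) wins */
    struct indexes ix = {{ 99.0, 90.0, 300.0, 900.0, 350.0, 1.0 }};
    return match_rules(&ix, why);               /* -> ACT_STOP */
}

int main(void)
{
    const char *why;
    enum action a = demo_flood(&why);
    printf("command=%d reason=%s\n", a, why);
    return 0;
}
```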
The system of the present invention uses the following core technologies:
1. Obtaining the running state of a process under Solaris
The performance monitoring module of the present invention obtains the running state information of system processes by calling the following functions.
Every process has its own unique ID. The system call getpid returns this unique process ID, and getppid returns the ID of the parent process, i.e. the process that created the calling process.
In the SOLARIS system the running and control of a process are closely tied to the user: the user or user group that runs a process is one of the process's attributes. The system obtains the ID of the process's owner by calling getuid, and the owner's group ID by calling getgid.
Once the owner of the process is known, the system can call getpwuid to obtain the user's other information (login name, etc.).
2. Running a program as a process under Solaris
The execution module of the present invention runs a process by calling the following functions.
system(string):
This call passes the parameter string to a command interpreter (normally sh) for execution; that is, string is interpreted as a command and executed by sh. If string is a null pointer, the call only checks whether a command interpreter exists. The command can take the same form as a command line, but because it is passed into the system call as a parameter, care is needed at compile time with characters that have special meaning. The command is searched for according to the PATH environment variable. The result generated by the command generally has no effect on the parent process.
Return value: when the parameter is a null pointer, the return value is non-zero only if a command interpreter is available. If the parameter is not a null pointer, the return value is the return status of the command (as with waitpid()). If the command is invalid or contains a syntax error, a non-zero value is returned and the executed command is terminated.
exec():
This is a family of system calls comprising execl(), execv(), execle(), execve(), execlp() and execvp(). They copy an executable module into the memory space occupied by the calling process: the program the calling process was executing ceases to exist and the new program takes its place. This is the only way a program is executed in a unix system: a new program is loaded into the process's memory, overwriting it and producing a new in-memory process image. The new program can be an executable file or a SHELL batch command. If the file's SUID and SGID bits are set, the UID and GID defined by the file become the effective UID and GID when the new process starts.
Stopping a running process under Solaris:
A running process can be killed by combining the two methods above.
First, obtain the pid of the process by the first method.
Then, in a process, call the system() function to execute the kill <pid> command provided by the solaris system.
Through these two steps the process can be killed successfully.
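The three methods above (obtaining process identity, running a program with the exec family, stopping a process by pid) combined into a guardian loop of the kind the self-protection mechanism describes, as an added example that is not code from the patent. It assumes a POSIX system with sh and sleep available; kill(2) is called directly in place of system("kill <pid>"), which avoids spawning a shell and building a command string.

```c
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Method 1: identity of the calling process via getpid/getppid/getuid/
 * getgid, then getpwuid for the owner's login name. */
struct proc_identity { pid_t pid, ppid; uid_t uid; gid_t gid; char login[64]; };

struct proc_identity describe_self(void)
{
    struct proc_identity id;
    id.pid  = getpid();
    id.ppid = getppid();
    id.uid  = getuid();
    id.gid  = getgid();
    struct passwd *pw = getpwuid(id.uid);       /* NULL if uid has no entry */
    snprintf(id.login, sizeof id.login, "%s", pw ? pw->pw_name : "?");
    return id;
}

/* Method 2: run a program as a child process (fork + execvp). */
pid_t start_service(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed; 127 as sh would report */
    }
    return pid;
}

/* Wait for one child: its exit code 0..255, or 128+signal if it was killed. */
int wait_service(pid_t pid)
{
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFEXITED(status))   return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
    return -1;
}

/* Method 3: stop a process by pid, sending SIGTERM with kill(2) directly. */
int stop_service(pid_t pid)
{
    return kill(pid, SIGTERM);
}

/* Guardian loop: keep the service running, restarting it whenever it exits
 * (normally or killed), up to max_restarts times.  Returns the number of
 * restarts performed, or -1 if the service could not be forked. */
int guard_service(char *const argv[], int max_restarts)
{
    int restarts = 0;
    for (;;) {
        pid_t pid = start_service(argv);
        if (pid < 0) return -1;
        int rc = wait_service(pid);
        /* 127 means exec itself failed: do not loop on a missing program */
        if (rc == 127 || restarts >= max_restarts) return restarts;
        restarts++;
    }
}

/* Self-checks on constructed commands. */
int demo_restart_count(void)
{
    char *argv[] = { "sh", "-c", "exit 3", NULL };  /* a service that keeps dying */
    return guard_service(argv, 2);                  /* -> 2 restarts, 3 runs */
}

int demo_stop_code(void)
{
    char *argv[] = { "sleep", "30", NULL };
    pid_t pid = start_service(argv);
    if (pid < 0 || stop_service(pid) != 0) return -1;
    return wait_service(pid);                       /* -> 143 (128 + SIGTERM) */
}

int main(void)
{
    struct proc_identity id = describe_self();
    printf("pid=%ld ppid=%ld uid=%ld gid=%ld login=%s\n", (long)id.pid,
           (long)id.ppid, (long)id.uid, (long)id.gid, id.login);
    printf("restarts=%d stop code=%d\n", demo_restart_count(), demo_stop_code());
    return 0;
}
```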
The kstat (kernel statistics facility) library is mainly used for data collection in the solaris system; the performance monitoring module of the system obtains system performance parameters by calling the kstat library. It is a library that provides Unix system information, linking the various structures that record system information into a chain (linked list). We first obtain the chain header structure with kstat_open (if this fails, most system information cannot be obtained), then search the kstat chain (the kc_chain member of the chain header structure) with the kstat_lookup function for the module whose information is needed, and then read the structure holding the system data with the kstat_read function, which returns the chain ID. At this point we can read the relevant information with kstat_data_lookup or by traversing the structure's linked list. The difference between the two is that if only one node in the list holds the required data (for example the process count or the number of CPUs), kstat_data_lookup can be used directly; if more than one node matches (for example CPU information, where each CPU has its own node), kstat_data_lookup returns as soon as it finds one, so the list must be traversed. If the kstat chain changes while the program is running, call the kstat_chain_update function after kstat_read to refresh it.
The present invention has a notable effect: process protection requires no change to the server's original configuration and no resetting or modification of the original service processes; it is only necessary to set the name of the process to be protected and the corresponding configuration. The invention can monitor and manage specific service processes, automatically restart processes that become abnormal or are killed by an attack, protect its own safety through the self-protection mechanism so that its components cannot be broken one by one, and thus effectively solves the security problem of the system.
Description of drawings:
Fig. 1 is a schematic diagram of the relationships between the system modules, showing the structure of the system and the connections between modules.
Fig. 2 is a schematic block diagram of the self-protection mechanism.
Fig. 3 is a flow chart of reading system information by calling the kstat library functions.
Embodiment:
As shown in Fig. 1, the system of the present invention consists mainly of a performance monitoring module, a rule setting module, a rule match module and an execution module. The rule setting module and the rule match module exchange rule information through shared memory and are each connected to the emergency management center; the rule match module is connected to the performance monitoring module and the execution module; the performance monitoring module and the execution module are each connected to the operating system.
The rule setting module is responsible for receiving the agent rules passed down from the emergency management center, updating the agent's own rule base and notifying the rule match module of the new rules through shared memory; the rule match module is responsible for reporting system alarms to the emergency management center. The performance monitoring module is responsible for monitoring and collecting the various performance indexes in the operating system and reporting them to the rule match module, which evaluates the indexes according to the response rules set in the rule setting module and sends process operation commands to the execution module; the execution module carries out the start and stop operations that keep the system running normally.
Fig. 2 is a schematic block diagram of the self-protection mechanism; the dotted lines in the figure represent the monitoring and protection relationships between the process modules.
As shown in Fig. 2, the self-protection mechanism of the present invention introduces a special service process, the guardian process. The guardian process is connected to the performance monitoring module, rule setting module, rule match module and execution module and carries out process monitoring and protection. If one of these modules exits for any reason, the guardian process restarts it. At the same time the system takes the guardian process itself as an object of monitoring: if it exits unexpectedly, the execution module restarts it. The dotted lines in the figure represent the monitoring and protection relationships between the process modules.
Fig. 3 is a flow chart of reading system information by calling the kstat library functions. It gives the program flow for reading system information through the kstat library: first obtain the chain header structure with kstat_open (if this fails, most system information cannot be obtained); then search the kstat chain (the kc_chain member of the chain header structure) with the kstat_lookup function for the module whose information is needed; then read the structure holding the system data with the kstat_read function, which returns the chain ID. At this point the relevant information can be read with kstat_data_lookup or by traversing the structure's linked list. The difference between the two is that if only one node in the list holds the required data (for example the process count or the number of CPUs), kstat_data_lookup can be used directly; if more than one node matches (for example CPU information, where each CPU has its own node), kstat_data_lookup returns as soon as it finds one, so the list must be traversed. If the kstat chain changes while the program is running, call the kstat_chain_update function after kstat_read to refresh it.
In one embodiment of the invention, the network environment is 100 Mbit Ethernet; the hardware is a database server (SUN SPARC 450) with a 100 Mbit Ethernet card; the operating platform is Solaris 2.6 with Oracle 7.3.4.
The Solaris agent of the emergency response subsystem is implanted in the database server of the intranet. The agent is a daemon process running under the Solaris environment, guaranteed to begin running in the background as soon as the solaris system starts. The agent's submodules, mainly the performance monitoring module, rule match module and execution module, cooperate with one another to protect the security and performance of the intranet database server. They all start as subprocesses of the Solaris agent service process when it starts, and are in turn protected by the service process. The Solaris agent's execution module is the "process protection program" of the whole system; through configuration it can protect specified processes in the system. The agent's service process itself is the system's "guardian process", which protects the normal operation of the execution module.
The intranet of the embodiment consists mainly of several database servers, which are responsible for recording all content that needs to be computerized. To guarantee the normal operation of the database servers, and in particular of the oracle databases in the system, the Solaris agent monitors the performance of the server and of the oracle database and responds according to the configured rules, thereby guaranteeing the normal operation of server and database.
The main functions realized are as follows:
The Solaris agent's performance monitoring module monitors the performance of the database server (including CPU occupation rate, memory usage, utilization of each volume, network connection load, process working condition and other performance indexes) and reports it on schedule.
The Solaris agent's performance monitoring module monitors the performance of the oracle database (including memory usage, database volume utilization, database access situation and other performance indexes) and reports it on schedule.
The agent's security rules are set at the center; they instruct the agent under what conditions a rule is violated and, besides sending an alarm to the center, what operation to carry out after a violation. The Solaris agent's rule match module works according to the rules set at and synchronized from the center, raising an alarm on a rule violation and instructing the execution module to act.
The Solaris agent's execution module carries out operations according to the instructions sent by the emergency response center or by the agent's own rule match module; these operations include starting and stopping specified processes (in this system, starting and stopping the oracle database), restarting the computer system, and so on.
The agent's service process monitors the running of each functional subprocess, handles an abnormal functional subprocess promptly, and starts or stops that module to guarantee the normal operation of the whole Solaris agent.
Claims (1)
1. A SOLARIS process automatic protection system, characterized in that it consists mainly of a performance monitoring module, a rule setting module, a rule match module and an execution module, and is provided with a guardian process that forms a self-protection mechanism; the performance monitoring module, rule setting module, rule match module and execution module all start as subprocesses of the Solaris agent service process when that service process starts, are protected by the service process, and cooperate with one another; the Solaris agent is implanted in each monitored host/server and begins running in the background as soon as the solaris system starts; the rule setting module and the rule match module exchange rule information through shared memory and are each connected to the emergency management center; the rule match module is connected to the performance monitoring module and the execution module; the performance monitoring module and the execution module are each connected to the operating system; the rule setting module receives the agent rules passed down by the emergency management center, updates the agent's own rule base and notifies the rule match module through shared memory to perform rule matching with the new rules; the performance monitoring module monitors the performance indexes in the system that relate to the running of actual processes, including CPU occupation rate, memory usage, remaining hard disk space, performance indexes of network connections, and the memory, hard disk space and connected-user situation of the ORACLE database while it runs, and reports the running indexes of the monitored processes to the rule match module; using the response rules set in the rule setting module, the rule match module evaluates the performance indexes collected by the performance monitoring module and, when a rule is violated, instructs the execution module to act as the rule specifies; the execution module, according to the commands sent by the rule match module, starts or stops the process in trouble so that it can run under normal conditions; the guardian process is connected to the performance monitoring module, rule setting module, rule match module and execution module and carries out process monitoring and protection: if one of these modules exits for any reason, the guardian process restarts it; at the same time the system also takes the guardian process as an object of monitoring, and if it exits unexpectedly the guardian process is restarted by the execution module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB011390344A CN1175351C (en) | 2001-12-04 | 2001-12-04 | Automatic SOLARIS process protecting system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1349167A CN1349167A (en) | 2002-05-15 |
| CN1175351C true CN1175351C (en) | 2004-11-10 |
Legal Events
| Code | Title |
|---|---|
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| C06 | Publication |
| PB01 | Publication |
| C14 | Grant of patent or utility model |
| GR01 | Patent grant |
| C17 | Cessation of patent right |
| CF01 | Termination of patent right due to non-payment of annual fee (granted publication date: 20041110; termination date: 20131204) |