By combining user-level tools such as top and ps with kernel-level protection technology, a Linux system's critical system processes, and its user processes as well, can be protected comprehensively from both the user level and the kernel level.
The classic Bell-LaPadula model of information confidentiality treats the process as the subject of the whole computer system: a process is assigned a security level and is allowed, under defined conditions, to access objects such as files and databases. A process put to unlawful use can therefore do significant damage to the system. In practice, many attackers damage and break into systems by planting "Trojan horse" programs, and such programs can only run on the machine as processes. Likewise, many destructive programs and attack methods work by breaking into the target system and interfering with its legitimate processes, especially critical system processes, so that the system no longer works correctly or stops working altogether. Since Linux holds the largest share of the server market, guaranteeing the security of such systems requires process monitoring and protection.

At the user level, Linux provides the process monitoring tools who, w, ps and top, together with the system calls for retrieving process information. Used in combination, they give a clear picture of which processes are running and in what state, so that appropriate measures can be taken to secure the system. They are the most common process status viewers on Linux: they ship with every distribution and are available as soon as the system is installed.

1. who: primarily used to list the users currently logged in. A system administrator can use it to monitor each logged-on user's activity.

2. w: also shows the users logged on to the system, but is more powerful than who: it shows not only who is logged in but also what each user is currently doing. It is an enhanced version of who.

3. ps: the most basic yet very powerful process viewer. It shows which processes are running and their state, whether a process has finished, whether it has died, which processes are consuming too many resources, and so on. ps can also monitor daemons, which do not communicate through the screen, keyboard or other standard input/output devices; when a daemon needs to be checked, ps is the tool to use.

4. top: serves the same basic purpose as ps, displaying the system's current processes and their status, but top is dynamic: it refreshes the display continuously and responds to user keystrokes. Run in the foreground, it takes over the terminal until the user quits it. More specifically, top shows the real-time state of the system's processors and lists the tasks that are most CPU-"sensitive". It can sort tasks by CPU usage, memory usage and execution time, and many of its features can be set through interactive commands or a personal configuration file.

Processes that need close monitoring: the commands described above provide a certain amount of information about processes. They can be used to view the state of the current processes, to identify those consuming excessive system resources, and to terminate them. Their advantages are speed, transparency, intuitiveness and simplicity. The following table lists the more common important processes on a Linux system (it is not exhaustive; consult the corresponding documentation for others); with the tools above, users can monitor these important processes in real time and take appropriate protective measures.
Shortcomings of the system-call approach: the monitoring methods and tools described above all rely on the API functions or system calls that the operating system provides. We can only work with the results these interface functions return; we cannot actively fetch the information we need from the kernel's own data structures. They therefore have the following disadvantages:

1. Traditional process monitoring is relatively inefficient and slow to react, so its real-time performance is poor.

2. It cannot immediately and effectively report the current security state of the running system to the user; even when an illegitimate process is running, the system cannot recognise it.

3. It cannot capture evidence of an illegitimate process's actions or actively track the process. When an illegitimate process has run and been caught, the user may find it in the process list but still has no idea what it did to the system between starting and being caught: which important system files it accessed or modified, what system resources it consumed, and so on. This seriously complicates later recovery and clean-up.

4. These programs run in user mode and are therefore not secure in themselves: an intruder can easily locate the monitoring tool's on-disk image and delete or even replace it, causing incalculable damage to the system.
This last point deserves emphasis. For example, once an intruder has successfully broken into a system, they may install a modified ps in place of the system's original one, so that users can no longer learn from the tool which processes are currently running; whatever Trojan horses or other programs the intruder plants, users have no way to know about them or to take measures to stop them. Needless to say, the consequences are very serious. With the kernel-resident process monitor introduced below, by contrast, an intruder cannot, or can only with great difficulty, reach into the kernel to disable the process-control code, so the monitor is much better able to protect itself.

To address these shortcomings, we propose principles and techniques for real-time process monitoring implemented in the Linux kernel. The technique consists of several steps. First, in a "clean" system environment, the system's secure processes are run and analysed comprehensively, and the information about these processes in the Linux environment is collected (process ID, process name, executable image, start time, parent process and other key information) to form a "system security process list" that serves as the reference for process monitoring. Then, monitoring code in the process scheduler gathers information about running processes in real time. If a process is found that is not on the system security process list, its PID, name, executable image and other information are immediately output to a terminal, or the user is alerted by voice, and the process's scheduling is suspended while waiting for the user to respond (by releasing the process or killing it).
In the second step, if the root user (the system administrator) releases the process, it can be added to the system security process list to refine that list; if a normal user releases a process, the user's name and identity are required, and the release is recorded in a log, so that the superuser has a solid basis when later auditing user behaviour or modifying the system security process list. In addition, while the system is running, if an important process on the system security process list (such as kswapd or bdflush) is found not to be running, information about the "lost" process is written to a file for use during system recovery, so that recovery can be targeted according to the circumstances; when the system must be stopped immediately, that saved information allows the state to be restored.
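The two-step scheme above, as an added example that is not part of the original article: a user-space Python approximation (the article's monitor hooks the kernel scheduler; this one does not) that builds the "system security process list" from process records, audits a later snapshot for unknown and missing processes, and applies the root/normal-user release rule. The snapshot_procfs helper shows how the same records would be read from /proc on a live Linux host; the names, paths and PIDs in the sample snapshots are constructed.

```python
import os
from collections import namedtuple

Proc = namedtuple("Proc", "pid name exe ppid")

def snapshot_procfs():
    """Collect a record for every live process from /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""  # kernel threads (kswapd, bdflush, ...) have no executable image
            procs.append(Proc(pid, fields["Name"].strip(), exe, int(fields["PPid"])))
        except (OSError, KeyError, ValueError):
            continue  # the process exited while we were reading it
    return procs

def build_baseline(procs):
    """The 'system security process list', taken on a clean system. Keyed on
    (name, executable image) rather than PID, because PIDs change across boots."""
    return {(p.name, p.exe) for p in procs}

def audit(procs, baseline, required):
    """unknown: running processes absent from the list; missing: required names not running."""
    unknown = [p for p in procs if (p.name, p.exe) not in baseline]
    running = {p.name for p in procs}
    return unknown, sorted(n for n in required if n not in running)

def release(proc, user, baseline, log):
    """Operator decision on a flagged process: root extends the list,
    any other user only leaves an audit record for later review."""
    if user == "root":
        baseline.add((proc.name, proc.exe))
    else:
        log.append(f"user={user} released pid={proc.pid} name={proc.name} exe={proc.exe}")

# Constructed snapshots standing in for real /proc reads, so the example runs offline.
CLEAN = [Proc(1, "init", "/sbin/init", 0), Proc(2, "kswapd", "", 0),
         Proc(3, "bdflush", "", 0), Proc(120, "sshd", "/usr/sbin/sshd", 1)]
LATER = [Proc(1, "init", "/sbin/init", 0), Proc(2, "kswapd", "", 0),
         Proc(120, "sshd", "/usr/sbin/sshd", 1), Proc(4242, "sshd", "/tmp/.x/sshd", 1)]
REQUIRED = {"kswapd", "bdflush"}
```

Matching on the executable image as well as the name is what lets the audit flag the second "sshd" even though its name is on the list, and it reports bdflush as lost in the same pass.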