Method and system for checking security configuration

Document No.: 1116111 Publication date: 2020-09-29 Views: 8 Chinese

Reading note: the technology 安全配置的核查方法与系统 (Method and system for checking security configuration) was designed and created by 李福宜, 王平 and 陈宏伟 on 2020-04-26. Its main content: the invention discloses a security configuration checking method and checking system, in which a checking engine organizes the checking process as tasks, detects in an online or offline manner whether a user system, application server, database, network device or the like has configurations with potential security hazards, and outputs a checking result; for a target end that cannot be interacted with remotely, the configuration information is acquired either by downloading the checking tool and uploading it to the target end for execution, or by exporting the configuration file from the target end and having the checking tool parse it. The technical solution has the following beneficial effects: applicability is improved, since both online and offline devices can be checked, and checking efficiency, reliability and usability are improved.

1. A method for verifying a security configuration, comprising:

remotely logging in to a target end, executing a command for acquiring security configuration information, and generating a result file from the configuration information returned by the target end; analyzing the result file, and judging whether the security configuration of the target end is compliant;

if the target end cannot be directly interacted with remotely: downloading the checking tool, copying it to the target end for execution, and acquiring the security configuration information;

or, exporting the configuration file from the target end, calling the checking tool to analyze the configuration file, and acquiring the security configuration information.

2. The configuration checking method according to claim 1, wherein before the configuration information of the target end is obtained, the method further comprises establishing a security configuration rule table, each rule in the rule table specifying a legal security configuration item parameter; selecting rules associated with the security configuration of the target end from the rule table according to the type of the target end, and establishing a checking strategy; the target end type comprises a security device, a network device, middleware, a database and a server;

after the configuration information of the target end is obtained, the result file is analyzed according to the checking strategy to obtain the security configuration item parameters of the target end, it is judged in turn whether each security configuration item parameter conforms to the rules of the checking strategy, and the checking result is output to a database for storage.

3. The configuration checking method according to claim 2, characterized in that for a target end capable of remote interaction, a checking task is created according to the checking strategy; when the checking task is started, a task execution process is created, a checking plug-in is called according to the checking strategy, and the configuration information of the target end is acquired; the configuration information returned by the target end is received and a result file is generated; the result file is analyzed to obtain the security configuration information, and an alarm is given if a configuration item is inconsistent with a rule of the checking strategy;

and the checking result is stored in an XML file.

4. The configuration checking method according to claim 3, wherein

monitoring of the checking task further comprises stopping, deleting and continuing the checking task;

the task information includes: a task ID, comprising a random code generated according to the task creation time; a task action, comprising creation, starting, stopping, deleting and continuing; and a task execution mode, comprising non-execution, immediate execution, timed one-time execution and timed periodic execution;

the task information further includes a policy name or policy ID and target end information, wherein the target end information comprises an IP or an IP range, a target end operating system and a target end type.

5. The configuration checking method according to claim 2, wherein the security configuration rule comprises: rule number and plug-in number, rule name, rule main class and subclass, risk level and baseline requirements;

each rule corresponds to one plug-in and the plug-in number is unique, and the rule number is the same as or different from the plug-in number;

the rule main class comprises a target end type corresponding to a rule, and the rule sub class comprises at least one of a target end system type, a network equipment type, a database type and a middleware type;

the risk level indicates a corresponding risk level when the rule is violated, and the baseline requirement includes a security configuration item parameter specified by the rule.

6. The configuration checking method according to any one of claims 1 to 5, wherein the checking result comprises: a result number and the corresponding checking task number, the vulnerability number found, the target end IP address and the actual security configuration information; the vulnerability number is the same as the rule number.

7. The configuration checking method according to claim 1, wherein the checking tool comprises a plug-in and/or a script, and the content comprises a rule ID and a checking command.

8. A security configuration checking system, characterized in that a checking end is provided for carrying out configuration checking on a target end to be checked, the checking end comprising:

a checking management module, used for managing the security configuration rules, the checking strategy and the checking tasks: establishing a security configuration rule table, wherein each security configuration rule specifies a legal security configuration item; selecting rules associated with the security configuration of the target end to be checked according to the information of that target end, and establishing a checking strategy; creating a checking task according to the checking strategy, acquiring the security configuration information of the target end to be checked according to the task information, analyzing it to obtain the security configuration parameters, and giving an alarm if the security configuration parameters are inconsistent with the security configuration rules;

and a checking engine module, used for generating a result file from the configuration information acquired from the target end to be checked, calling a checking tool to analyze the result file, judging whether the security configuration information in the file is consistent with the rules, and outputting the checking result to a database for storage.

9. The checking system of claim 8, wherein

if the checking end can directly interact with the target end remotely, then when the start of a checking task is detected, a process is created to execute the checking task, and the target end is logged in to remotely to obtain the security configuration information;

if the checking end cannot directly interact with the target end remotely, the checking tool is downloaded from the checking end, copied and uploaded to the target end to be checked for execution, and the security configuration information of the target end is acquired,

or the configuration file is exported from the target end, the checking tool is called to analyze it, and the security configuration information of the target end is acquired.

10. The checking system of claim 8, wherein the checking tool comprises a plug-in and/or a script, and the content comprises a rule ID and a checking command; and the checking result is stored in an XML file.

Technical Field

The invention belongs to the technical field of computer network security, and particularly relates to a security configuration checking method and a security configuration checking system for checking security configuration of equipment.

Background

With the widespread use of network services and applications, the security of the data servers and network devices carrying these services and applications has become increasingly important. Network intrusion can be effectively blocked by using professional security equipment (such as a firewall). In practice, however, the security configuration applied to a network device by its administrator is often deficient, and an attacker can exploit such deficiencies, exposing the device and its data to threats and very likely causing irreparable loss.

To avoid configuration deficiencies in network devices, network administrators therefore typically check the configuration of the network devices and carry out security hardening on those that do not conform to the security configuration specification. Among existing configuration checking techniques, the manual checking approach has low efficiency and insufficient reliability; the approach of sending instructions to the target device to acquire its configuration information and then judging it has high efficiency and good universality, but it depends on network access and cannot be carried out when remote login with the required privileges is not permitted, or when the target cannot be logged in to remotely for network reasons.

Disclosure of Invention

In view of the above background, the present invention provides a security configuration checking method and system suitable for more scenarios, which overcome the above technical problems by means of a checking task that can be carried out in multiple ways; the specific technical solution is as follows:

in a first aspect, a method for checking security configuration is provided, including:

remotely logging in to a target end, executing a command for acquiring security configuration information, and generating a result file from the configuration information returned by the target end; analyzing the result file, and judging whether the security configuration of the target end is compliant;

if the target end cannot be directly interacted with remotely: downloading the checking tool, copying it to the target end for execution, and acquiring the security configuration information; or exporting the configuration file from the target end, calling the checking tool to analyze the configuration file, and acquiring the security configuration information.

Preferably, before the configuration information of the target end is obtained, a security configuration rule table is established, wherein each rule in the rule table specifies a legal security configuration item parameter; rules associated with the security configuration of the target end are selected from the rule table according to the type of the target end, and a checking strategy is established; the target end type comprises a security device, a network device, middleware, a database and a server.

Further, after the configuration information of the target end is obtained, the result file is analyzed according to the checking strategy to obtain the security configuration item parameters of the target end, whether the security configuration item parameters conform to the rules of the checking strategy is sequentially judged, and the checking result is output to a database to be stored.

The security configuration rules include: rule number and plug-in number, rule name, rule main class and subclass, risk level, baseline number and baseline requirement;

each rule corresponds to one plug-in and the plug-in number is unique, and the rule number is the same as or different from the plug-in number;

the rule main class comprises a target end type corresponding to a rule, and the rule sub class comprises at least one of a target end system type, a network equipment type, a database type and a middleware type;

the risk level indicates a corresponding risk level when the rule is violated, and the baseline requirement includes a security configuration item parameter specified by the rule.

In a second aspect, a security configuration checking system is provided, in which a checking end is configured to perform configuration checking on a target end to be checked, the checking end comprising:

a checking management module, used for managing the security configuration rules, the checking strategy and the checking tasks: establishing a security configuration rule table, wherein each security configuration rule specifies a legal security configuration item; selecting rules associated with the security configuration of the target end to be checked according to the information of that target end, and establishing a checking strategy; creating a checking task according to the checking strategy, acquiring the security configuration information of the target end to be checked according to the task information, analyzing it to obtain the security configuration parameters, and giving an alarm if the security configuration parameters are inconsistent with the security configuration rules;

and a checking engine module, used for generating a result file from the configuration information acquired from the target end to be checked, calling a checking tool to analyze the result file, judging whether the security configuration information in the file is consistent with the rules, and outputting the checking result to a database for storage.

As described above, in the security configuration checking method and system of the present invention, the checking engine organizes the checking process as tasks, detects in an online or offline manner whether configurations with potential security hazards exist in the user system, application server, database, network device and so on, and outputs the checking result. For a target end capable of remote interaction, the configuration information is obtained by executing commands; for a target end that cannot be interacted with remotely, the configuration information is acquired by downloading the checking tool and uploading it to the target end, or the configuration file is exported from the target end and analyzed by the checking tool to obtain the configuration information. The technical solution has the following beneficial effects: applicability is improved, since both online and offline devices can be checked, and checking efficiency, reliability and usability are improved.

Drawings

FIG. 1 is a schematic diagram of an overall working flow of an embodiment of a security configuration checking method according to the present invention;

FIG. 2 is a block diagram of an embodiment of a security configuration checking system of the present invention;

FIG. 3 is a schematic diagram of a detailed flow of the online check in FIG. 1;

FIG. 4 is a schematic diagram of a specific flow of the offline check in FIG. 1.

Detailed Description

The techniques associated with configuration checking are first described in more detail.

Generally, the provider of a network device publishes a standardized device security configuration, so that the device's network administrator configures it according to that standard. A dedicated checking device is set up to customize a security configuration checking scheme for the network device, scan the device's security configuration according to that scheme, and notify the network administrator of the scanning result, thereby standardizing the configuration items of a server or network device and ensuring its safe and stable operation. A scan of a device configuration covers, for example, one or more of the following: default access permissions; whether the relevant protocols restrict direct remote login by the super administrator user; and whether the password length, content and validity period of the network device meet the specification, using weak password detection techniques.

However, carrying out the configuration security scan described above presupposes that a remote connection can be established and that specific access and operation rights are held. In reality, some internal networks and their network devices may prohibit remote login out of security concerns, for example by disabling remote connection services such as smb, ssh or telnet, so as to prevent external users or devices from scanning the network devices remotely. The result is that no security configuration scan can be performed on those network devices, and devices exposed to the Internet remain at risk.

The following describes in detail the technical solutions of the security configuration checking method and system according to the present invention by embodiments with reference to the accompanying drawings.

As shown in FIG. 1, a method for checking a security configuration includes: establishing a security configuration rule table, selecting the rules associated with the security configuration from the security configuration rule table according to the type of the target end, establishing a checking strategy, and judging whether the target end can be interacted with remotely.

For a target end capable of remote interaction, when it is detected that a task has started, the target end is logged in to remotely according to the task information and a command for acquiring security configuration information is executed; the configuration information returned by the target end is received.

If remote interaction with the target end cannot be carried out directly, one of two routes is taken:

either the check script is downloaded and copied to the target end for execution, which yields the security configuration information; or the configuration file is exported from the target end and a file checking script is called on it to obtain the security configuration information.

Generating a result file from the security configuration information acquired in the online or offline mode; and calling a checking plug-in according to the checking strategy, analyzing the configuration information, judging whether the configuration information conforms to the rule, storing the checking result into a database, and outputting a checking report.

In a preferred embodiment, each rule in the rule table specifies a legal security configuration.

For a target end capable of remote interaction, monitoring of the checking task further comprises stopping, deleting and continuing the task;

the task information includes: a task ID, comprising a random code generated from the task creation time; a task action, comprising creation, starting, stopping, deleting and continuing; and a task execution mode, comprising non-execution, immediate execution, timed one-time execution and timed periodic execution;

the task information further includes a policy name or policy ID and target end information, wherein the target end information comprises an IP or an IP range, a target end operating system and a target end type, and the target end type comprises a security device, a network device, middleware, a database and a server.

As a preferred embodiment, the security configuration rule includes:

a rule number and a plug-in number; each rule corresponds to one plug-in, the plug-in number is unique, and the rule number may be the same as or different from the plug-in number;

a rule name, a rule main class and subclass, and the target end manufacturer; the rule main class comprises the target end type to which the rule applies, and the rule subclass comprises the target end system type, network device type, database type and middleware type;

a risk level, a baseline number, a baseline requirement and a hardening scheme; the risk level represents the degree of risk when the rule is violated and, from low to high, comprises informational, low risk, medium risk, high risk and urgent; the baseline requirement comprises the security configuration items and their parameters specified by the rule; the hardening scheme comprises the remediation to be applied when the rule is violated.

The checking result comprises: a result number and the corresponding checking task number, the vulnerability number found, the target end IP address and the actual security configuration information; the vulnerability number is the same as the rule number. The checking result is stored in an XML file.
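As an added example (not code from the patent), the following Python sketch puts the rule table of the preferred embodiment, a checking strategy selected by target end type, the offline route of parsing an exported configuration file, and the checking result fields described above into working code. The `Rule` fields, the rule numbers, the sample sshd_config export and the XML layout are all constructed assumptions, not the patent's own formats.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Hypothetical rule record with the fields the description lists; all rule
# values and the sample export below are constructed for illustration.
@dataclass(frozen=True)
class Rule:
    rule_no: str
    plugin_no: str
    name: str
    main_class: str   # target end type, e.g. "server" or "database"
    sub_class: str    # target system type, e.g. "linux"
    risk_level: str   # informational / low / medium / high / urgent
    item: str         # configuration item as written in the exported file
    baseline: str     # legal parameter value required by the rule

RULE_TABLE = [
    Rule("R001", "P001", "No direct root SSH login", "server", "linux", "high",
         "PermitRootLogin", "no"),
    Rule("R002", "P002", "No SSH password authentication", "server", "linux",
         "medium", "PasswordAuthentication", "no"),
    Rule("R003", "P003", "SSH protocol 2 only", "server", "linux", "low",
         "Protocol", "2"),
    Rule("R010", "P010", "Local-only DB", "database", "mysql", "high", "skip-networking", "on"),
]

def build_policy(main_class, sub_class):
    """Checking strategy: the rules associated with this target end type."""
    return [r for r in RULE_TABLE
            if r.main_class == main_class and r.sub_class == sub_class]

def parse_result_file(text):
    """Offline mode: parse an exported 'key value' file, skipping blank and # lines."""
    items = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"(\S+)\s+(\S+)", line):
            items[m.group(1).lower()] = m.group(2)
    return items

def check(policy, items, task_no, target_ip):
    """Judge each rule in turn; an item absent from the export counts as non-compliant
    since its baseline cannot be confirmed. The vulnerability number is the rule number."""
    results = []
    for n, rule in enumerate(policy, 1):
        actual = items.get(rule.item.lower(), "<missing>")
        results.append({"result_no": f"{task_no}-{n:03d}", "task_no": task_no,
                        "vuln_no": rule.rule_no, "target_ip": target_ip,
                        "actual": actual, "risk_level": rule.risk_level,
                        "compliant": actual.lower() == rule.baseline.lower()})
    return results

def alarms(results):
    """Vulnerability numbers whose rule was violated and should raise an alarm."""
    return [r["vuln_no"] for r in results if not r["compliant"]]

def to_xml(results):
    root = ET.Element("check_results")
    for r in results:
        ET.SubElement(root, "result", {k: str(v) for k, v in r.items()})
    return ET.tostring(root, encoding="unicode")

SAMPLE_EXPORT = """# constructed sshd_config export from a target end
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
"""
```

Running `check(build_policy("server", "linux"), parse_result_file(SAMPLE_EXPORT), "T20200426", "192.0.2.10")` flags R001 (root login enabled) and R002 (item commented out, so the baseline cannot be confirmed) while R003 passes.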

Further, if the configuration item is inconsistent with the rule of the checking strategy, an alarm is given.

As shown in FIG. 2, the security configuration checking system is provided with a checking end, configured to perform configuration checking on a target end to be checked, where the checking end includes:

a checking management module, used for managing the security configuration rules, the checking strategy and the checking tasks: establishing a security configuration rule table, wherein each security configuration rule specifies a legal security configuration item; selecting rules associated with the security configuration of the target end to be checked according to the information of that target end, and establishing a checking strategy; creating a checking task according to the checking strategy, acquiring the security configuration information of the target end to be checked according to the task information, analyzing it to obtain the security configuration parameters, and giving an alarm if the security configuration parameters are inconsistent with the security configuration rules;

and a checking engine module, used for generating a result file from the configuration information acquired from the target end to be checked, calling a checking tool to analyze the result file, judging whether the security configuration information in the file is consistent with the rules, and outputting the checking result to a database for storage.

If the checking end can directly interact with the target end remotely, then when the start of a checking task is detected, a process is created to execute the checking task, and the target end is logged in to remotely to obtain the security configuration information;

if the checking end cannot directly interact with the target end remotely, the checking tool is downloaded from the checking end, copied and uploaded to the target end to be checked for execution, and the security configuration information of the target end is acquired,

or the configuration file is exported from the target end, the checking tool is called to analyze it, and the security configuration information of the target end is acquired.

The checking tool comprises a plug-in and/or a script, whose content comprises a rule ID and a checking command; the checking result is stored in an XML file.
