CN106850590A - Software white list management method and system - Google Patents
- Publication number
- CN106850590A
- Authority
- CN
- China
- Legal status
- Granted
Classifications
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Abstract
The present invention relates to a software white list management method and system. According to the device type of the examined device in a software white list verification task, the method assigns the examined device a software white list verification execution script; then, using the login information of the examined device, it logs in to the examined device and sends the software white list verification execution script to it; finally, it compares the installed software in the script execution result returned by the examined device with a software installation policy library, obtaining a verification result for each piece of software installed on the examined device. The method provided by this embodiment is oriented towards server-side devices: it not only protects the security of data in the network but also fills the gap in terminal software management at the server end. Furthermore, this embodiment performs the check by logging in to the device, executing a script and analysing the collected result offline, with no client software to install or service to start on the managed device, which both reduces resource consumption on the device and safeguards data security.
Description
Technical field
The present invention relates to the technical field of network management, and in particular to a software white list management method and system.
Background technology
With the rapid development of information technology, industries of every kind are vigorously building information systems. The scale of networks keeps expanding, the number of devices in a network grows quickly, and the accompanying security problems become ever more prominent. Among the security problems faced by systems and networks, software unrelated to business operation being installed on terminal devices without authorisation not only wastes hardware resources and degrades device efficiency, but can also lead to the leakage of important data through theft.
In the prior art, software installed on terminal devices in the target network is generally managed by deploying client inspection software on the terminal device. Using white list technology, the client inspection software adds trusted, safe applications to a white list and monitors the software installed and running on the terminal device in real time: only applications on the white list may run, and applications not on the white list cannot run on the terminal device. Fig. 1 is a deployment architecture diagram of a software white list management system in the prior art. As shown in Fig. 1, the management system includes a server 10 and a plurality of terminal devices 30 connected to the server 10 through a switch 20. The main function of the server 10 includes formulating the software white list policy; the client inspection software deployed on the terminal device 30 synchronises the software white list policy from the server 10, obtains the list of software installed on the terminal device 30, and compares the obtained software list with the software white list policy; if software installed in violation of the rules is found, a corresponding security alert is raised. Moreover, since most terminal devices 30 run desktop versions of the Windows operating system, the client inspection software mostly interacts with the operating system of the terminal device 30 through WMI (Windows Management Instrumentation).
However, the above software white list management system requires client inspection software to be installed on the managed terminal device 30. The running client inspection software occupies internal hardware resources of the terminal device 30 and can therefore significantly affect its running performance. In addition, the source code of the client inspection software is usually hidden from the user, so the software vendor could use the client inspection software to steal data, which increases the risk of data leakage.
Summary of the invention
To overcome the problems in the related art, the present invention provides a software white list management method and system.
According to a first aspect of embodiments of the present invention, a software white list management method is provided, the method including:
obtaining the examined device in a software white list verification task and the login information of the examined device;
assigning the examined device a corresponding software white list verification execution script according to the device type of the examined device;
logging in to the examined device according to its login information and sending the software white list verification execution script to the examined device;
obtaining the script execution result returned by the examined device according to the software white list verification execution script;
comparing the installed software information in the script execution result with the software installation policy library of the examined device, to obtain a policy verification result for each piece of software installed on the examined device.
Optionally, after obtaining the policy verification result for each piece of software installed on the examined device, the method further includes:
performing statistical analysis of the policy verification results of each installed software from the device dimension and from the software dimension respectively.
Optionally, the method for establishing the software installation policy library includes:
according to the device type of the examined device, performing a maximized installation of a plurality of system versions of the operating system corresponding to that device type;
collecting the default installation software of each of the plurality of system versions after the maximized installation;
setting the policy type of the default installation software to "allowed to install";
adding the default installation software and its policy type to the software installation policy library;
and/or,
obtaining the software installation policy formulated for the examined device;
adding the formulated software installation policy to the software installation policy library;
and/or,
obtaining the unknown-policy software among the installed software according to the policy verification result of each installed software;
obtaining the policy type of the unknown-policy software according to a policy type determination result for it;
adding the unknown-policy software and its policy type to the software installation policy library.
Optionally, obtaining the software installation policy formulated for the examined device includes:
obtaining respectively the business system software installation policy and the device-specific software installation policy formulated for the examined device;
taking the business system software installation policy as a formulated software installation policy;
judging whether the device-specific software installation policy conflicts with the business system software installation policy;
if there is a conflict, discarding the device-specific software installation policy;
otherwise, taking the device-specific software installation policy as a formulated software installation policy.
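The three ways of populating the software installation policy library described above (default software from a maximized install, formulated business system and device-specific policies with conflict resolution, and policy types decided later for unknown-policy software) are shown together in the following Python example. This is an added illustration, not code from the patent or from any product implementing it; the class, the business system name "business-system-A", the device identifiers and the package sets are constructed, and storing the default software at business system scope is an assumption the patent text does not state.

```python
"""Software installation policy library construction (added example; not the
patent's or any vendor's code). Models the three population paths the text
describes: default software from a maximized install (always allowed),
business-system and device-specific policies with conflict resolution, and
policy types decided later for unknown-policy software."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

ALLOW = "allow"    # "allowed to install"
FORBID = "forbid"  # "forbidden to install"


@dataclass
class PolicyLibrary:
    # business system sub-policy library: business system -> {software: policy type}
    business: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # device-specific sub-policy library: device id -> {software: policy type}
    device: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def add_default_software(self, system: str,
                             per_version: Dict[str, Iterable[str]]) -> Set[str]:
        """Union the default packages of every maximized system version and allow
        them. Assumption: defaults are stored at business system scope."""
        defaults: Set[str] = set()
        for packages in per_version.values():
            defaults.update(packages)
        rules = self.business.setdefault(system, {})
        for sw in defaults:
            rules.setdefault(sw, ALLOW)  # an explicit business policy is not overwritten
        return defaults

    def add_business_policy(self, system: str, software: str, policy: str) -> None:
        self.business.setdefault(system, {})[software] = policy

    def add_device_policy(self, system: str, device_id: str,
                          software: str, policy: str) -> bool:
        """Adopt a device-specific policy unless it conflicts with the business
        system policy for the same software. Returns False when discarded."""
        sys_policy = self.business.get(system, {}).get(software)
        if sys_policy is not None and sys_policy != policy:
            return False  # business system policy has priority; drop the device policy
        self.device.setdefault(device_id, {})[software] = policy
        return True

    def resolve_unknown(self, software: str, policy: str,
                        system: Optional[str] = None,
                        device_id: Optional[str] = None) -> None:
        """Record the policy type decided for unknown-policy software, at either
        business system scope or device scope."""
        if system is not None:
            self.add_business_policy(system, software, policy)
        elif device_id is not None:
            self.device.setdefault(device_id, {})[software] = policy
        else:
            raise ValueError("a scope (system or device_id) is required")


def build_example_library() -> PolicyLibrary:
    """Constructed sample: business system A with two CentOS versions."""
    lib = PolicyLibrary()
    # constructed default package sets per system version; real sets would be larger
    lib.add_default_software("business-system-A", {
        "centos-6": ["openssh", "bash", "vim-minimal"],
        "centos-7": ["openssh", "bash", "systemd"],
    })
    # explicit business system policy: telnet forbidden on every device of the system
    lib.add_business_policy("business-system-A", "telnet", FORBID)
    # device-specific policies: the first conflicts with the business policy and is dropped
    lib.add_device_policy("business-system-A", "centos-a1", "telnet", ALLOW)
    lib.add_device_policy("business-system-A", "centos-a1", "gnome-desktop", FORBID)
    return lib


if __name__ == "__main__":
    library = build_example_library()
    print(library.business)
    print(library.device)
```

Because `add_default_software` uses `setdefault`, a business system policy that forbids a package does not get overwritten if the same package later appears among default software; the conflict rule in `add_device_policy` is what the text describes, with the business system policy always winning.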
Optionally, logging in to the examined device according to its login information and sending the software white list verification execution script to it includes:
obtaining the verification execution time and verification cycle in the software white list verification task;
periodically logging in to the examined device and sending the software white list verification execution script to it according to the verification execution time, the verification cycle and the login information of the examined device.
Optionally, obtaining the script execution result returned by the examined device according to the software white list verification execution script includes:
judging whether the script execution result returned by the examined device according to the software white list verification execution script has been received;
if it has been received, generating an instruction to log out of the examined device.
Optionally, comparing the installed software information in the script execution result with the software installation policy library of the examined device to obtain the policy verification result of each installed software includes:
analysing the script execution result to obtain the installed software list of the examined device;
comparing, one by one, the installed software included in the installed software list with the software installation policy library of the examined device to obtain the policy verification result of each installed software.
Optionally, comparing one by one the installed software included in the installed software list with the software installation policy library of the examined device to obtain the policy verification result of each installed software includes:
judging one by one whether the installed software included in the installed software list can be found in the business system sub-policy library of the examined device's software installation policy library;
if so, obtaining the installation policy of that software stored in the business system sub-policy library;
otherwise, judging whether the installed software can be found in the device-specific sub-policy library of the examined device's software installation policy library;
if so, obtaining the installation policy of that software stored in the device-specific sub-policy library;
otherwise, determining the installed software to be unknown-policy software.
According to a second aspect of embodiments of the present invention, a software white list management system is further provided, the system including:
a device information acquisition module, for obtaining the examined device in a software white list verification task and the login information of the examined device;
an execution script distribution module, for assigning the examined device a corresponding software white list verification execution script according to the device type of the examined device;
an execution script sending module, for logging in to the examined device according to its login information and sending the software white list verification execution script to the examined device;
an execution result acquisition module, for obtaining the script execution result returned by the examined device according to the software white list verification execution script;
a verification result acquisition module, for comparing the installed software information in the script execution result with the software installation policy library of the examined device to obtain the policy verification result of each installed software on the examined device.
Optionally, the system further includes:
a verification result presentation module, for performing statistical analysis of the policy verification results of each installed software from the device dimension and from the software dimension respectively.
It can be seen from the above technical solution that the software white list management method and system provided by the embodiments of the present invention assign the examined device a software white list verification execution script according to its device type in the software white list verification task; then log in to the examined device according to its login information and send the software white list verification execution script to it; and finally compare the installed software information in the script execution result returned by the examined device with a pre-built software installation policy library to obtain the policy verification result of each piece of software installed on the examined device. The management method and system provided by the embodiments perform software white list management for server-side devices, which are generally the core devices carrying important business; therefore the security of data in the network is protected, and the gap of operating system software white list management at the server end is filled. Secondly, the embodiments perform the check by logging in to the device, executing a script and parsing the collected result offline: the device is connected only when a check is needed, no client software has to be installed and no service started on the managed device, and the script is an open-source file, so the security of all data is protected; in addition, the data acquisition script performs only lightweight processing and does not consume large amounts of hardware resources during execution, so the whole collection process has very little influence on the examined device. Finally, the embodiments automatically match the corresponding data acquisition script according to the type of the examined device, overcoming the shortcoming that traditional software white lists support only the Windows operating system, adding support for Unix-like and Linux operating systems and greatly enriching the device types that the software white list product supports.
It should be understood that the general description above and the detailed description below are exemplary and explanatory only and do not limit the present invention.
Brief description of the drawings
The accompanying drawings are incorporated into and constitute a part of this specification; they show embodiments consistent with the invention and, together with the specification, serve to explain the principles of the invention.
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, a person of ordinary skill in the art can derive other drawings from these drawings without creative effort.
Fig. 1 is a deployment architecture diagram of a software white list management system of the prior art;
Fig. 2 is a deployment architecture diagram of a software white list management system provided by an embodiment of the present invention;
Fig. 3 is a flow chart of a software white list management method provided by an embodiment of the present invention;
Fig. 4 is a flow chart of the installation policy analysis performed on each piece of software installed on the examined device, provided by an embodiment of the present invention;
Fig. 5 is a flow chart of the method for establishing the software installation policy library provided by an embodiment of the present invention;
Fig. 6 is a basic structural diagram of a software white list management system provided by an embodiment of the present invention.
Specific embodiment
Exemplary embodiments will be described in detail here, examples of which are illustrated in the accompanying drawings. When the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
In view of the problems caused by client inspection software in the prior art having to be installed on the examined device, the software white list management method provided by the embodiments of the present invention moves the function of verifying the software installed on terminals to the server end of the network. Fig. 2 is a deployment architecture diagram of the software white list management system provided by an embodiment of the present invention. As shown in Fig. 2, first the Server server 10 registers the terminal devices 30 using their pre-stored device login information (such as user name, password and access port). Further, because the terminal devices in most enterprise networks are isolated by business system, the Server server 10 may not be able to access the terminal devices directly; to address this, the embodiment also deploys Probe (collection) servers 40, that is, the Server server 10 connects through the switch 20 to a Probe server 40 in each business system, and each Probe server 40 connects to the terminal devices 30 in its own business system. Then, the terminal devices 30 are controlled to execute the software white list verification execution script sent by the Server server 10 in order to collect the installed software information of the terminal devices 30. Finally, the Server server 10 compares the collected installed software information with the pre-specified installation policies to determine whether software installed and running in violation of the rules is present on the terminal devices 30, which solves the problem of having to install client software on the terminal devices. It should be noted that, in a specific implementation, the Server server 10 may also connect directly to the terminal devices 30 through the switch 20. The management method provided by the embodiments of the present invention is described in detail below.
Fig. 3 is a flow chart of a software white list management method provided by an embodiment of the present invention, applied to the Server server in the management system of Fig. 2. As shown in Fig. 3, the method specifically includes the following steps:
S110: Obtain the examined device in the software white list verification task and the login information of the examined device.
Specifically, the user selects the devices to be checked in the software white list management system at the Server server end and sets information such as the start time, end time and execution cycle of the verification task, after which the software white list verification task is established. The Server server first obtains the examined devices in the verification task established by the user, and then looks up the login information of each examined device in a pre-built device login information library according to the device's preset identifier (such as an ID).
S120: Assign the examined device a corresponding software white list verification execution script according to the device type of the examined device.
Specifically, in the embodiment of the present invention the software white list verification execution scripts are written separately for each device type (such as Windows devices and Redhat devices); the Server server automatically matches the corresponding software white list verification execution script according to the device type of the examined device selected in the verification task.
S130: Log in to the examined device according to its login information and send the software white list verification execution script to the examined device.
Specifically, the Server server sends the login information of the examined device to the corresponding Probe server, and the Probe servers establish network connections to the examined devices concurrently in a distributed manner. The connection to the examined device can use a variety of connection protocols (such as the Telnet remote terminal protocol, the SSH secure shell protocol and the RDP remote desktop protocol), completing the login to the examined device. Then the Probe server sends the software white list verification execution script received from the Server server to the examined device.
In addition, to guarantee the timeliness of checks, the embodiment of the present invention also provides for logging in to the examined device as a periodic task, which specifically includes the following steps:
S131: Obtain the verification execution time and verification cycle in the software white list verification task.
The verification cycle can be set flexibly according to actual needs, such as the business system the examined device belongs to and the importance of the device type.
S132: Periodically log in to the examined device and send the software white list verification execution script to it according to the verification execution time, the verification cycle and the login information of the examined device.
Logging in to the examined device and collecting device information as a periodic task guarantees the frequency of checks, and therefore the timeliness of the check results, without installing client software.
S140: Obtain the script execution result returned by the examined device according to the software white list verification execution script.
The embodiment of the present invention analyses the script execution result offline, that is, a connection to the examined device is needed only while the device information is being collected.
Specifically, this includes the following steps:
S141: Judge whether the script execution result returned by the examined device according to the software white list verification execution script has been received.
The examined device executes the content of the software white list verification execution script and sends the script execution result to the Probe server, which forwards it to the Server server, where it is saved to the database.
S142: If received, generate an instruction to log out of the examined device.
After the Server server receives the script execution result, it generates an instruction to log out of the examined device and sends the instruction to the Probe server, so that the Probe server disconnects the network connection to the examined device. With this information acquisition method, no client software needs to be installed and no service started on the examined device, which effectively reduces resource occupation on the examined device.
Further, the script execution result includes the information of the software installed on the examined device, and may also include information such as the open ports, started processes and running services of the examined device.
S150: Compare the installed software information in the script execution result with the software installation policy library of the examined device to obtain the policy verification result of each installed software on the examined device.
Specifically, the script execution result is first analysed to obtain the installed software list of the examined device; then the installed software included in the installed software list is compared one by one with the software installation policy library of the examined device to obtain the policy verification result of each installed software on the examined device.
Taking a single examined CentOS device as an example, the software white list verification execution script and the script execution result in the embodiment of the present invention are illustrated below; Table 1 shows part of a software white list verification execution script and the corresponding script execution result.
Table 1:
From the analysis of Table 1, the list of software installed on the CentOS device can be derived, as shown in Table 2 below:
Table 2:
| Sequence number | Software name |
|---|---|
| 1 | telnet |
| 2 | gnome-desktop |
| 3 | openssh |
The embodiment of the present invention divides the software installation policy library into two kinds: a business system sub-policy library and a device-specific sub-policy library. The business system sub-policy library is set per business system, and all devices in that business system must satisfy its policies; the device-specific sub-policy library is set per device, and only that device has to satisfy it.
Accordingly, for the process of comparing the installed software included in the installed software list one by one with the software installation policy library of the examined device to obtain the policy verification result of each installed software, the embodiment of the present invention provides the following steps, shown in Fig. 4, a flow chart of the installation policy analysis performed on each piece of software installed on the examined device.
S151: Judge one by one whether the installed software included in the installed software list can be found in the business system sub-policy library of the examined device's software installation policy library.
Because the business system policy has higher priority, the comparison is first made against the business system sub-policy library, judging whether the software matches one saved in that library. If the judgement is "Yes", jump to step S152 to determine the policy type; if the judgement is "No", jump to step S153 to judge whether the device-specific policy matches.
S152: If so, obtain the installation policy of the installed software stored in the business system sub-policy library.
Installation policies are of two kinds: forbid-installation policies and allow-installation policies. If the matched policy kind is "forbidden to install", the software is judged to be "violation" software; conversely, if the matched policy kind is "allowed to install", the software is judged to be "normal" software.
S153: Otherwise, judge whether the installed software can be found in the device-specific sub-policy library of the examined device's software installation policy library.
If no match is found in the business system policy, the device-specific policy is matched in this step. If the judgement is "Yes", jump to step S154 to determine the policy type; if the judgement is "No", the judgement result of S155 is obtained.
S154: If so, obtain the installation policy of the installed software stored in the device-specific sub-policy library.
Likewise, installation policies in the device-specific sub-policy library are of two kinds, forbid-installation and allow-installation; if the matched policy kind is "forbidden to install" the software is judged to be "violation" software, and if it is "allowed to install" the software is judged to be "normal" software.
S155: Otherwise, determine the installed software to be unknown-policy software.
Software matched in neither the business system sub-policy library nor the device-specific sub-policy library is unknown-policy software. By collecting the verification results of every piece of software in the installed software list, the verification result for the software installed on the examined device is obtained.
With reference to the installed-software list obtained in Table 2, the comparison and analysis process is illustrated below. Assume that the software installation policy for the CentOS device is as in Table 3:
Table 3:
Each piece of installed software in the software installation list of Table 2 is compared one by one with the policy list to find the software installed in violation. The comparison process is as follows:
1) Take the first entry in the software installation list, telnet, and look it up entry by entry in the software installation policy library. Policy 1 states that all CentOS devices in business system A are forbidden from installing telnet; the result is that this device has installed telnet in violation.
2) Take the second entry in the software installation list, gnome-desktop, and look it up entry by entry in the software installation policy library. Policy 2 states that all CentOS devices in business system A are forbidden from installing gnome-desktop; the result is that this device has installed gnome-desktop in violation.
3) Take the third entry in the software installation list, openssh, and look it up entry by entry in the software installation policy library. Policy 3 states that all CentOS devices in business system A are allowed to install openssh; the result is that this device has installed openssh normally.
The above comparison and analysis yields the verification result for the installed software on the CentOS device, as shown in Table 4:
Table 4:
| No. | Software name | Verification result |
|---|---|---|
| 1 | telnet | Installed in violation |
| 2 | gnome-desktop | Installed in violation |
| 3 | openssh | Normal installation |
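The two-level lookup of steps S151 to S155, written out as an added example (this is not code from the patent). The policy library is assumed to consist of a business-system sub-policy library keyed by (business system, OS type) and a device-specific sub-policy library keyed by device ID, each mapping a software name to "allow" or "forbid". The business-system rows are the three policies the text describes for business system A on CentOS; the device ID `centos-db-01`, its device-specific rows and the two extra installed packages are constructed to show the priority rule: a device-specific "allow" for telnet does not save it from the business-system "forbid", and a package in neither sub-library comes out as unknown.

```python
"""Two-level whitelist policy lookup for one device under inspection (added example).

Assumed structure: a business-system sub-policy library keyed by (business system,
OS type) and a device-specific sub-policy library keyed by device ID, each mapping a
software name to "allow" or "forbid". Policy rows marked constructed are not from the page.
"""
from dataclasses import dataclass, field

VIOLATION = "installed in violation"
NORMAL = "normal installation"
UNKNOWN = "unknown policy"


@dataclass
class PolicyLibrary:
    business: dict = field(default_factory=dict)  # (business_system, os_type) -> {software: "allow"|"forbid"}
    device: dict = field(default_factory=dict)    # device_id -> {software: "allow"|"forbid"}

    def lookup(self, device_id, business_system, os_type, software):
        """Steps S151-S155: the business-system sub-library is consulted first because it
        has the higher priority; the device-specific sub-library only decides when the
        business-system sub-library has no entry for the software."""
        business_rows = self.business.get((business_system, os_type), {})
        if software in business_rows:                      # S151 -> S152
            return "business-system", business_rows[software]
        device_rows = self.device.get(device_id, {})
        if software in device_rows:                        # S153 -> S154
            return "device-specific", device_rows[software]
        return None, None                                  # S155


def verdict(policy_type):
    """Map a matched policy type to the verification result; no match means unknown."""
    return {"forbid": VIOLATION, "allow": NORMAL}.get(policy_type, UNKNOWN)


def verify_device(lib, device_id, business_system, os_type, installed):
    """Produce rows (sequence number, software name, verification result) like Table 4."""
    rows = []
    for seq, name in enumerate(installed, start=1):
        _, policy_type = lib.lookup(device_id, business_system, os_type, name)
        rows.append((seq, name, verdict(policy_type)))
    return rows


LIB = PolicyLibrary(
    # The three policies described in the text for business system A / CentOS.
    business={("business-system-A", "CentOS"): {
        "telnet": "forbid", "gnome-desktop": "forbid", "openssh": "allow"}},
    # Constructed: a device-specific allow for telnet that the business-system forbid
    # must override, plus a package only the device-specific sub-library knows about.
    device={"centos-db-01": {"telnet": "allow", "vim-enhanced": "allow"}},
)
INSTALLED = ["telnet", "gnome-desktop", "openssh", "vim-enhanced", "htop"]  # constructed list

if __name__ == "__main__":
    for seq, name, result in verify_device(LIB, "centos-db-01", "business-system-A", "CentOS", INSTALLED):
        print(f"{seq} | {name} | {result}")
```

The first three rows reproduce Table 4; `vim-enhanced` is judged normal only because of the device-specific entry, and `htop` is the unknown-policy case that feeds step S231 below.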
Further, after the policy verification result for each piece of installed software on the device under inspection has been obtained in step S150, in order to present the installed software of the device in multiple dimensions and make it easy for network administrators to carry out targeted remediation of the network, the embodiment of the present invention additionally provides the following step:
S160: From the device dimension and the software dimension respectively, perform statistical analysis on the policy verification result of each piece of installed software.
Specifically, from the device dimension, display the number and detailed list of software installed on the device under inspection, the number and detailed list of normally installed software, the number and detailed list of software installed in violation, and the number and detailed list of unknown software; and, from the software dimension, display for a given piece of software the number of installations on all devices in the network where the device under inspection is located, the number and detailed list of devices on which it was judged normally installed, the number and detailed list of devices on which it was judged installed in violation, and the number and detailed list of devices on which it was judged unknown.
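The two presentations of step S160 as an added example (not the patent's code). `RESULTS` is a constructed sample of per-device verdicts, assumed to be the output of step S150 for three CentOS hosts; the host names and package names are illustrative. The example adds a third view the text does not describe, a ranking of software by the number of devices on which it is installed in violation, because that is the list an administrator works through when remediating.

```python
"""Statistical analysis of policy verification results by device and by software (added example)."""
from collections import defaultdict

NORMAL, VIOLATION, UNKNOWN = "normal", "violation", "unknown"

# Constructed sample of step S150 output: (device ID, software, verdict).
RESULTS = [
    ("centos-web-01", "openssh", NORMAL),
    ("centos-web-01", "telnet", VIOLATION),
    ("centos-web-01", "tomcat", NORMAL),
    ("centos-web-02", "openssh", NORMAL),
    ("centos-web-02", "telnet", VIOLATION),
    ("centos-web-02", "gnome-desktop", VIOLATION),
    ("centos-web-02", "htop", UNKNOWN),
    ("centos-db-01", "openssh", NORMAL),
    ("centos-db-01", "telnet", NORMAL),  # allowed on this host by a device-specific policy
    ("centos-db-01", "postgresql-server", NORMAL),
]


def device_view(results, device_id):
    """Device dimension: number and detailed list of installed, normally installed,
    violating and unknown software on one device."""
    rows = [(s, v) for d, s, v in results if d == device_id]
    lists = {"installed": sorted(s for s, _ in rows)}
    for label in (NORMAL, VIOLATION, UNKNOWN):
        lists[label] = sorted(s for s, v in rows if v == label)
    return {"lists": lists, "counts": {k: len(v) for k, v in lists.items()}}


def software_view(results, software):
    """Software dimension: how many times the software is installed across the network,
    and the number and list of devices on which it was judged normal / violation / unknown."""
    rows = [(d, v) for d, s, v in results if s == software]
    view = {"install_count": len(rows)}
    for label in (NORMAL, VIOLATION, UNKNOWN):
        devices = sorted(d for d, v in rows if v == label)
        view[label] = {"count": len(devices), "devices": devices}
    return view


def violation_ranking(results):
    """Software ordered by the number of devices on which it is installed in violation,
    most widespread first; ties are broken by name so the order is stable."""
    per_software = defaultdict(int)
    for _, s, v in results:
        if v == VIOLATION:
            per_software[s] += 1
    return sorted(per_software.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print(device_view(RESULTS, "centos-web-02"))
    print(software_view(RESULTS, "telnet"))
    print(violation_ranking(RESULTS))
```

Note that the same package can legitimately appear under both "normal" and "violation" in the software view (telnet above): the verdict is per device, because the device-specific sub-policy library differs from host to host.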
In the embodiment of the present invention, the software installation policy library has three main sources. First, in the initial phase of the product, all types of clean operating systems are installed by maximal installation, their default software is collected and built into the product as allow-installation software policies. Second, system users and administrators formulate software installation policies according to actual conditions; for example, on database servers a policy allowing Oracle, DB2 and PostgreSQL to run needs to be established, and on web servers a policy allowing software such as WebSphere, WebLogic and Tomcat to run needs to be established. In both of these ways the system or a system user actively adds software whitelist policies. Finally, according to the verification result of step S150, unknown software beyond the allow and forbid software policies is found and confirmed; the confirmation process is the process of creating a policy.
The process of building the software installation policy library is described in detail below, taking the device under inspection in the embodiment of the present invention as an example. Fig. 5 is a schematic flow chart of the method of building the software installation policy library provided in an embodiment of the present invention. As shown in Fig. 5, it specifically includes the following steps:
S211: According to the device type of the device under inspection, perform a maximal installation of multiple system versions of the operating system corresponding to that device type.
The process is illustrated with CentOS 6.6. Multiple versions of the CentOS 6.6 operating system are installed on bare metal with maximal installation: when the installation process reaches the step of selecting the applications to install, every component under nodes such as Applications, Base System, Databases, Desktops, Development, High Availability, Languages, Load Balancer, Resilient Storage, Servers, System Management, Virtualization and Web Services is selected, more than 4000 installation packages in total. The software installation policy libraries for the other device types and operating systems in the software whitelist checking system are built by installing in the same way, which this embodiment does not repeat here.
S212: Collect the default-installed software of the multiple system versions after the maximal installation.
After the system installation of step S211 is complete, the operating system is started and the list of default-installed software is collected.
S213: Set the policy type of the default-installed software to "allow installation".
Further, all CentOS 6.6 devices can be selected in the software whitelist checking system and policies added for those devices in batch, allowing installation of all default-installed software. Likewise, other device types and operating systems can be collected in the same way.
S214: Add the default-installed software and its policy type to the software installation policy library.
With the above steps, the addition of policies obtained by maximal installation of all types of clean operating systems is completed in the policy library. The process by which users formulate software installation policies as needed is introduced next. User-formulated software installation policies can be added to the software whitelist checking system in two ways: adding policies by business system, and adding policies for specific devices. Specifically:
S221: Obtain the business-system software installation policy formulated for the device under inspection.
The business-system software installation policy added by the user is obtained; it specifically includes the software added and the installation policy for that software, and the policy is added in batch to all terminal devices under that business system.
S222: Take the business-system software installation policy as the formulated software installation policy.
S223: Add the formulated software installation policy to the software installation policy library.
S224: Obtain the device-specific software installation policy formulated for the device under inspection.
S225: Determine whether the device-specific software installation policy conflicts with the business-system software installation policy.
Because the business-system policy has the higher priority, a policy being added for a specific device must first be compared with the business-system policy. If there is no conflict, step S226 is performed; otherwise the device-specific software installation policy is discarded.
S226: Take the device-specific software installation policy as the formulated software installation policy.
Step S223 is then continued: the formulated software installation policy is added to the software installation policy library.
With the above steps, the addition of user-formulated software installation policies to the policy library is completed. The process of designating installation policies according to the software verification result is introduced next.
S231: Obtain, according to the policy verification result of each piece of installed software, the unknown-policy software among the installed software.
S232: Obtain the policy type of the unknown-policy software according to the policy-type determination result for that software.
The software whitelist verification result of step S150 contains unknown software for which no policy is defined; through the administrator's confirmation process, this software yields an allow-installation or forbid-installation policy.
S233: Add the unknown-policy software and its policy type to the software installation policy library.
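The three sources of the policy library (steps S211 to S214, S221 to S226 and S231 to S233) as one added example; this is not code from the patent. The sub-library structure is the same assumption as above: a business-system sub-policy library keyed by (business system, OS type) and a device-specific sub-policy library keyed by device ID. Two further assumptions are made where the text is silent: default software collected after the maximal install is stored as device-specific "allow" entries for every device of that type (the text's "add policies for those devices in batch"), and an administrator's confirmation of unknown software is recorded against the device it was found on. `SAMPLE_RPM_QA` is constructed text in the shape of `rpm -qa --qf '%{NAME}\n'` output; a real step S212 would run that command on the freshly installed system.

```python
"""Building the software installation policy library from its three sources (added example).

Assumed structure: business-system sub-policy library keyed by (business system, OS type),
device-specific sub-policy library keyed by device ID, each mapping software -> "allow"|"forbid".
"""

ALLOW, FORBID = "allow", "forbid"

# Constructed sample in the shape of `rpm -qa --qf '%{NAME}\n'` output from a maximal install.
SAMPLE_RPM_QA = """\
bash
coreutils
openssh
openssh-server
telnet
gnome-desktop
"""


def parse_rpm_qa(text):
    """Package names from `rpm -qa --qf '%{NAME}\\n'` output: one per line, blanks dropped, de-duplicated."""
    return sorted({line.strip() for line in text.splitlines() if line.strip()})


class PolicyLibrary:
    def __init__(self):
        self.business = {}  # (business_system, os_type) -> {software: ALLOW|FORBID}
        self.device = {}    # device_id -> {software: ALLOW|FORBID}

    # Source 1, steps S212-S214: default software of the maximal install becomes "allow"
    # for every device of that type (assumption: stored in the device-specific sub-library).
    def add_default_policies(self, rpm_qa_output, device_ids):
        names = parse_rpm_qa(rpm_qa_output)
        for device_id in device_ids:
            self.device.setdefault(device_id, {}).update({n: ALLOW for n in names})
        return len(names)

    # Source 2, steps S221-S223: a business-system policy applies to all devices of that
    # business system and OS type, so it is stored once under that key.
    def add_business_policy(self, business_system, os_type, software, policy_type):
        self._check(policy_type)
        self.business.setdefault((business_system, os_type), {})[software] = policy_type

    # Source 2, steps S224-S226: the device-specific policy is compared with the
    # business-system policy first and discarded if it contradicts one (S225).
    def add_device_policy(self, device_id, business_system, os_type, software, policy_type):
        self._check(policy_type)
        existing = self.business.get((business_system, os_type), {}).get(software)
        if existing is not None and existing != policy_type:
            return False  # conflict -> discard
        self.device.setdefault(device_id, {})[software] = policy_type  # S226 -> S223
        return True

    # Source 3, step S231: installed software with no entry in either sub-library.
    def unknown_software(self, device_id, business_system, os_type, installed):
        business_rows = self.business.get((business_system, os_type), {})
        device_rows = self.device.get(device_id, {})
        return [s for s in installed if s not in business_rows and s not in device_rows]

    # Source 3, steps S232-S233: the administrator's confirmation becomes a policy
    # (assumption: recorded against the device on which the software was found).
    def confirm_unknown(self, device_id, software, decision):
        self._check(decision)
        self.device.setdefault(device_id, {})[software] = decision

    @staticmethod
    def _check(policy_type):
        if policy_type not in (ALLOW, FORBID):
            raise ValueError(f"policy type must be {ALLOW!r} or {FORBID!r}, got {policy_type!r}")


if __name__ == "__main__":
    lib = PolicyLibrary()
    lib.add_default_policies(SAMPLE_RPM_QA, ["centos-web-01", "centos-web-02"])
    lib.add_business_policy("business-system-A", "CentOS", "telnet", FORBID)
    print(lib.add_device_policy("centos-web-01", "business-system-A", "CentOS", "telnet", ALLOW))
    print(lib.unknown_software("centos-web-01", "business-system-A", "CentOS", ["telnet", "htop"]))
```

Note what the maximal install gives you: telnet is among the default packages and is therefore "allowed" at device level, and only the business-system forbid of step S221 turns it into a violation. A library built from source 1 alone is a record of what a full install contains, not yet a whitelist of what a server should run.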
The software whitelist management method provided in the embodiment of the present invention has the following advantages. First, it performs software whitelist management for server-side devices. Server-side devices are generally the core devices that carry important services; their purpose is fixed and specific, and software unrelated to the services they carry is normally not deployed on them. The method therefore not only ensures the security of data in the network but also fills the gap in software whitelist management for server-side operating systems. Second, the embodiment sends a collection script to the terminal device under inspection and automatically matches the data-collection script to the type of that device, which overcomes the shortcoming of traditional software whitelists that support only the Windows operating system, adds support for Unix-like and Linux-like operating systems, and greatly enriches the device types that a software whitelist product can support. Finally, the embodiment performs the check by logging in to the device, executing the collection script and parsing the collection result offline, so the device need only be connected at check time; no client software has to be installed and no service has to be started on the managed device, and the data-collection script performs only lightweight processing, so it does not consume large amounts of hardware resources while running and the whole collection process has very little impact on the device under inspection.
Therefore, with the software whitelist management method provided in this embodiment, the software deployed on terminal devices in the management system can be managed in fine detail, the software information running on terminal devices can be grasped accurately, software installed in violation and unrelated to service operation can be located, and servers can be kept running in their most efficient state. Large-scale promotion and use of the method can rapidly improve the security of information systems and lays a solid foundation for guaranteeing information system security.
Corresponding to the software whitelist management method described above, an embodiment of the present invention further provides a software whitelist management system. Fig. 6 is a schematic diagram of the basic structure of a software whitelist management system provided in an embodiment of the present invention. As shown in Fig. 6, the system mainly includes:
Device information acquisition module 610: for obtaining the device under inspection in the software whitelist verification task and the login information of that device.
Execution script assignment module 620: for assigning, according to the device type of the device under inspection, the corresponding software whitelist verification execution script to that device.
Execution script sending module 630: for logging in to the device under inspection according to its login information and sending the software whitelist verification execution script to it.
Execution result acquisition module 640: for obtaining the script execution result returned by the device under inspection after running the software whitelist verification execution script.
Verification result acquisition module 650: for comparing and analyzing the installed-software information in the script execution result against the software installation policy library of the device under inspection, to obtain the policy verification result for each piece of installed software on that device.
Further, the system also includes:
Verification result presentation module 660: for performing statistical analysis on the policy verification result of each piece of installed software from the device dimension and the software dimension respectively.
Further, the system also includes a software installation policy establishment module 670 for building the software installation policy library, which specifically includes:
System installation sub-module 671: for performing, according to the device type of the device under inspection, a maximal installation of multiple system versions of the operating system corresponding to that device type.
Installed software collection sub-module 672: for collecting the default-installed software of the multiple system versions after the maximal installation.
Installation policy setting sub-module 673: for setting the policy type of the default-installed software to "allow installation".
First policy addition sub-module 674: for adding the default-installed software and its policy type to the software installation policy library.
and/or,
Formulated policy acquisition sub-module 675: for obtaining the software installation policy formulated for the device under inspection. Specifically, it obtains respectively the business-system software installation policy and the device-specific software installation policy formulated for that device; takes the business-system software installation policy as the formulated software installation policy; determines whether the device-specific software installation policy conflicts with the business-system software installation policy; if there is a conflict, discards the device-specific software installation policy, and otherwise takes the device-specific software installation policy as the formulated software installation policy.
Second policy addition sub-module 676: for adding the formulated software installation policy to the software installation policy library.
and/or,
Unknown software acquisition sub-module 677: for obtaining, according to the policy verification result of each piece of installed software, the unknown-policy software among the installed software.
Policy type acquisition sub-module 678: for obtaining the policy type of the unknown-policy software according to the policy-type determination result for that software.
Third policy addition sub-module 679: for adding the unknown-policy software and its policy type to the software installation policy library.
The software whitelist management system provided in the embodiment of the present invention has the following advantages. First, it performs software whitelist management for server-side devices. Server-side devices are generally the core devices that carry important services; their purpose is fixed and specific, and software unrelated to the services they carry is normally not deployed on them. The system therefore not only ensures the security of data in the network but also fills the gap in software whitelist management for server-side operating systems. Second, the embodiment sends a collection script to the terminal device under inspection and automatically matches the data-collection script to the type of that device, which overcomes the shortcoming of traditional software whitelists that support only the Windows operating system, adds support for Unix-like and Linux-like operating systems, and greatly enriches the device types that a software whitelist product can support. Finally, the embodiment performs the check by logging in to the device, executing the collection script and parsing the collection result offline, so the device need only be connected at check time; no client software has to be installed and no service has to be started on the managed device, and the data-collection script performs only lightweight processing, so it does not consume large amounts of hardware resources while running and the whole collection process has very little impact on the device under inspection.
Each embodiment in this specification is described in a progressive manner; identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the system embodiment is described relatively simply because it is substantially similar to the method embodiment; for the relevant parts, refer to the description of the method embodiment. The system and system embodiment described above are only illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected as actually needed to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only specific embodiments of the present invention. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principles of the present invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Claims (10)
1. A software whitelist management method, characterized in that it comprises:
obtaining the device under inspection in a software whitelist verification task and the login information of the device under inspection;
assigning, according to the device type of the device under inspection, a corresponding software whitelist verification execution script to the device under inspection;
logging in to the device under inspection according to its login information and sending the software whitelist verification execution script to the device under inspection;
obtaining the script execution result returned by the device under inspection according to the software whitelist verification execution script;
comparing and analyzing the installed-software information in the script execution result against the software installation policy library of the device under inspection, to obtain the policy verification result of each piece of installed software on the device under inspection.
2. The method according to claim 1, characterized in that, after obtaining the policy verification result of each piece of installed software on the device under inspection, the method further comprises:
performing statistical analysis on the policy verification result of each piece of installed software from the device dimension and the software dimension respectively.
3. The method according to claim 1, characterized in that the method of building the software installation policy library comprises:
performing, according to the device type of the device under inspection, a maximal installation of multiple system versions of the operating system corresponding to that device type;
collecting the default-installed software of the multiple system versions after the maximal installation;
setting the policy type of the default-installed software to "allow installation";
adding the default-installed software and its policy type to the software installation policy library;
and/or,
obtaining the software installation policy formulated for the device under inspection;
adding the formulated software installation policy to the software installation policy library;
and/or,
obtaining, according to the policy verification result of each piece of installed software, the unknown-policy software among the installed software;
obtaining the policy type of the unknown-policy software according to the policy-type determination result for that software;
adding the unknown-policy software and its policy type to the software installation policy library.
4. The method according to claim 3, characterized in that obtaining the software installation policy formulated for the device under inspection comprises:
obtaining respectively the business-system software installation policy and the device-specific software installation policy formulated for the device under inspection;
taking the business-system software installation policy as the formulated software installation policy;
determining whether the device-specific software installation policy conflicts with the business-system software installation policy;
if there is a conflict, discarding the device-specific software installation policy;
otherwise, taking the device-specific software installation policy as the formulated software installation policy.
5. The method according to claim 1, characterized in that logging in to the device under inspection according to its login information and sending the software whitelist verification execution script to the device under inspection comprises:
obtaining the verification execution time and the verification cycle in the software whitelist verification task;
periodically logging in to the device under inspection and sending the software whitelist verification execution script to it, according to the verification execution time, the verification cycle and the login information of the device under inspection.
6. The method according to claim 1, characterized in that obtaining the script execution result returned by the device under inspection according to the software whitelist verification execution script comprises:
determining whether the script execution result returned by the device under inspection according to the software whitelist verification execution script has been received;
if it has been received, generating an instruction to log out of the device under inspection.
7. The method according to claim 1, characterized in that comparing and analyzing the installed-software information in the script execution result against the software installation policy library of the device under inspection, to obtain the policy verification result of each piece of installed software on the device under inspection, comprises:
parsing the script execution result to obtain the installed-software list of the device under inspection;
comparing and analyzing each piece of installed software contained in the installed-software list in turn against the software installation policy library of the device under inspection, to obtain the policy verification result of each piece of installed software on the device under inspection.
8. The method according to claim 7, characterized in that comparing and analyzing each piece of installed software contained in the installed-software list in turn against the software installation policy library of the device under inspection, to obtain the policy verification result of each piece of installed software on the device under inspection, comprises:
determining, for each piece of installed software contained in the installed-software list in turn, whether identical software can be found in the business-system sub-policy library within the software installation policy library of the device under inspection;
if so, obtaining the installation policy of that software as stored in the business-system sub-policy library;
otherwise, determining whether identical software can be found in the device-specific sub-policy library within the software installation policy library of the device under inspection;
if so, obtaining the installation policy of that software as stored in the device-specific sub-policy library;
otherwise, judging the software to be unknown-policy software.
9. A software whitelist management system, characterized in that it comprises:
a device information acquisition module, for obtaining the device under inspection in a software whitelist verification task and the login information of the device under inspection;
an execution script assignment module, for assigning, according to the device type of the device under inspection, a corresponding software whitelist verification execution script to the device under inspection;
an execution script sending module, for logging in to the device under inspection according to its login information and sending the software whitelist verification execution script to the device under inspection;
an execution result acquisition module, for obtaining the script execution result returned by the device under inspection according to the software whitelist verification execution script;
a verification result acquisition module, for comparing and analyzing the installed-software information in the script execution result against the software installation policy library of the device under inspection, to obtain the policy verification result of each piece of installed software on the device under inspection.
10. The system according to claim 9, characterized in that the system further comprises:
a verification result presentation module, for performing statistical analysis on the policy verification result of each piece of installed software from the device dimension and the software dimension respectively.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710024732.8A CN106850590B (en) | 2017-01-13 | 2017-01-13 | Software white list management method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710024732.8A CN106850590B (en) | 2017-01-13 | 2017-01-13 | Software white list management method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106850590A true CN106850590A (en) | 2017-06-13 |
| CN106850590B CN106850590B (en) | 2020-10-23 |
Family
ID=59123482
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710024732.8A Active CN106850590B (en) | 2017-01-13 | 2017-01-13 | Software white list management method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106850590B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107590200A (en) * | 2017-08-18 | 2018-01-16 | 武汉票据交易中心有限公司 | A kind of white list data management system |
| CN113918975A (en) * | 2021-10-21 | 2022-01-11 | 长城信息股份有限公司 | A whitelist management method and system for trusted computing software |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20120180037A1 (en) * | 2000-05-25 | 2012-07-12 | Mccaleb Jed | Intelligent patch checker |
| CN103561006A (en) * | 2013-10-24 | 2014-02-05 | 北京奇虎科技有限公司 | Application authentication method and device and application authentication server based on Android |
| CN104410639A (en) * | 2014-12-02 | 2015-03-11 | 厦门雅迅网络股份有限公司 | Control method for mobile phone software blacklist |
| CN104573435A (en) * | 2013-10-15 | 2015-04-29 | 北京网秦天下科技有限公司 | Method for terminal authority management and terminal |
| CN105320886A (en) * | 2015-09-22 | 2016-02-10 | 北京奇虎科技有限公司 | Method for detecting malware in mobile terminal and mobile terminal |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106850590B (en) | 2020-10-23 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | CB02 | Change of applicant information | Address after: Room 813, 8 / F, 34 Haidian Street, Haidian District, Beijing 100080. Applicant after: BEIJING ULTRAPOWER INFORMATION SAFETY TECHNOLOGY Co.,Ltd. Address before: 100107 Beijing city Haidian District wanquanzhuang Road No. 28 Wanliu new building block A room 604. Applicant before: BEIJING ULTRAPOWER INFORMATION SAFETY TECHNOLOGY Co.,Ltd. |
| | GR01 | Patent grant | |