UNIX host Security Management System

Abstract host-based security system is the main method to protect password-related hosts. This article introduces the design and implementation of a security management system based on UNIX hosts, and provides the overall idea and structure.
Keywords host Security UNIX System Access Control

Without considering physical protection and administrative measures, information system security mainly involves two technical issues: network system security and host system security. Network System Security mainly targets intrusion and threats from outside the information system. Host system security mainly targets unauthorized behaviors and intrusions of users in the information system, it mainly addresses operating system security, file system security, service program proxy restrictions, server isolation, output device isolation, computer process and file system scanning, time control, audit and tracking, and intrusion detection. and exception time statistics. At the same time, information security technology is also divided into static security technology and dynamic security technology. Traditional Information security technologies mainly focus on static reinforcement and protection of the system, and lack dynamic detection and response to security threats and security status, currently, the emerging Adaptive Security Model is a dynamic information security technology. It is under the control and guidance of the overall security policy, comprehensive use of protection tools and dynamic detection tools to understand and evaluate the security status of the system, and adjust the security status of the system through appropriate responses. This effectively increases the security intensity and response time of information systems.
 
 
According to the physical isolation of the password-related system from external security, most illegal, illegal, and abusive users in the Intranet are internal legal users with different access permissions. The host-based information security defense theory and technology mainly aim at the security vulnerabilities and weaknesses of operating systems and their networks, and study possible attack methods and corresponding protection policies, the dynamic security model and its implementation technology are studied. Many host systems use UNIX operating systems. On this basis, the security detection and management software for UNIX systems is developed. Basically changing the security and confidentiality of classified information systems relies only on administrative commands, and there is no technical means to guarantee the unfavorable situation.
 
I. system prototype structure
1. system design objectives
(1) Access Control: strengthen security control when users access system resources and services, and prevent illegal user intrusion and illegal access by legal users;
(2) Real-time Monitoring: monitors the running status of the system in real time, including running processes, system devices, system resources, and network services, determines the behaviors of online users, and prohibits unauthorized operations;
(3) Post-event Auditing: Tracking users' behaviors to ensure they are responsible for their own behaviors;
(4) System Vulnerability Detection: detects host system security vulnerabilities to prevent security risks caused by improper host settings.
 
2. System Design Principles
(1) security of the system itself: new security vulnerabilities cannot be caused by the security system. Therefore, a dedicated self-verification module should be provided;
(2) downgrading and usability: whether the security system is normal or not cannot significantly affect the normal operation of the host, and cannot paralyze the target application system due to security system errors;
(3) Impact on network and host system performance: it does not significantly affect normal network communication, and does not significantly affect the running efficiency of the original application software system on the host system;
(4) scalability of function modules: Because different functional modules run under different conditions, the scalability of the modules should be fully taken into account during the subject design;
(5) adaptability to the operating system version: Kernel programs of the operating system cannot be modified and can be easily transplanted to different UNIX operating systems;
(6) security of system installation and uninstallation: Installation and uninstallation cannot cause system downtime;
(7) user transparency: After installation, the user does not need any additional tedious input.
 
3. Overall system module structure
The access mode of the security system adopts the B/S structure, that is, the security administrator accesses the system through a browser. The overall structure 1 is shown.
Figure 1 Overall System Structure
 
Figure 1 Overall System Structure
 
4. Module description
(1) User Interface (UI): The security administrator manages security policies through IE and other browsers;
(2) WEB server: for WWW server, run the commands sent by the Administrator through the CGI program to save the configuration information of the security administrator to the database, perform operations such as database management and query by the security administrator. the operating system of the server is Linux;
(3) database (DB): In principle, it is a free Distributed Database (MYSQL and POSTGRE) in Linux ). The database is used to store configuration information, user records of Various hosts, and warning information;
(4) management subject (MA): connects to the database on the same host as the database and CGI programs running on the WEB server of the local machine through socket, and accesses the database at the same time, communicate with each TSA through socket. Receive configuration modifications sent by CGI, distribute the modified configuration files in the database to TSA, receive data, data requests, and alarms sent by TSA, and judge and process the received information accordingly;
(5) communication service subject (TSA): serves as the proxy communication module, which is responsible for communication between the lower-layer security proxy module and the Manager, and provides a security proxy for the agent's Unix operating system, start various Security Proxy modules, provide environment information for the SSH and Unix Network Information Security modules, and create a user environment;
(6) Secure SHELL (SSH): A Secure SHELL provided by the system administrator and common users. The security administrator configures system administrator permissions on the management interface, after obtaining the configuration file, shell restricts the operation behavior of the system administrator. At the same time, shell records the behavior of the system administrator and common users;
(7) UNIX System Analysis and status detection program: including UNIX File System Analysis and status detection module, UNIX user account status detection module, UNIX Process status detection module, and Security Policy Check module, security policy configuration module;
(8) Unix transformation command: improve some modules of the UNIX system as needed, such as the login and passwd modules.
 
Ii. User Access Control


Figure 2 User Access Control Process
The security management system introduces the permission list to enhance user management, control, and audit. User Access Control Process 2 is shown.

The user can access the host through the network and the host. When the user accesses the host through the network, the network service authentication module determines the user's IP address and access control, prohibit unauthorized IP addresses or illegal periods of time.
 
When a user passes the network service authentication module or accesses through the local machine, the user must pass the Enhanced User Authentication Module. The host operating system authenticates users by entering the user name and password to verify their correctness. Different host systems have different functions. The user authentication module strengthens and unifies the authentication process, increase the control of the user's machine time period.
After the user enters the system, the user Operation Control Module checks whether the user's operations are legal based on the user's operations and the user's permission list, and prohibits the user from performing unauthorized operations.
 
3. Policy-based security management system
The security management system focuses on multi-level security policies. The security administrator's management interface is the policy management interface, which is a complete set of rigorous rules for user behavior constraints to describe the security needs of the system, this rule specifies that all authorized access in the system is the basis for implementing access control. The system follows a certain security policy design, and its security first depends on the security policy, second, it depends on the mechanism to implement this policy.
 
 
The concept of multi-level security began in 1960s. It is a mathematical description of military security and can be defined by computers. A multi-level security computer system follows a multi-level security policy and provides a powerful mechanism to control sensitive information leakage. In the system, the process of operating on the user and on behalf of the user is called the subject. It is an entity that allows information to flow between objects. Objects are called objects, such as files and storage segments. objects are information entities, or they are entities that receive information from other subjects or objects. The subject can also be treated as an object. In a multi-level security computer system, each subject and object has a security level. The security level of the object indicates the sensitivity of the information contained in the object, the security level of the subject indicates the degree to which the subject is trusted. The security management system sets the permissions of various subjects and objects to implement multi-level security policies. Currently, the host system only provides security measures such as identity authentication, autonomous access control, and audit, introduce the force access control mechanism.
 
 
In the security management system, there are many subjects and objects. To facilitate management, the security management system can generate policy configuration information through policy templates. Policy templates focus on different functions of each host, such as file servers and WWW servers, network security policy configuration, and project computing, user management, process management, and file management. Policy templates also provide different security levels for the same functional host. After the policy configuration information is generated, the security administrator can modify the policy configuration as needed to make the security policy more suitable for different needs.
 
Iv. development platforms and tools
The host security protection management software is a distributed system architecture. Therefore, the host security management software varies according to its location and environment, user operation interface, performance requirements, and interface requirements, different development tools are used on different components.
 
 
For Console software, because it is mainly used by security administrators and system administrators, and should support network monitoring and audit queries, it has high requirement on Human-Machine Interface friendliness, performance requirements are not high. Therefore, you can use a common PC as the operating platform, a WINDOWS operating system as the system support platform, a IE browser as the graphical man-machine interface, and PHP as the programming and development tool.
 
 
For the manager system, because it mainly runs in the background, there is no direct requirement on the man-machine interface, there are certain requirements on performance and reliability, and it must meet the long-term continuous operation requirements of 7 × 24, for security protection, it must be separated from the monitored host. Therefore, you can choose Industrial PC as the operating platform, LINUX as the system support platform, MYSQL as the database management platform, and PHP as the database programming language tool.
 
 
The communication service agent program and Security full-function Detection and Control Program residing on the controlled UNIX system are not directly required for man-machine interfaces because they are mainly started automatically or in the background, however, they have high requirements on reliability and performance, and have high requirements on preventing internal attacks from hackers. Therefore, the C language is used as the development language, SOCKET technology is used for internal process communication, and encrypted identity authentication is used for computers.