Take Jin's operation and maintenance security audit system (SSA) as an example: the product line concentrates on operation and maintenance security management, and SSA is its operation and maintenance audit product.

1. What is SSA (Operation and Maintenance Security Audit System)?

SSA is a new-generation operation and maintenance security audit product that integrates single sign-on, account management, identity authentication, resource authorization, access control and operation auditing. It audits the operation and maintenance of operating systems, network equipment, security equipment, databases and similar targets, raising operation and maintenance auditing from event auditing to auditing of the operation content itself. Through prevention beforehand, control during the session and traceability afterwards, the platform addresses enterprise operation and maintenance security problems comprehensively and raises the level of enterprise IT operation and maintenance management.
2. SSA system functions
Complete user management and flexible authentication
To solve the problem that responsibility cannot be determined when several people operate the same resource, the SSA platform proposes centralized account management. Centralized account management covers monitoring and management of the whole account life cycle and reduces the difficulty and workload of managing a large number of user accounts. Unified management also exposes security risks in how accounts are used and allows a single, standardized account security policy to be enforced. Operation and maintenance users created in the platform support static password, dynamic password and digital certificate authentication, with security controls such as password strength, password validity period, lockout after repeated failed attempts and user activation. Users can be grouped, and user information can be imported and exported for batch processing.
Fine-grained and flexible authorization
Authorization is defined by the combination of user, operation and maintenance protocol, target host and operation and maintenance time period (year, month, day, weekday and hour), which gives fine-grained control that matches real authorization requirements. Authorization can be granted user to resource, user group to resource, user to resource group, or user group to resource group.
Single sign-on

After an operation and maintenance user passes SSA authentication and authorization, the system logs in to the background resource automatically according to the configured policy. This keeps a controlled correspondence between operation and maintenance personnel and background resource accounts and brings the passwords of those accounts under unified protection and management. SSA can collect background resource account information automatically and change the account passwords periodically according to the password security policy; the administrator maps each operation and maintenance user to a background resource account, so unauthorized use of the account is restricted; once authorized by SSA, the user is logged in to the background resource with the assigned account.
Real-time monitoring
Sessions in progress are monitored: the information shown includes the operation and maintenance user, the client address, the resource address, the protocol and the start time. Access to background resources is monitored and online operation and maintenance can be watched live. For command-interaction protocols, every operation is monitored in real time, and what the auditor sees is identical to what the operation and maintenance client sees.
Real-time alerting and blocking of illegal operations
To address operational risks in the operation and maintenance process, SSA detects illegal operations according to the security policy configured by the user and raises alerts and blocks them in real time, reducing operational risk and strengthening security control. For non-character (graphical) protocols, the whole session can be terminated in real time.
For character-based protocols, commands are matched against user-configured command-line rules to raise alerts and block them. Alert actions include escalation to an authorization review, session blocking, email alert and SMS alert.
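The command-line rule matching described above for SSA (and the equivalent illegal-operation detection described later for HAC) can be illustrated with a small policy engine. The following is an added example, not code from the original page or from the SSA or HAC products, and the rule syntax, rule set, action names and keystroke stream are all constructed assumptions. It shows two things the text only states: that rules must be applied to the command line as the client actually saw it (so terminal editing keys such as backspace and Ctrl-U have to be replayed before matching), and that a rule set which only names dangerous commands should also flag the interpreter and encoding tricks used to hide them.

```python
import re
from dataclasses import dataclass

# Severity order used when several rules match the same command line.
SEVERITY = {"allow": 0, "alert": 1, "escalate": 2, "block": 3}


@dataclass(frozen=True)
class CommandRule:
    pattern: str          # regular expression searched in the reconstructed command line
    action: str           # "alert", "escalate" (hold for administrator approval) or "block"
    protocols: frozenset = frozenset({"ssh", "telnet"})  # character-based protocols only


# Constructed sample rule set (hypothetical; not the product's own policy language).
RULES = [
    CommandRule(r"\brm\s+(?:-\S+\s+)*/\*?(?:\s|$)", "block"),                  # rm -rf / and rm -rf /*
    CommandRule(r"^\s*(?:sudo\s+)?(?:shutdown|reboot|halt|init\s+[06])\b", "block"),
    CommandRule(r"^\s*(?:sudo\s+)?(?:mkfs|dd)\b", "escalate"),                # destructive but sometimes legitimate
    CommandRule(r"^\s*(?:sudo\s+)?(?:passwd|useradd|usermod|visudo)\b", "alert"),
    # Interpreter and encoding tricks that hide a command from line-based matching.
    CommandRule(r"\b(?:bash|sh|python|perl)\s+-c\b|\|\s*(?:bash|sh)\b|\bbase64\s+(?:-d|--decode)\b", "alert"),
]


def reconstruct_line(raw: str) -> str:
    """Replay terminal editing keys so the rule sees the line as the client saw it."""
    buf = []
    for ch in raw:
        if ch in ("\x7f", "\x08"):      # DEL / backspace removes the previous character
            if buf:
                buf.pop()
        elif ch == "\x15":              # Ctrl-U discards the whole line
            buf.clear()
        else:
            buf.append(ch)
    return "".join(buf)


def evaluate(command: str, protocol: str, rules=RULES):
    """Return (action, pattern) for one command; the most severe matching rule wins.
    Rules scoped to character-based protocols do not apply to graphical sessions (RDP, VNC)."""
    best = ("allow", None)
    for rule in rules:
        if protocol not in rule.protocols:
            continue
        if re.search(rule.pattern, command) and SEVERITY[rule.action] > SEVERITY[best[0]]:
            best = (rule.action, rule.pattern)
    return best


def inspect_session(protocol: str, keystrokes: str, rules=RULES):
    """Split a captured keystroke stream at Enter, reconstruct each line and evaluate it."""
    results = []
    for raw in re.split(r"\r\n|\r|\n", keystrokes):
        command = reconstruct_line(raw).strip()
        if command:
            results.append((command, evaluate(command, protocol, rules)[0]))
    return results


# Constructed keystroke stream from an SSH session (not a real capture).
SAMPLE_STREAM = (
    "ls -la\r"
    "rm -rf /tmp/build\r"
    "rm -rf /\r"
    "cat /etc/passwd\r"
    "passwd root\r"
    "shutdown" + "\x7f" * 8 + "uptime\r"     # typed shutdown, erased it, ran uptime
    "sudo mkfs.ext4 /dev/sdb1\r"
    "echo cm0gLXJmIC8K | base64 -d | sh\r"
)

if __name__ == "__main__":
    for command, action in inspect_session("ssh", SAMPLE_STREAM):
        print(f"{action:8s} {command}")
```

Anchoring the account-management rule at the start of the line is what keeps `cat /etc/passwd` from being flagged while `passwd root` is, and the erased `shutdown` is judged as the `uptime` that was actually executed. Keystroke matching still cannot see commands typed inside an editor or run from a script on the target, so it complements full session recording rather than replacing it.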
Complete recording of common protocol sessions

The SSA platform records the full session process of SSH, FTP, Telnet, SFTP, HTTP, HTTPS, RDP, X11, VNC and other common operation and maintenance protocols for later audit. Audit results are presented in two forms: video recording and log recording. The video record carries the operation and maintenance user name, target resource name, client IP, client computer name, protocol name, start time, end time, session duration and other information.
Detailed session auditing and playback
Sessions can be queried by user name, date and content, using either a single condition or combined conditions: keywords in the operation and maintenance user, client address, background resource address, protocol, start time, end time and operation content can be combined. For command-line protocols, commands are shown together with their results; sessions are played back as images, reproducing the original operation faithfully and intuitively. Playback supports fast forward, slow motion and dragging, and can jump directly to a retrieved keyword that was typed at the keyboard; for RDP, X11 and VNC, playback can be positioned by time.
Rich audit reports
The SSA platform produces statistical analyses of the daily operations and sessions of operation and maintenance personnel, of administrators' configuration changes to the audit platform, and of operation and maintenance alert counts. Reports include daily reports, session reports, self-audit operation reports, alert reports and comprehensive statistical reports, and customized reports can be designed and presented as required. Reports can be exported in Excel format and displayed as line charts, bar charts and pie charts.
Application publishing
To meet users' operation and maintenance requirements, SSA launched the industry's first virtual desktop host secure operating system device (ESL, E-SoonLink). ESL working together with SSA fully meets audit, control and authorization requirements. Together with TSA products, it can monitor and audit operation and maintenance performed with database maintenance tools, pcAnywhere, DameWare and similar tools.

You Ke Operation and Maintenance Security Audit System (HAC)

HAC focuses on the operation and maintenance security of key IT infrastructure. It audits data access on Unix and Windows hosts, servers, network devices and security devices safely and effectively, and supports both real-time monitoring and post-event playback.
HAC makes up for the shortcomings of traditional audit systems: it raises operation and maintenance auditing from event auditing to content auditing, integrates identity authentication, authorization and auditing, and delivers prevention beforehand, control during the session and auditing afterwards.
Audit requirements
In response to financial fraud cases such as Enron and WorldCom, the Sarbanes-Oxley Act (Public Company Accounting Reform and Investor Protection Act), enacted in 2002, set new standards for corporate governance, financial accounting and regulatory auditing, requiring the board of directors, senior management and internal and external auditors to play key roles in evaluating and reporting on the effectiveness and adequacy of internal controls. Domestic regulators have likewise issued guidelines and standards for internal control and risk management. Because information systems are fragile, the technology is complex and operations depend on people, an operation and maintenance management and monitoring mechanism must be introduced: its aim is to prevent, reduce or eliminate potential risks, to prevent and detect errors or irregularities when the security architecture is designed, and to manage IT risk through a combination of prevention in advance, control during the process, and supervision and correction afterwards.
IT system auditing is an important means of controlling internal risk. However, IT systems are complex and have many operators, and how to audit them effectively has long troubled the information technology and risk audit departments of many institutions.
Solution
In response to market demand for IT operation and maintenance auditing, Jiangnan You Ke drew on many years of experience in operation and maintenance management and security services in the information security field, combined it with industry best practice and compliance requirements, and was the first to launch the Operation and Maintenance Security Audit System (HAC), a hardware-platform product aimed at core assets.
It manages operation and maintenance, reproduces the traces of key behaviour, reveals the intent behind operations, and combines global real-time monitoring with playback of sensitive processes, effectively solving a key problem in information supervision.
System functions
Complete identity management and authentication
To ensure that only legitimate users reach the background resources they are authorized for, to solve the common problem that shared operation and maintenance of IT systems makes it impossible to identify the specific person, and to answer the audit question of "who did it", the system provides a complete set of identity management and authentication functions. It supports static passwords, dynamic passwords, LDAP, AD domain, digital certificate and key authentication, among other methods.
Flexible and fine-grained authorization
Authorization is defined by the combination of user, operation and maintenance protocol, target host, operation and maintenance time period (year, month, day, weekday and hour), session length, operation and maintenance client IP and other attributes, giving fine-grained control that matches real authorization requirements.
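The fine-grained authorization described for SSA earlier (user, user group, resource and resource group combined with protocol and time period) and for HAC here (which also adds session length and client IP) can be written down as a small default-deny policy evaluator. The following is an added example, not code from the original page or from either product; the directory data, rule format, policy and request values are constructed assumptions. A request is allowed only when some rule that covers the user (directly or via group) and the resource (directly or via group) also permits the protocol, the weekday and hour, and the client network; the matching rule's session limit is returned so the session can be cut off when it expires.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed directory data (hypothetical users and resources, not from the product).
USER_GROUPS = {"alice": {"dba"}, "bob": {"netops"}}
RESOURCE_GROUPS = {"10.0.1.10": {"db-prod"}, "10.0.1.11": {"db-prod"}, "10.0.2.1": {"core-switch"}}


@dataclass(frozen=True)
class Rule:
    subject: str              # "user:<name>" or "group:<name>"
    target: str               # "host:<address>" or "group:<name>"
    protocols: frozenset      # e.g. frozenset({"ssh", "sftp"})
    weekdays: frozenset       # 0 = Monday ... 6 = Sunday
    hours: tuple              # (start, end): allowed when start <= hour < end, local time
    client_nets: tuple        # allowed operation and maintenance client networks (CIDR strings)
    max_session_seconds: int  # 0 = no limit


@dataclass(frozen=True)
class Request:
    user: str
    host: str
    protocol: str
    client_ip: str
    when: datetime


def _subject_matches(rule, user):
    kind, name = rule.subject.split(":", 1)
    return name == user if kind == "user" else name in USER_GROUPS.get(user, set())


def _target_matches(rule, host):
    kind, name = rule.target.split(":", 1)
    return name == host if kind == "host" else name in RESOURCE_GROUPS.get(host, set())


def _failing_dimension(rule, req):
    """Name the first dimension the request fails under this rule, or None if it passes all."""
    if req.protocol not in rule.protocols:
        return "protocol"
    start, end = rule.hours
    if req.when.weekday() not in rule.weekdays or not (start <= req.when.hour < end):
        return "time window"
    addr = ip_address(req.client_ip)
    if not any(addr in ip_network(net) for net in rule.client_nets):
        return "client address"
    return None


def authorize(rules, req):
    """Default deny. Returns (allowed, reason, max_session_seconds): the first rule that
    covers the user/resource pair and passes every dimension grants access; otherwise the
    reason lists which dimension each covering rule rejected."""
    reasons = []
    for rule in rules:
        if not (_subject_matches(rule, req.user) and _target_matches(rule, req.host)):
            continue
        failed = _failing_dimension(rule, req)
        if failed is None:
            return True, f"{rule.subject} -> {rule.target}", rule.max_session_seconds
        reasons.append(f"{rule.subject} -> {rule.target}: {failed} not permitted")
    return False, "; ".join(reasons) or "no rule covers this user and resource", 0


def check(rules, user, host, protocol, client_ip, when_iso):
    """Convenience wrapper: evaluate a request given as plain values and an ISO timestamp."""
    return authorize(rules, Request(user, host, protocol, client_ip, datetime.fromisoformat(when_iso)))


WORKDAYS = frozenset(range(5))
EVERY_DAY = frozenset(range(7))

# Constructed sample policy.
POLICY = [
    # DBAs reach production databases over SSH/SFTP on workdays, office hours,
    # from the operation and maintenance VLAN, one hour per session.
    Rule("group:dba", "group:db-prod", frozenset({"ssh", "sftp"}), WORKDAYS, (9, 18), ("10.10.0.0/16",), 3600),
    # bob alone reaches the core switch at any time from the network operations jump network, no limit.
    Rule("user:bob", "host:10.0.2.1", frozenset({"ssh", "telnet"}), EVERY_DAY, (0, 24), ("10.20.5.0/24",), 0),
]

if __name__ == "__main__":
    print(check(POLICY, "alice", "10.0.1.10", "ssh", "10.10.3.4", "2024-03-05T10:30"))
    print(check(POLICY, "alice", "10.0.1.10", "rdp", "10.10.3.4", "2024-03-05T10:30"))
```

Returning the rejected dimension rather than a bare "denied" is what makes the alert and audit trail useful: an operator connecting at the right time over the wrong protocol and an operator connecting from an unexpected address are different events for the auditor.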
Automatic login of background resources
After operation and maintenance personnel pass HAC authentication and authorization, HAC logs in to the background resource automatically according to the configured policy. This provides a controlled correspondence between operation and maintenance personnel and background resource accounts and places the passwords of background resource accounts under unified protection.
Real-time monitoring
Online operation and maintenance can be monitored in real time. For command-interaction protocols, every operation is monitored live in image form, and what the auditor sees is identical to what the operation and maintenance client sees.
Real-time alerting and blocking of illegal operations
To address operational risks in the operation and maintenance process, HAC detects illegal operations according to the security policy configured by the user and raises alerts and blocks them in real time, reducing operational risk and strengthening security control.
Complete recording of network sessions
The system keeps complete records of network sessions over Telnet, FTP, SSH, SFTP, RDP (Windows terminal), X Window, VNC, AS/400 and other protocols, meeting the content-audit requirement that no information is lost.
Detailed session auditing and playback
HAC provides an audit interface with video playback that reproduces the operation process faithfully, intuitively and visually.
Complete audit reports
HAC provides audit reports on the operations of operation and maintenance personnel, the operations of administrators, violation events and more.
Auditing of application-level operation and maintenance
HAC audits the operation and maintenance of various applications and can provide a complete operation and maintenance security audit solution. New applications can be published and brought under audit quickly according to users' needs.
Integration with ITSM (IT Service Management)
HAC can be integrated with ITSM to optimize the change management process and strengthen risk control in change management.
System characteristics
Auditing of encrypted operation and maintenance protocols
HAC was the first to solve the auditing of encrypted protocols such as SSH and RDP, meeting users' audit requirements in both Unix and Windows environments.
Separation of management duties
The system provides three management roles, the device administrator, the operation and maintenance administrator and the auditor, so that no single role controls the system and the security of system management is guaranteed technically.
Stricter audit management
The system combines authentication, authorization and auditing into one mechanism, delivering prevention beforehand, control during the session and auditing afterwards.
Flexible deployment and convenient operation
The system supports one-armed (out-of-path) and inline (in-path) deployment modes, and supports management, configuration and auditing through a browser-based (B/S) interface.
System security design
Streamlined kernel and optimized TCP/IP protocol stack
Processing engine running in kernel mode
Dual-machine hot standby
Strict access control
Secure access management, configuration and auditing over HTTPS
Encrypted storage of audit information
Complete backup and recovery mechanism for audit information
System deployment
Given the complexity of enterprise networks and management architectures, HAC offers flexible deployment: it can be connected to the enterprise internal network inline or in one-armed (out-of-path) mode. Deployed inline, HAC has a degree of network control and can improve the security of access to core servers. Deployed one-armed, the network topology is unchanged, installation and commissioning are simple, and it can be attached flexibly according to the actual enterprise network architecture; in this mode the device only sees sessions that are directed to it, so direct access to the target hosts should be restricted by network ACLs or host firewall rules so that the audit system cannot be bypassed.
In either mode, every access to IT infrastructure resources through HAC is recorded and stored in detail as the basic data for auditing. Deploying HAC has no negative effect on business systems, data flows, bandwidth or other key network indicators, and no software or hardware needs to be installed on the core servers or on the operator clients.
Certifications
The Operation and Maintenance Security Audit System (HAC) has obtained the sales license for special products for computer information system security issued by the Ministry of Public Security, passed the inspection of the Security Evaluation Center for Classified Information Systems of the State Secrecy Bureau and obtained the inspection certificate for classified information system products, and passed the national information security evaluation to obtain the information technology product security evaluation certificate.