CN115774651B - Security monitoring method, device, equipment and chip based on microkernel operating system - Google Patents


Info

Publication number
CN115774651B
Authority
CN
China
Prior art keywords
audit
buffer
information
log
user space
Prior art date
Legal status
Active
Application number
CN202310093203.9A
Other languages
Chinese (zh)
Other versions
CN115774651A (en)
Inventor
赵东艳
王慧
王喆
曾林
李德建
顿中强
Current Assignee
Beijing Smartchip Microelectronics Technology Co Ltd
Original Assignee
Beijing Smartchip Microelectronics Technology Co Ltd


Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the disclosure discloses a security monitoring method, a device, equipment and a chip based on a microkernel operating system, wherein the method comprises the following steps: responding to a call request of an execution object of a user space to a system call interface in a microkernel operating system, and matching a system call event type corresponding to the call request with pre-configured audit configuration information in the kernel space; when the system call event type is matched with the audit configuration information, recording entry audit information when the system call interface enters kernel space operation in an audit context structure of an execution object, and recording exit audit information when the system call interface exits in the audit context structure of the execution object; and outputting the entry audit information and the exit audit information in the audit context structure from the kernel space to an audit buffer area of the user space when exiting the system call interface. According to the technical scheme, the operating system can be safely monitored on the premise that the kernel is simplified as much as possible.

Description

Security monitoring method, device, equipment and chip based on microkernel operating system
Technical Field
The disclosure relates to the technical field of chips, and in particular relates to a security monitoring method, device and equipment based on a microkernel operating system and a chip.
Background
Auditing is an analysis technique for post hoc confirmation of violations of the security rules; a security audit provides timely warning information to an administrator when a user violates the security rules, thereby implementing the tracking, examining, counting and reporting of system information. Some open source operating systems have already implemented audit functions.
Linux provides an audit system for recording system security events. The audit system comprises a user space audit system and a kernel space audit system. The user space audit system consists of a number of user space audit programs and is used to start the kernel audit function, set audit rules and the audit system state, receive the audit messages sent by the kernel audit system and write them to log files, and retrieve audit messages and generate audit summary reports. The kernel audit system is used to generate and filter the various audit messages of the kernel.
The Linux security audit system is divided into a syslog part and an audit part. The audit part is mainly used for recording security information, including reads and writes of files, modification of permissions and the like, and the syslog part is mainly used for recording various kinds of information in the system, such as hardware alarms, software logs and the like. The log data mainly comprises three types: kernel and system logs, user logs and program logs.
syslog belongs to the application layer services and is dedicated to logging, so each program can be understood as a subsystem, and syslog can store logs in different files according to their type and priority. In addition, syslog has two processes: syslogd is responsible for recording the logs generated by non-kernel programs, and klogd is responsible for the logs generated by the kernel, which are read out through the syslog system call and recorded in a log file.
In addition to Linux, there is the SNARE (System iNtrusion Analysis and Reporting Environment) audit system, which is open source security audit and event log software. SNARE is mainly divided into three modules: a dynamically loaded kernel module, auditmodule; an audit monitoring daemon, auditd, running in user space; and a graphical configuration and reporting tool, snare. The system separates the audit function from the kernel into a module independent of the kernel. The system calls to be audited are rewritten so that the collection of audit information is implemented in the new system calls and the audit records are put into a buffer pool; after the module is loaded, the function pointers in the system call table are pointed at the new system call functions, so that the new system calls with the audit function replace the original ones.
In addition, the WINDOWS NT auditing system is capable of detecting and recording security-related events that create, access or delete system resources, and of recording the users who perform these activities. The object manager can generate audit events according to the audit policy during the audit process, which is a passive process; audit events can also be generated actively by using the audit function in a user program.
The Linux operating system uses a monolithic kernel architecture: the main core components of the system are all implemented in the kernel, and some modules of the security audit system are also implemented in the kernel.
The audit events of the SNARE system are few and not comprehensive, and its way of separating the audit system by means of the system call relies on the system call table, so that when the system call table cannot be referenced from a kernel module, this approach cannot be implemented.
Therefore, for the microkernel operating system, a security audit monitoring system needs to be designed at the user layer, maintaining the security and reliability of the operating system while guaranteeing isolation.
Disclosure of Invention
The embodiment of the disclosure provides a security monitoring method, device, equipment and chip based on a microkernel operating system.
In a first aspect, an embodiment of the present disclosure provides a security monitoring method based on a microkernel operating system, where the method includes:
responding to a call request of an execution object of a user space to a system call interface in a microkernel operating system, and matching a system call event type corresponding to the call request with pre-configured audit configuration information in the kernel space;
when the system call event type is matched with the audit configuration information, recording entry audit information when the system call interface enters kernel space operation in an audit context structure of the execution object, and recording exit audit information when the system call interface exits in the audit context structure of the execution object;
and outputting the entry audit information and the exit audit information in the audit context structure from the kernel space to an audit buffer of the user space when the system call interface is exited.
Further, the method further comprises:
and when the system call event type corresponding to the call request is not matched with the audit configuration information, writing first kernel-state log information generated by the system call interface in the kernel space execution process into a log buffer area of a user space.
Further, the method further comprises:
writing user state log information generated by a user space into the log buffer area; and/or
writing second kernel-state log information generated by the kernel space into the log buffer area; the second kernel-state log information is generated in the kernel space by a non-system call interface.
Further, the method further comprises:
reading log information in the log buffer area in a user space;
and calling a file system interface to output the log information in the log buffer area to a control console or a log file.
Further, the method further comprises:
acquiring user space audit information generated by a user space;
matching the user space audit information with the audit configuration information;
and when the user space audit information is matched with the audit configuration information, writing the user space audit information into the audit buffer area.
Further, the method further comprises:
receiving user configuration information input by a user in a user space through a preset interface;
updating the audit configuration information stored in a user space based on the user configuration information.
Further, the method further comprises:
receiving a request for checking the log file by a user in a user space;
and outputting the log file to a user based on the viewing request.
Further, the method further comprises:
reading audit information in the audit buffer area in a user space;
and calling a file system interface to output the audit information in the audit buffer area to an audit file.
Further, the method further comprises:
receiving a request for checking the audit file in a user space by a user;
and outputting an audit report to a user based on the audit information in the audit file.
Further, the method further comprises:
setting an audit buffer linked list in a user space; the audit buffer linked list is used for storing pointers pointing to the audit buffers;
calling a file system interface to output the audit information in the audit buffer area to an audit file, including:
after the number of pointers in the audit buffer linked list exceeds a preset threshold, calling a file system interface in the user space to output the audit information in the audit buffers to the audit file based on the pointers in the audit buffer linked list;
and deleting the corresponding pointers from the audit buffer linked list.
Further, the method further comprises:
establishing an idle audit buffer area;
storing a pointer pointing to the idle audit buffer in an idle audit buffer list;
outputting the entry audit information and the exit audit information in the audit context structure from the kernel space to an audit buffer of a user space when exiting the system call interface, comprising:
requesting an idle audit buffer from the idle audit buffer list;
and writing audit information in the audit context structure into the idle audit buffer area.
Further, the method further comprises:
reallocating the audit buffer when no audit buffer is idle in the idle audit buffer list;
and writing the audit information in the audit context structure into the redistributed audit buffer area.
Further, the method further comprises:
after the content in the audit file exceeds the preset storage capacity, a new audit file is established;
and deleting one or more audit files which are established first according to the time sequence after the number of the audit files exceeds the preset number.
In a second aspect, in an embodiment of the present disclosure, a security monitoring device based on a microkernel operating system is provided, where the security monitoring device includes:
the response module is configured to respond to a call request of an execution object of the user space to a system call interface in the microkernel operating system, and match a system call event type corresponding to the call request with preset audit configuration information in the kernel space;
the recording module is configured to record entry audit information when the system call interface enters kernel space operation in an audit context structure of the execution object when the system call event type is matched with the audit configuration information, and record exit audit information when the system call interface exits in the audit context structure of the execution object;
and the first output module is configured to output the entry audit information and the exit audit information in the audit context structure from the kernel space to an audit buffer of a user space when the system call interface is exited.
Further, the apparatus further comprises:
and the first writing module is configured to write first kernel-state log information generated by the system call interface in the kernel space execution process into a log buffer of the user space when the system call event type corresponding to the call request is not matched with the audit configuration information.
Further, the apparatus further comprises:
the second writing module is configured to write user state log information generated by the user space into the log buffer area; and/or
the third writing module is configured to write second kernel-state log information generated by the kernel space into the log buffer; the second kernel-state log information is generated in the kernel space by a non-system call interface.
Further, the apparatus further comprises:
a first reading module configured to read log information in the log buffer in a user space;
and the first calling module is configured to call a file system interface to output the log information in the log buffer to a console or a log file.
Further, the apparatus further comprises:
the acquisition module is configured to acquire user space audit information generated by a user space;
the matching module is configured to match the user space audit information with the audit configuration information;
and the fourth writing module is configured to write the user space audit information into the audit buffer area when the user space audit information is matched with the audit configuration information.
Further, the apparatus further comprises:
the first receiving module is configured to receive user configuration information input by a user in a user space through a preset interface;
and the updating module is configured to update the audit configuration information stored in a user space based on the user configuration information.
Further, the apparatus further comprises:
the second receiving module is configured to receive a request for viewing the log file by a user in a user space;
and a second output module configured to output the log file to a user based on the view request.
Further, the apparatus further comprises:
the second reading module is configured to read audit information in the audit buffer area in a user space;
and the second calling module is configured to call a file system interface to output the audit information in the audit buffer to an audit file.
Further, the apparatus further comprises:
the third receiving module is configured to receive a viewing request of a user on the audit file in a user space;
and the third output module is configured to output an audit report to a user based on the audit information in the audit file.
Further, the apparatus further comprises:
the setting module is configured to set an audit buffer linked list in the user space; the audit buffer linked list is used for storing pointers pointing to the audit buffers;
the second calling module comprises:
the calling sub-module is configured to call a file system interface in the user space to output the audit information in the audit buffers to the audit file based on the pointers in the audit buffer linked list after the number of pointers in the audit buffer linked list exceeds a preset threshold;
and the deleting sub-module is configured to delete the corresponding pointers from the audit buffer linked list.
Further, the apparatus further comprises:
the first establishing module is configured to establish an idle audit buffer area;
a storage module configured to store a pointer to the free audit buffer in a free audit buffer linked list;
the first output module includes:
a request sub-module configured to request an idle audit buffer from the idle audit buffer linked list;
and the writing submodule is configured to write audit information in the audit context structure into the idle audit buffer.
Further, the apparatus further comprises:
the allocation module is configured to reallocate an audit buffer when no audit buffer is idle in the idle audit buffer linked list;
and a fifth writing module configured to write audit information in the audit context structure into the reassigned audit buffer.
Further, the apparatus further comprises:
the second building module is configured to build a new audit file after the content in the audit file exceeds the preset storage capacity;
and the deleting module is configured to delete one or more audit files which are established first according to time sequence after the number of the audit files exceeds the preset number.
The functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
In one possible design, the structure of the above apparatus includes a memory for storing one or more computer instructions for supporting the above apparatus to perform the corresponding method, and a processor configured to execute the computer instructions stored in the memory. The apparatus may further comprise a communication interface for the apparatus to communicate with other devices or a communication network.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including a memory, a processor, and a computer program stored on the memory, where the processor executes the computer program to implement the method of any one of the above aspects.
In a fourth aspect, embodiments of the present disclosure provide a computer-readable storage medium storing computer instructions for use by any one of the above-described apparatuses, which when executed by a processor, are configured to implement the method of any one of the above-described aspects.
In a fifth aspect, embodiments of the present disclosure provide a computer program product comprising computer instructions for implementing the method of any one of the above aspects when executed by a processor.
In a sixth aspect, embodiments of the present disclosure provide a chip for executing instructions to implement the method of any one of the above aspects.
The technical scheme provided by the embodiment of the disclosure can comprise the following beneficial effects:
the embodiment of the disclosure designs and implements a security monitoring scheme based on the microkernel operating system, and ensures the security of the operating system by recording and analyzing the runtime information of the operating system. In the prior art, no complete security audit scheme has been designed for a microkernel operating system; the embodiment of the disclosure designs and implements a security monitoring scheme based on the microkernel operating system that conforms to the operating system security standard, and uses the security monitoring scheme to record the state and information of the operating system in real time at runtime. According to the embodiment of the disclosure, an audit rule configuration service is provided in the user space; an authorized user configures the events, formats and the like that need to be audited according to requirements; only the relevant events configured by the authorized user are conditionally recorded while the kernel runs; and the security monitoring of the operating system is performed on the premise of simplifying the kernel as much as possible.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
Other features, objects and advantages of the present disclosure will become more apparent from the following detailed description of non-limiting embodiments, taken in conjunction with the accompanying drawings. In the drawings:
FIG. 1 illustrates a flow chart of a microkernel operating system based security monitoring method in accordance with an embodiment of the present disclosure.
FIG. 2 illustrates a schematic diagram of an implementation of a log buffer and/or audit buffer according to an embodiment of the present disclosure.
FIGS. 3(a) to 3(c) illustrate an implementation schematic of a log system and an audit system included in a security monitoring system of a microkernel operating system in accordance with an embodiment of the present disclosure.
FIG. 4 illustrates a block diagram of a security monitoring device based on a microkernel operating system in accordance with an embodiment of the present disclosure.
Fig. 5 shows a block diagram of an electronic device according to an embodiment of the present disclosure.
FIG. 6 is a schematic diagram of a computer system suitable for use in implementing a microkernel operating system-based security monitoring method in accordance with an embodiment of the present disclosure.
Detailed Description
Hereinafter, exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily implement them. In addition, for the sake of clarity, portions irrelevant to description of the exemplary embodiments are omitted in the drawings.
In this disclosure, it should be understood that terms such as "comprises" or "comprising," etc., are intended to indicate the presence of features, numbers, steps, acts, components, portions, or combinations thereof disclosed in this specification, and do not preclude the presence or addition of one or more other features, numbers, steps, acts, components, portions, or combinations thereof.
In addition, it should be noted that, without conflict, the embodiments of the present disclosure and features of the embodiments may be combined with each other. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Details of embodiments of the present disclosure are described in detail below with reference to specific embodiments.
FIG. 1 illustrates a flow chart of a microkernel operating system based security monitoring method in accordance with an embodiment of the present disclosure. As shown in fig. 1, the security monitoring method based on the microkernel operating system includes the following steps:
in step S101, in response to a call request of an execution object of a user space to a system call interface in a microkernel operating system, matching a system call event type corresponding to the call request with preset audit configuration information in the kernel space;
in step S102, when the system call event type is matched with the audit configuration information, recording entry audit information when the system call interface enters kernel space operation in an audit context structure of the execution object, and recording exit audit information when the system call interface exits in the audit context structure of the execution object;
In step S103, the entry audit information and the exit audit information in the audit context structure are output from the kernel space to an audit buffer of the user space when the system call interface is exited.
In this embodiment, for microkernel operating systems the kernel portion is simplified to the greatest extent. The kernel part only comprises the most basic mechanisms for implementing the basic functions of operating system services, such as the IPC (inter-process communication) mechanism, address space management and scheduling, while device communication, file systems, application programs and the like are implemented by user-mode service programs at the service level. When a common application program needs a service of the operating system, it initiates inter-process communication to the corresponding service program; the service program performs the related operation and, if necessary, traps into kernel mode through the system call interface provided by the kernel to complete some basic operations; the result is then fed back to the application program through inter-process communication.
According to the embodiment of the disclosure, the application scenario is first taken to be a microkernel operating system: a security monitoring system is added on the microkernel operating system architecture, the kernel part is simplified as far as possible, and the functions of the security monitoring system are implemented as user space service programs.
The security monitoring system in the embodiment of the disclosure at least comprises an audit system. The audit system is used for security tracking, and the design of the audit system aims at simplifying the kernel as much as possible, and relevant audit services are designed in the user space.
The audit event is the minimum unit of system audit user action, and the collection of audit event refers to the establishment of audit event under a certain security level audit standard. From the perspective of the subject, the system needs to record all activities performed by the user, and from the perspective of the object, the system needs to record all access activities of an object.
Audit events can be largely divided into system call class events and user trusted events, for which embodiments of the present disclosure have been designed as follows:
the subject of a system call class event is a thread. A system call class event can be understood as a call event of an execution object of the user space, such as a thread, to a system call interface provided by the microkernel operating system. Therefore, in the embodiment of the disclosure, after detecting a system call class event, that is, detecting a call request of an execution object of the user space to a system call interface, the security monitoring system can collect audit information for the audit system designed for system call class events and output the audit information to a log file of the user space, so that an authorized user can subsequently audit the use of the microkernel operating system based on the log file.
According to the embodiment of the disclosure, a management tool for configuring audit configuration information can be provided to authorized users in the user space. The management tool can provide an audit information configuration interface or a command input interface, and the authorized users can configure the corresponding audit rules, the output format of audit information and the like through the audit information configuration interface or by command input. The audit configuration information configured by the authorized user may be stored in a corresponding storage file for subsequent reading by the security monitoring system.
In the embodiment of the disclosure, the security monitoring system can be implemented by programming, and after the security monitoring system is running, one or more detection threads can be started in the user space to detect system call class events. After detecting a system call event, the one or more detection threads in the security monitoring system match the type of the system call event against the rules set in the audit configuration information in the storage file. If the currently detected system call event is an event related to content that an authorized user has preset as needing to be audited, that is, when the type of the currently invoked system call event matches the preset audit configuration information, the entry audit information of the currently invoked system call interface entering kernel mode operation is written into the audit context structure corresponding to the execution object, and the exit audit information when the system call interface finishes executing and exits is also written into the audit context structure corresponding to the execution object.
The audit context structure can be programmed in the source code of the execution object; after the security monitoring system is running, the audit context structure is created when the execution object is created, and when the system call interface exits, one or more information output threads started after the security monitoring system is running output the corresponding entry audit information and exit audit information in the context structure from the kernel space to an audit buffer of the user space. The audit context structure may then be cleared.
In some embodiments, the audit context structure may be as follows:
struct audit_context {
    enum audit_state state;    // audit state
    unsigned int serial;       // recorded serial number
    struct timespec ctime;     // system call entry time
    int major;                 // system call number
    unsigned long argv[4];     // system call parameters
    long return_code;          // system call return code
    int auditable;             // flag of whether it has been written to the audit buffer
    // ...
};
The entry audit information and the exit audit information may be based on the audit context structure, that is, the audit context structure defines what the entry audit information and the exit audit information respectively include. As shown in the audit context structure above, the entry audit information may include, but is not limited to, the audit state, serial number, system call entry time, system call number and system call parameters in the audit context structure; the exit audit information may include, but is not limited to, the system call return code and the flag of whether the content of the audit context structure has been output to an audit buffer. In some embodiments, an audit buffer of the user space may be created when the security monitoring system is initialized, and read and write operations on the audit buffer are performed by a read/write thread started at initialization.
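As an added example, not code from the patent, the following C program models steps S101 to S103 as a user-space simulation: the audit context structure above, matching of the system call number against the audit configuration, recording of the entry and exit audit information, and output of the record into an audit buffer taken from the idle audit buffer linked list, reallocating one when none is idle as the summary describes. The bitmap form of the configuration and the names audit_system, audit_config, audit_init, audit_get_buffer and the audit_state constants are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Audit state of an execution object's current call (constant names are assumed). */
enum audit_state { AUDIT_DISABLED = 0, AUDIT_BUILD_CONTEXT = 1 };

/* Per-execution-object audit context, following the structure described above. */
struct audit_context {
    enum audit_state state;   /* audit state */
    unsigned int serial;      /* record serial number */
    struct timespec ctime;    /* system call entry time */
    int major;                /* system call number */
    unsigned long argv[4];    /* system call parameters */
    long return_code;         /* system call return code */
    int auditable;            /* 1 once written to an audit buffer */
};

/* Pre-configured audit configuration: which system call numbers to audit (assumed bitmap). */
#define MAX_SYSCALL 64
struct audit_config { unsigned char audited[MAX_SYSCALL]; };

/* A user-space audit buffer holding one record, linked into the idle or the used list. */
struct audit_buffer {
    struct audit_context record;
    struct audit_buffer *next;
};

/* Assumed container for the configuration and the two buffer lists. */
struct audit_system {
    struct audit_config cfg;
    struct audit_buffer *idle_list;  /* idle audit buffer linked list */
    struct audit_buffer *used_list;  /* records awaiting output to the audit file */
    unsigned int used_count;
    unsigned int reallocated;        /* buffers allocated because none was idle */
    unsigned int next_serial;
};

/* Create n idle audit buffers when the security monitoring system initialises. */
static void audit_init(struct audit_system *sys, unsigned int n_idle) {
    memset(sys, 0, sizeof(*sys));
    for (unsigned int i = 0; i < n_idle; i++) {
        struct audit_buffer *b = calloc(1, sizeof(*b));
        if (!b) break;
        b->next = sys->idle_list;
        sys->idle_list = b;
    }
}

/* S101: match the call's event type (its system call number) against the configuration. */
static int audit_matches(const struct audit_config *cfg, int major) {
    return major >= 0 && major < MAX_SYSCALL && cfg->audited[major];
}

/* S102, entry side: record entry audit information if the event matches. Returns 1 if audited. */
static int audit_syscall_entry(struct audit_system *sys, struct audit_context *ctx,
                               int major, const unsigned long argv[4]) {
    if (!audit_matches(&sys->cfg, major)) {
        ctx->state = AUDIT_DISABLED;   /* not audited: only the log buffer would see this call */
        return 0;
    }
    ctx->state = AUDIT_BUILD_CONTEXT;
    ctx->serial = ++sys->next_serial;
    ctx->ctime.tv_sec = time(NULL);
    ctx->ctime.tv_nsec = 0;
    ctx->major = major;
    memcpy(ctx->argv, argv, sizeof(ctx->argv));
    ctx->auditable = 0;
    return 1;
}

/* Take a buffer from the idle list, or reallocate one when no buffer is idle. */
static struct audit_buffer *audit_get_buffer(struct audit_system *sys) {
    struct audit_buffer *b = sys->idle_list;
    if (b) {
        sys->idle_list = b->next;
    } else {
        b = calloc(1, sizeof(*b));
        if (b) sys->reallocated++;
    }
    return b;
}

/* S102 exit side and S103: record the return code, output the context to a user-space
   audit buffer, then clear the context. Returns 1 if a record was written. */
static int audit_syscall_exit(struct audit_system *sys, struct audit_context *ctx, long ret) {
    if (ctx->state != AUDIT_BUILD_CONTEXT)
        return 0;
    ctx->return_code = ret;
    struct audit_buffer *b = audit_get_buffer(sys);
    if (!b)
        return 0;
    ctx->auditable = 1;                /* flag: written to the audit buffer */
    b->record = *ctx;
    b->next = sys->used_list;
    sys->used_list = b;
    sys->used_count++;
    memset(ctx, 0, sizeof(*ctx));      /* audit context is cleared after output */
    return 1;
}
```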
The embodiment of the disclosure designs and realizes a security monitoring scheme based on the microkernel operating system, and ensures the security of the operating system by recording and analyzing the runtime information of the operating system. In the prior art, a perfect security audit scheme is designed aiming at a microkernel operating system, but the embodiment of the disclosure designs and realizes a security monitoring scheme which accords with the security standard of the operating system and is based on the microkernel operating system, and the security monitoring scheme is utilized to record the state and information of the operating system in real time during operation. According to the embodiment of the disclosure, the configuration audit rule service is provided in the user space, the authority user configures events, formats and the like which need to be audited according to the requirements, the related events configured by the authority user are only conditionally recorded in the running process of the kernel system, and the security monitoring is performed on the operating system on the premise of maximizing the kernel as much as possible.
In an alternative implementation of this embodiment, the method further includes the steps of:
and when the system call event type corresponding to the call request is not matched with the audit configuration information, writing first kernel-state log information generated by the system call interface in the kernel space execution process into a log buffer area of a user space.
In this optional implementation, if the system call event type of the currently called system call interface does not match the audit configuration information configured in advance by the authorized user, the content of the current system call is not audit information of interest to that user, so no audit information need be generated. For later inspection, however, the related log information may be written to the log buffer of the user space. In some embodiments this is done by a log output thread started after the security monitoring system runs.
That is, when the security monitoring system is initialized, an audit buffer and a log buffer are created in user space. For a system call class event in the microkernel operating system for which the authorized user has not configured audit information in advance, the log output thread still writes the first kernel-state log information related to the event into the log buffer. This first kernel-state log information may include, but is not limited to, the start time and end time of the system call event and any modification made to the microkernel operating system while it runs. A dedicated log output thread in the microkernel operating system writes the logs of programs running in kernel space into the log buffer in user space.
In an alternative implementation of this embodiment, the method further includes the steps of:
writing user state log information generated by the user space into the log buffer; and/or
writing second kernel-state log information generated by the kernel space into the log buffer, the second kernel-state log information being generated in kernel space by a non-system-call interface.
In this alternative implementation, user state log information generated in user space and second kernel-state log information generated in kernel space may both be recorded in the log buffer. To distinguish log information produced by system call events from log information produced under other conditions in kernel space, the former is called first kernel-state log information and the latter second kernel-state log information. In some embodiments, both kinds of kernel-state log information are written to the log buffer by a log output thread created when the security monitoring system is initialized; the first and second kernel-state log information may be handled by the same log output thread or by different ones.
In some embodiments, user state log information for a user space may include, but is not limited to, an application software running log running in the user space, a record of modifications to configuration information in the user space, and the like; the first kernel-mode log information or the second kernel-mode log information may include, but is not limited to, running records of a microkernel operating system, alarm prompt records in the microkernel operating system, operation log records of a user thread on the microkernel operating system, behavior records of the user thread in the microkernel operating system, and the like.
The first kernel-state log information and the second kernel-state log information generated by the kernel space may be output from the kernel space into a log buffer of the user space by a specially configured log output thread. The log information generated by the user space may be written into the log buffer of the user space by the corresponding log output thread. In some embodiments, the corresponding log output thread may be started after the security monitoring system is run.
In an alternative implementation of this embodiment, the method further includes the steps of:
reading log information in the log buffer area in a user space;
And calling a file system interface to output the log information in the log buffer area to a control console or a log file.
In this alternative implementation, the log information is recorded in a log buffer created in user space. After the security monitoring system starts it may launch a log read thread, which writes the log information from the log buffer into the log file when the buffer is full or at regular intervals. Writing the log file takes place in user space: the log read thread calls a file system interface to copy the log information from the log buffer into the log file. In other embodiments, the log read thread may call the file system interface to output the log information in the log buffer directly to the console, where it is stored on the console's storage device and/or shown on its display for the relevant personnel.
In an alternative implementation of this embodiment, the method further includes the steps of:
acquiring user space audit information generated by a user space;
matching the user space audit information with the audit configuration information;
And when the user space audit information is matched with the audit configuration information, writing the user space audit information into the audit buffer area.
In this optional implementation, the user space may also generate information that the authorized user wants to audit. The authorized user can therefore configure audit configuration information for the user space in advance, specifying the event types and/or information types to be audited. When the user space generates user space audit information, an audit matching thread started after the security monitoring system runs matches it against the audit configuration information: if it matches, the information is written into the audit buffer; if not, it is written into the log buffer instead.
In an alternative implementation of this embodiment, the method further includes the steps of:
receiving user configuration information input by a user in a user space through a preset interface;
updating the audit configuration information stored in a user space based on the user configuration information.
In this alternative implementation, the authorized user may input user configuration information through an interface preset in the user space, where the user configuration information may be used to update audit configuration information stored in the user space in advance. In this way, the authorized user can pre-configure audit configuration information in the user space, and can further carry out editing operations such as modification and the like on the audit configuration information. After the security monitoring system operates, an interface for a user to input user configuration information can be provided, through which the security monitoring system can receive the user configuration information input by the user and update the received user configuration information into a storage file of the configuration information.
In an alternative implementation of this embodiment, the method further includes the steps of:
receiving a request for checking the log file by a user in a user space;
and outputting the log file to a user based on the viewing request.
In this alternative implementation manner, the log file may be stored in the user space, and the user may request to view the log file in the user space through a viewing interface provided by the security monitoring system, and after the viewing interface receives the request of the user, the log file may be output to the user by calling the file system interface, for example, the log file may be opened and displayed on the display device of the user.
In an alternative implementation of this embodiment, the method further includes the steps of:
reading audit information in the audit buffer area in a user space;
and calling a file system interface to output the audit information in the audit buffer area to an audit file.
In this optional implementation, audit information from the user space and the kernel space is recorded in an audit buffer created in user space. After the security monitoring system starts it may launch an audit read thread, which writes the audit information from the audit buffer into the audit file when the buffer is full or at regular intervals. Writing the audit file takes place in user space: the audit read thread calls a file system interface to copy the audit information from the audit buffer into the audit file. In other embodiments, the audit read thread may call the file system interface to output the audit information in the audit buffer directly to the console, where it is stored on the console's storage device and/or shown on its display for the relevant personnel.
In an alternative implementation of this embodiment, the method further includes the steps of:
receiving a request for checking the audit file in a user space by a user;
and outputting an audit report to a user based on the audit information in the audit file.
In this optional implementation, after the audit information has been written into the audit file and the authorized user views that file, the audit information can be compiled into an audit report based on preconfigured audit rules and output to that user. The security monitoring system can also provide a viewing interface for the audit file; after receiving a user's request, the interface outputs the audit report only if the current user is authorized.
In an alternative implementation of this embodiment, the method further includes the steps of:
setting an audit buffer chain table in a user space; the audit buffer list is used for storing pointers pointing to the audit buffer;
invoking a file system interface to output the audit information in the audit buffer area to an audit file, including:
after the number of pointers in the audit buffer list exceeds a preset threshold, calling a file system interface to output audit information in the audit buffer to the audit file in a user space based on the pointers in the audit buffer list;
And deleting the corresponding pointer in the audit buffer list.
In this alternative implementation, during the initialization of the security monitoring system, an audit buffer list may be created in user space, where pointers to audit buffers are stored. That is, multiple audit buffers may be created in user space and pointers for each audit buffer may be stored in an audit buffer linked list. The number of pointers of the audit buffer which can be stored at most in the audit buffer chain table can be preset, and the maximum number is represented by a preset threshold value. After the number of pointers in the audit buffer list exceeds the preset threshold, a process for writing the audit information in the audit buffer into the audit file can be started, the process writes the audit information in the audit buffer pointed by the pointers stored in the audit buffer list into the audit file, and the pointers of the audit buffer where the audit information is successfully written into the audit file can be deleted from the audit buffer list.
In an alternative implementation of this embodiment, the audit buffer and/or log buffer of the user space employs a double buffer mode.
In this optional implementation, in order to reduce the number of system calls and thus the time the operating system spends switching between user state and kernel state, the embodiment maintains an audit buffer and a log buffer in user space. Log information and audit information are written into the log buffer and the audit buffer respectively in a uniform format, and a log read thread and an audit read thread in user space are responsible for monitoring and reading the log buffer and the audit buffer and writing their contents into the log file and the audit file. The log output thread writes kernel log information into the log buffer of the user space, and the audit output thread writes kernel-state audit information into the audit buffer of the user space.
The buffers exist mainly to absorb the mismatch between the rate at which log or audit information is generated and the rate at which it is read out. In the scenario of this embodiment, however, reading and writing a buffer also raises concurrency problems between the reader and writer threads. For this reason, the embodiment designs the log buffer and audit buffer of the user space in a double buffer mode.
An array is a one-dimensional contiguous linear structure in physical storage: allocating it once avoids frequent memory allocation and release, and access is fast, so the embodiment uses double buffers in array form.
As shown in FIG. 2, the audit buffer is implemented as two buffers Buff_1 and Buff_2. Buff_1 is used by the current write thread, the audit output thread, to store audit information; when audit buffer Buff_1 is full, a swap is triggered that exchanges Buff_1 and Buff_2, after which the read thread, the audit read thread, reads data from Buff_2 and writes it into the audit file. Similarly, the log buffer can be implemented as two buffers Buff_1 and Buff_2: Buff_1 is used by the current write thread, the log output thread, to store log information; when log buffer Buff_1 is full, a swap is triggered that exchanges log buffer Buff_1 and log buffer Buff_2, after which the read thread, the log read thread, reads data from Buff_2 and writes it into the log file.
In an optional implementation manner of this embodiment, in the double-buffer mode of the audit buffer, after the first audit buffer where audit information is currently written is full, addresses of the first audit buffer and the second audit buffer are exchanged, so that a buffer pointer of the audit output thread in a kernel mode for writing audit information is switched from the address of the first audit buffer to the address of the second audit buffer in the user space, and a buffer pointer of the audit read thread for reading audit information is directed to the address of the first audit buffer.
In this alternative implementation, if the two audit buffers were exchanged by copying their contents, each would have to be locked and the copy would hold the locks for a long time, hurting overall performance. Therefore the embodiment exchanges the addresses of the two audit buffers directly: the pointer the audit output thread uses for writing, previously pointing at Buff_1, is made to point at Buff_2, and the pointer the audit read thread uses for reading, previously pointing at Buff_2, is made to point at Buff_1; subsequent reads and writes then proceed. This achieves the buffer exchange while only pointers change inside the critical section, so it executes quickly. The double buffer design only needs to guarantee that one buffer is writable and one readable at any time, so when the audit output thread in kernel mode writes into its buffer it is not blocked by the slower execution in user mode, which improves kernel-mode processing efficiency.
In the embodiment of the disclosure, no single large buffer is needed; instead a double buffer in array form is set up, the buffers used for reading and writing are separated into two, and thread blocking caused by long lock hold times on one shared buffer is avoided. At the same time, the array-form buffers are allocated once, so frequent memory allocation and release are avoided.
In an alternative implementation of this embodiment, in the double buffer mode of the log buffer, after the first log buffer that log information is written into is full, the addresses of the first log buffer and the second log buffer are exchanged, so that the buffer pointer of the log output thread in kernel mode switches from the address of the first log buffer to the address of the second log buffer in user space, and the buffer pointer of the log read thread that reads log information points to the address of the first log buffer.
In this alternative implementation, if the two log buffers were exchanged by copying their contents, each would have to be locked and the copy would hold the locks for a long time, hurting overall performance. Therefore the embodiment exchanges the addresses of the two log buffers directly: the pointer the log output thread uses for writing, previously pointing at Buff_1, is made to point at Buff_2, and the pointer the log read thread uses for reading, previously pointing at Buff_2, is made to point at Buff_1; subsequent reads and writes then proceed. This achieves the buffer exchange while only pointers change inside the critical section, so it executes quickly. The double buffer design only needs to guarantee that one buffer is writable and one readable at any time, so when the log output thread in kernel mode writes into its buffer it is not blocked by the slower execution in user mode, which improves kernel-mode processing efficiency.
In addition, a semaphore mechanism can be used to handle the synchronisation and mutual exclusion that arise when multiple threads access a buffer: read and write operations on the same buffer are made mutually exclusive, and after a buffer exchange completes the read thread is notified to start reading.
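The pointer-swap double buffer described above, as an added example in C that is not the patent's code. It serves both the audit buffer and the log buffer, since the page gives them the same design: two fixed arrays allocated once, a writer that fills one, a swap of the two pointers inside the critical section when it is full, and a reader that drains the other. A C11 atomic_flag spinlock stands in for the page's semaphore, the record size and capacity are this example's choices, and the policy of dropping a record (with a counter) rather than blocking the kernel-side writer when the reader has not yet drained its buffer is an assumption of this example, chosen to match the page's requirement that the kernel-mode thread never waits on user mode.

```c
/* Added example (not the patent's code): array-backed double buffer with
 * pointer swap. Records are constructed strings; no real kernel is involved. */
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 4                 /* records per buffer, small to force swaps */
#define REC_LEN 48

struct buf {
    char rec[BUF_CAP][REC_LEN];
    int  n;                       /* records stored */
};

struct dbuf {
    struct buf a, b;              /* both arrays allocated once, never copied */
    struct buf *wr;               /* writer's buffer (Buff_1 role) */
    struct buf *rd;               /* reader's buffer (Buff_2 role) */
    atomic_flag lock;             /* protects wr, rd and ready; stands in for the semaphore */
    int ready;                    /* 1 from a swap until the reader has drained rd */
    unsigned long dropped;        /* records lost because rd was still unread (assumed policy) */
};

static void dbuf_lock(struct dbuf *d)   { while (atomic_flag_test_and_set(&d->lock)) { } }
static void dbuf_unlock(struct dbuf *d) { atomic_flag_clear(&d->lock); }

void dbuf_init(struct dbuf *d)
{
    memset(d, 0, sizeof *d);
    d->wr = &d->a;
    d->rd = &d->b;
    atomic_flag_clear(&d->lock);
}

/* Writer side (the kernel-side output thread in the page). Returns 1 if the
 * record triggered a pointer swap, 0 if it was simply stored, -1 if it was
 * dropped because the reader has not yet drained the other buffer. */
int dbuf_write(struct dbuf *d, const char *record)
{
    int swapped = 0;
    dbuf_lock(d);
    if (d->wr->n == BUF_CAP) {
        if (d->ready) { d->dropped++; dbuf_unlock(d); return -1; }   /* never block the writer */
        struct buf *t = d->wr; d->wr = d->rd; d->rd = t;               /* swap pointers only */
        d->ready = 1;                                                  /* "notify" the reader */
        swapped = 1;
    }
    strncpy(d->wr->rec[d->wr->n], record, REC_LEN - 1);
    d->wr->rec[d->wr->n][REC_LEN - 1] = '\0';
    d->wr->n++;
    dbuf_unlock(d);
    return swapped;
}

/* Reader side (the user-space read thread). Writes the handed-over buffer to
 * `sink` (stand-in for the file) and returns the number of records drained. */
int dbuf_drain(struct dbuf *d, FILE *sink)
{
    dbuf_lock(d);
    if (!d->ready) { dbuf_unlock(d); return 0; }
    struct buf *b = d->rd;        /* the writer leaves rd alone while ready == 1 */
    dbuf_unlock(d);
    for (int i = 0; i < b->n; i++) fprintf(sink, "%s\n", b->rec[i]);
    dbuf_lock(d);
    int n = b->n;
    b->n = 0;                     /* empty, so it can be swapped back in */
    d->ready = 0;
    dbuf_unlock(d);
    return n;
}

/* Shutdown: drain anything handed over, then the partially filled writer buffer. */
int dbuf_close(struct dbuf *d, FILE *sink)
{
    int n = dbuf_drain(d, sink);
    for (int i = 0; i < d->wr->n; i++) fprintf(sink, "%s\n", d->wr->rec[i]);
    n += d->wr->n;
    d->wr->n = 0;
    return n;
}

/* Driver: emit `total` constructed records. With keep_up != 0 the reader
 * drains after every swap; with 0 it never runs, showing the failure mode.
 * Returns records delivered to the sink; g_dropped reports the losses. */
unsigned long g_dropped;

int dbuf_demo(int total, int keep_up)
{
    struct dbuf d;
    dbuf_init(&d);
    FILE *sink = tmpfile();
    int own = sink != NULL;
    if (!sink) sink = stderr;
    int delivered = 0;
    char rec[REC_LEN];
    for (int i = 0; i < total; i++) {
        snprintf(rec, sizeof rec, "serial=%d syscall=exit ok=0", i);   /* constructed record */
        if (dbuf_write(&d, rec) == 1 && keep_up) delivered += dbuf_drain(&d, sink);
    }
    delivered += dbuf_close(&d, sink);
    if (own) fclose(sink);
    g_dropped = d.dropped;
    return delivered;
}

int main(void)
{
    printf("reader keeps up: %d of 10 delivered, %lu dropped\n", dbuf_demo(10, 1), g_dropped);
    printf("reader never runs: %d of 10 delivered, %lu dropped\n", dbuf_demo(10, 0), g_dropped);
    return 0;
}
```

The swap in dbuf_write touches only two pointers and a flag under the lock; the contents are never copied, which is the point the page makes. The second run of the driver shows what the design does not solve by itself: if the user-space reader never drains, the writer either blocks or loses records, so the ready flag and the drop counter (or, in the page, the semaphore wake-up of the reader) are what keep the kernel-mode thread from stalling.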
In an alternative implementation of this embodiment, the method further includes the steps of:
establishing an idle audit buffer area;
storing a pointer pointing to the idle audit buffer in an idle audit buffer list;
outputting the entry audit information and the exit audit information in the audit context structure from the kernel space to an audit buffer of a user space when exiting the system call interface, comprising:
requesting an idle audit buffer from the idle audit buffer list;
and writing audit information in the audit context structure into the idle audit buffer area.
In this alternative implementation, the security monitoring system may pre-establish a plurality of idle audit buffers during initialization, and store pointers of the idle audit buffers in the idle audit buffer list. When the system call interface of the kernel space exits, and audit information in an audit context structure of an execution object for calling the system call interface is required to be output from the kernel space to the user space, an audit output thread can request an idle audit buffer from the idle audit buffer linked list, and audit information in the audit context structure is written into the idle audit buffer.
It should be noted that after the corresponding audit output thread has taken the pointer of an audit buffer out of the idle audit buffer list and written audit information into that buffer, the pointer is placed in the non-idle audit buffer list, and the entry pointing to that audit buffer in the idle audit buffer list is deleted.
In an alternative implementation of this embodiment, the method further includes the steps of:
reallocating the audit buffer when no audit buffer is idle in the idle audit buffer list;
and writing the audit information in the audit context structure into the redistributed audit buffer area.
In this alternative implementation manner, the audit output thread may write the created pointer of the idle audit buffer into the audit buffer list, and when the audit buffer is requested by the execution object in the kernel space, the audit output thread may also find the idle audit buffer from the audit buffer list, and write the audit information in the audit context structure of the execution object into the idle audit buffer.
If the audit buffer list has no pointer pointing to the idle audit buffer, the audit output thread can allocate a new audit buffer for the current execution object again, and the corresponding audit output thread writes the audit information in the audit context structure of the execution object into the new audit buffer.
In an alternative implementation of this embodiment, the method further includes the steps of:
after the content in the audit file exceeds the preset storage capacity, a new audit file is established;
and deleting one or more audit files which are established first according to the time sequence after the number of the audit files exceeds the preset number.
In this alternative implementation, the audit information may be written to the audit file by the audit read thread periodically or after the audit buffer is full. The audit files are stored in the user space, the storage capacity of the audit files can be preset when the security monitoring system is initialized, after the size of audit information stored in one audit file exceeds the preset storage capacity, a file establishment thread started after the security monitoring system operates can establish a new audit file, and subsequent audit information can be written into the new audit file.
In some embodiments, when the number of audit files is excessive, for example, more than a preset number, the file deletion thread started after the operation of the security monitoring system deletes one or more audit files which are established first according to the time sequence established by the audit files, and keeps a plurality of audit files which are established more recently.
FIGS. 3(a)-3(c) illustrate one implementation of the log system and audit system included in the security monitoring system of a microkernel operating system according to an embodiment of the present disclosure. As shown in FIG. 3(a), the log system maintains a log buffer in user space, log information is written into it in a uniform format, and a klogd thread in the log system is responsible for monitoring the log buffer, obtaining the log information and writing it into a log file. In kernel space, the log output thread printk writes kernel-space messages into the log buffer.
The log information may be recorded according to an operating system security technical standard, where the standard defines that the events to be recorded in the log part include: running records of the system, alarm prompt records, operation log records, user behavior records, application software running logs, configuration information modification records and the like.
As shown in FIG. 3(b), the log protocol format adopted in the embodiment of the present disclosure is the syslog protocol standard. The first part, PRI, is the priority, which combines the facility (the program module that produced the log) and the severity level of the message. The priority starts with the character "<", followed by a 1- to 3-digit number, and ends with ">"; the number is calculated from the facility of the log and the severity level of the message. In some embodiments, the priority value equals the facility code multiplied by 8, plus the severity level number.
The second part HEADER is the message HEADER of the log, which consists of the timestamp, the ip address of the device or the hostname. The timestamp immediately follows ">", with a space between the timestamp and the device ip address or hostname.
The third part MSG is log information, which is a part requiring log recording, i.e. log description information, and is generally divided into two fields. One of the fields is used for representing the name of a program or a thread generated by the message, and the set length is within 32 characters; another field is used to record detailed description information. The two fields are divided by "[", ":", or space.
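A parser for the three-part line format just described (PRI, HEADER, MSG), as an added example that is not code from the patent. It checks the PRI bounds (1 to 3 digits, value at most 191), takes the 15-character timestamp and the hostname from the HEADER, splits the MSG into a tag of at most 32 characters and the detail text, and rejects malformed lines instead of trusting them, which matters for a log reader that will be fed by every thread in the system. The struct, function names and the sample lines are this example's own constructions.

```c
/* Added example (not the patent's code): syslog-style line parser for the
 * "<PRI>Mmm dd hh:mm:ss host TAG: detail" format. Sample lines are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAG_MAX 32                  /* the page bounds the tag at 32 characters */

struct syslog_msg {
    int  facility;                  /* PRI / 8 */
    int  severity;                  /* PRI % 8 */
    char timestamp[16];             /* "Mmm dd hh:mm:ss", always 15 characters */
    char host[64];                  /* device hostname or IP address */
    char tag[TAG_MAX + 1];          /* producing program or thread name */
    char text[256];                 /* detailed description */
};

/* Constructed sample lines, not taken from any real system. */
const char *SAMPLE_OK  = "<13>Jan  5 09:12:01 mk-node1 auditd[42]: rule added";
const char *SAMPLE_BAD = "Jan  5 09:12:01 mk-node1 auditd: missing PRI";

/* PRI as the page defines it: facility code * 8 + severity level. */
int syslog_pri(int facility, int severity)
{
    return facility * 8 + severity;
}

/* Parse one line into *out. Returns 0 on success, -1 if the line does not
 * follow the format; a malformed line must never crash the log reader. */
int syslog_parse(const char *line, struct syslog_msg *out)
{
    memset(out, 0, sizeof *out);
    if (line[0] != '<') return -1;

    /* PRI: 1-3 digits between '<' and '>', value 0..191 (24 facilities x 8 levels). */
    const char *p = line + 1;
    if (!isdigit((unsigned char)*p)) return -1;
    char *end;
    long pri = strtol(p, &end, 10);
    if (end - p > 3 || *end != '>' || pri > 191) return -1;
    out->facility = (int)(pri / 8);
    out->severity = (int)(pri % 8);
    p = end + 1;

    /* HEADER: 15-character timestamp, a space, then the hostname up to a space. */
    if (strlen(p) < 17 || p[15] != ' ') return -1;
    memcpy(out->timestamp, p, 15);
    p += 16;
    const char *sp = strchr(p, ' ');
    if (!sp || sp == p || (size_t)(sp - p) >= sizeof out->host) return -1;
    memcpy(out->host, p, (size_t)(sp - p));
    p = sp + 1;

    /* MSG: tag terminated by '[', ':' or space, then the detail text. */
    size_t n = strcspn(p, "[: ");
    if (n == 0 || n > TAG_MAX) return -1;
    memcpy(out->tag, p, n);
    p += n;
    if (*p == '[') {                          /* optional "[pid]" after the tag */
        const char *rb = strchr(p, ']');
        if (!rb) return -1;
        p = rb + 1;
    }
    if (*p == ':') p++;
    while (isspace((unsigned char)*p)) p++;
    strncpy(out->text, p, sizeof out->text - 1);
    return 0;
}

struct syslog_msg g_msg;            /* scratch result for the stand-alone run */

int main(void)
{
    if (syslog_parse(SAMPLE_OK, &g_msg) == 0)
        printf("facility=%d severity=%d time=\"%s\" host=%s tag=%s text=\"%s\"\n",
               g_msg.facility, g_msg.severity, g_msg.timestamp, g_msg.host, g_msg.tag, g_msg.text);
    printf("malformed line rejected: %s\n", syslog_parse(SAMPLE_BAD, &g_msg) == -1 ? "yes" : "no");
    return 0;
}
```

For the constructed line the PRI 13 decodes to facility 1 and severity 5, the tag is "auditd" with the "[42]" process id skipped, and the detail is "rule added". Every field copy is bounded by the destination size and the result struct is zeroed first, so a line with an over-long host or tag is rejected rather than truncated silently.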
As shown in FIG. 3(c), in the audit system an auditd thread in user space reads the audit information from the audit buffer and writes it into the audit file. The audit system of this embodiment is described below in terms of audit events, audit information filtering, audit buffer settings and audit commands.
1. Auditing events
The audit event is the minimum unit of system audit user action, and the collection of audit event refers to the establishment of audit event under a certain security level audit standard. From the perspective of the subject, the system needs to record all activities performed by the user, and from the perspective of the object, the system needs to record all access activities of an object. Audit events can be largely divided into system call class events and user trusted events, for which the present disclosure makes the following designs:
For system call class events, the subject may be a thread; an audit context structure pointer audit_context is added to the thread structure to record the audit information of the thread's context. From the moment a thread enters a system call until it exits, the audit context structure records the data of the system call entry and exit, such as parameters, call number, success/failure indication and the return result of the system call.
In some embodiments, the audit system adds audit functions at the entry and exit of the system call interface (an entry function audit_syscall_entry and an exit function audit_syscall_exit), writes the audit information at entry and exit into the audit context structure, and writes the audit information into the buffer when the system call exits. After the audit information has been written out, the audit context can be emptied.
If the audit context structure is created and its state set when the thread is created, the audit context is filled at the entry of the system call interface: the entry function audit_syscall_entry records the entry audit information into the thread's audit context structure, and the exit function audit_syscall_exit writes the exit audit information into it. The information in the audit context structure is finally written to the audit buffer by the audit output thread.
2. Filtering audit messages.
The authorized user can set the event types to be filtered through an auditctl command designed in the audit system, that is, configure the audit configuration information; the rules for events (mainly type information) that are not to be examined are put into a rule linked list. The audit system may provide a filter function audit_filter_type(int type), whose parameter is an event type, for the different rule linked lists; the audit system outputs the related audit information only when the filter check passes and returns true. That is, when the current system call event type matches the audit configuration information, the audit system outputs the related audit information.
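The audit context, the entry and exit hooks and the filter check described in the two passages above (and the audit context structure listed earlier on this page), as an added example in C that is not the patent's code. The function names follow the page (audit_syscall_entry, audit_syscall_exit, audit_filter_type); the rule table in place of the page's rule linked list, the record format, the system call numbers and the simulated call with constructed arguments are this example's own assumptions, and the formatted string stands in for the hand-off to the user-space audit buffer.

```c
/* Added example (not the patent's code): per-thread audit context filled at
 * system-call entry and exit, gated by a rule check. No real kernel involved. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

enum audit_state { AUDIT_DISABLED = 0, AUDIT_BUILD_CONTEXT, AUDIT_RECORD_CONTEXT };

struct audit_context {
    enum audit_state state;     /* audit state */
    unsigned int serial;        /* record serial number */
    struct timespec ctime;      /* system call entry time */
    int major;                  /* system call number */
    unsigned long argv[4];      /* system call parameters */
    long return_code;           /* system call return code */
    int auditable;              /* set once the record has been written out */
};

/* Audit configuration: system call numbers the authorized user asked to audit.
 * The page keeps the rules in a linked list; a small array suffices here. */
#define MAX_RULES 16
static int rule_list[MAX_RULES];
static int rule_count;
static unsigned int next_serial;

int audit_rule_add(int syscall_nr)
{
    if (rule_count >= MAX_RULES) return -1;
    rule_list[rule_count++] = syscall_nr;
    return 0;
}

void audit_rules_clear(void) { rule_count = 0; }

/* Filter check: 1 when the event type matches a configured rule, else 0. */
int audit_filter_type(int type)
{
    for (int i = 0; i < rule_count; i++)
        if (rule_list[i] == type) return 1;
    return 0;
}

/* Entry hook: fill the context only for audited call types; everything else
 * is marked disabled so the exit hook does no work for it. */
void audit_syscall_entry(struct audit_context *ctx, int major, const unsigned long args[4])
{
    memset(ctx, 0, sizeof *ctx);
    if (!audit_filter_type(major)) { ctx->state = AUDIT_DISABLED; return; }
    ctx->state = AUDIT_BUILD_CONTEXT;
    ctx->serial = ++next_serial;
    clock_gettime(CLOCK_REALTIME, &ctx->ctime);
    ctx->major = major;
    memcpy(ctx->argv, args, sizeof ctx->argv);
}

/* Exit hook: add the return code, format one record into `out` (stand-in for
 * the user-space audit buffer), mark it written and empty the context.
 * Returns 1 if a record was produced, 0 if the call was not audited. */
int audit_syscall_exit(struct audit_context *ctx, long retval, char *out, size_t outlen)
{
    if (ctx->state == AUDIT_DISABLED) return 0;
    ctx->return_code = retval;
    ctx->state = AUDIT_RECORD_CONTEXT;
    snprintf(out, outlen,
             "serial=%u time=%ld.%09ld syscall=%d a0=0x%lx a1=0x%lx a2=0x%lx a3=0x%lx %s=%ld",
             ctx->serial, (long)ctx->ctime.tv_sec, (long)ctx->ctime.tv_nsec, ctx->major,
             ctx->argv[0], ctx->argv[1], ctx->argv[2], ctx->argv[3],
             retval < 0 ? "fail" : "ok", retval);
    ctx->auditable = 1;                  /* record handed over */
    memset(ctx, 0, sizeof *ctx);         /* empty the context for the next call */
    return 1;
}

/* Simulated thread: one system call with constructed arguments (hypothetical
 * call numbering). The last record produced is kept in g_last_record. */
static struct audit_context g_ctx;
char g_last_record[256];

int simulate_call(int syscall_nr, long retval)
{
    const unsigned long args[4] = { 0x7ffd0000UL, 0x1UL, 0x180UL, 0x0UL };   /* constructed */
    g_last_record[0] = '\0';
    audit_syscall_entry(&g_ctx, syscall_nr, args);
    return audit_syscall_exit(&g_ctx, retval, g_last_record, sizeof g_last_record);
}

int main(void)
{
    audit_rule_add(2);                   /* audit call number 2 only */
    if (simulate_call(2, -13)) printf("audited: %s\n", g_last_record);
    if (!simulate_call(1, 0))  printf("call 1 not audited: no record produced\n");
    return 0;
}
```

The filter runs at entry, not at exit, so an unaudited call costs one table lookup and nothing else; the arguments are captured at entry because the callee may overwrite them, and the return code is the only thing added at exit. Clearing the whole context after the hand-off is what the page calls emptying the audit context.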
3. Buffer zone arrangement
The audit system sets up an audit buffer in user space and designs an audit buffer linked list to store pointers to the audit buffers that have been filled with audit information. When the number of buffers in the audit buffer linked list exceeds the upper limit, the current thread waits for the user-space thread to write the audit information into the audit log file until the number of buffers falls below the upper limit.
At the same time, an idle audit buffer linked list can be designed to store idle audit buffers. When an audit buffer is requested, the system checks whether the idle audit buffer list contains an idle buffer; if so, it is returned to the requester, otherwise a new audit buffer is allocated. When a requested audit buffer is released, the system checks whether the idle buffer list has reached its upper limit; if not, the buffer to be released is put into the idle buffer list, otherwise it is freed directly.
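The buffer bookkeeping described in the two passages above and in the earlier passages on the audit buffer list and the idle audit buffer list, as an added example in C that is not the patent's code: an idle list of reusable buffers, a FIFO of filled buffers that is written out once it exceeds a threshold, and a release path that either returns a buffer to the idle list or frees it when that list is already at its cap. The sizes, thresholds, the NULL sink that discards output and the statistics struct are this example's own assumptions.

```c
/* Added example (not the patent's code): idle list and filled list for audit
 * buffers, with flush threshold and bounded idle pool. Records are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_BUF_SIZE  256
#define IDLE_MAX        4        /* idle buffers kept; beyond this, free() */
#define FILLED_FLUSH_AT 3        /* flush once more than this many are filled */

struct audit_buf {
    struct audit_buf *next;
    size_t len;
    char data[AUDIT_BUF_SIZE];
};

struct audit_pool {
    struct audit_buf *idle;                 size_t idle_n;
    struct audit_buf *filled, *filled_tail; size_t filled_n;
    unsigned long allocs, frees, flushes, records_flushed;
};

void pool_init(struct audit_pool *p, size_t preallocate)
{
    memset(p, 0, sizeof *p);
    for (size_t i = 0; i < preallocate; i++) {
        struct audit_buf *b = calloc(1, sizeof *b);
        if (!b) break;
        p->allocs++;
        b->next = p->idle; p->idle = b; p->idle_n++;
    }
}

/* Request a buffer: reuse an idle one, otherwise allocate. NULL only on OOM. */
struct audit_buf *pool_get(struct audit_pool *p)
{
    struct audit_buf *b = p->idle;
    if (b) { p->idle = b->next; p->idle_n--; }
    else   { b = calloc(1, sizeof *b); if (!b) return NULL; p->allocs++; }
    b->next = NULL; b->len = 0;
    return b;
}

/* Release a buffer whose contents are on disk: keep it while the idle list is
 * under its cap, otherwise free it so idle memory stays bounded. */
void pool_put(struct audit_pool *p, struct audit_buf *b)
{
    if (p->idle_n < IDLE_MAX) { b->next = p->idle; p->idle = b; p->idle_n++; }
    else { free(b); p->frees++; }
}

/* Write every filled buffer, oldest first, to `sink` (NULL discards) and recycle it. */
void pool_flush(struct audit_pool *p, FILE *sink)
{
    while (p->filled) {
        struct audit_buf *b = p->filled;
        p->filled = b->next; p->filled_n--;
        if (sink) fwrite(b->data, 1, b->len, sink);
        p->records_flushed++;
        pool_put(p, b);
    }
    p->filled_tail = NULL;
    p->flushes++;
}

/* Audit output path: one record per buffer, queued FIFO so the file keeps
 * event order; flush when the filled list exceeds the threshold. -1 on OOM. */
int pool_submit(struct audit_pool *p, const char *record, FILE *sink)
{
    struct audit_buf *b = pool_get(p);
    if (!b) return -1;
    size_t len = strlen(record);
    if (len > AUDIT_BUF_SIZE - 1) len = AUDIT_BUF_SIZE - 1;
    memcpy(b->data, record, len);
    b->data[len] = '\n';
    b->len = len + 1;
    if (p->filled_tail) p->filled_tail->next = b; else p->filled = b;
    p->filled_tail = b; p->filled_n++;
    if (p->filled_n > FILLED_FLUSH_AT) pool_flush(p, sink);
    return 0;
}

void pool_destroy(struct audit_pool *p, FILE *sink)
{
    pool_flush(p, sink);
    while (p->idle) { struct audit_buf *b = p->idle; p->idle = b->next; free(b); p->frees++; }
    p->idle_n = 0;
}

struct pool_stats { unsigned long allocs, frees, flushes, records; };

/* Driver: preallocate one buffer more than IDLE_MAX so the free path in
 * pool_put is exercised, submit `records` constructed records, tear down. */
struct pool_stats pool_demo(int records)
{
    struct audit_pool p;
    char rec[64];
    pool_init(&p, IDLE_MAX + 1);
    for (int i = 0; i < records; i++) {
        snprintf(rec, sizeof rec, "serial=%d syscall=2 ok=0", i);
        pool_submit(&p, rec, NULL);
    }
    pool_destroy(&p, NULL);
    return (struct pool_stats){ p.allocs, p.frees, p.flushes, p.records_flushed };
}

int main(void)
{
    struct pool_stats s = pool_demo(10);
    printf("records=%lu flushes=%lu allocs=%lu frees=%lu\n", s.records, s.flushes, s.allocs, s.frees);
    return 0;
}
```

With ten records the driver flushes twice on the threshold and once at teardown, allocates five buffers and frees five, so the allocation count and the free count match; that equality is the check a practitioner wants on any pool like this, since a buffer that leaves the idle list without coming back is a leak that grows with audit volume.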
4. User management tool
In some embodiments, the user can start three management tools by invoking the corresponding commands, such as auditctl, ausearch and aureport, that is, configure and operate the audit system with these commands. The ausearch command queries the stored audit log according to different search rules; the aureport command generates summary reports of the audit log; the auditctl command sets audit rules and can read rules from the configuration file and add or delete rules when the system starts.
The user thread auditd in the audit system writes audit information that conforms to the rules and format from the audit buffer into the audit file.
In order to reduce the consumption of storage space, the method and the device realize the reduction of space overhead in the aspects of log generation, recording, cleaning and the like. The method is specifically characterized in that:
1. setting buffer area
The log system and the audit system are respectively provided with a log buffer area and an audit buffer area, and an audit buffer area linked list is arranged, so that the problem of unmatched speed of log data generation and file writing can be solved by introducing the buffer areas.
2. Reducing the frequency of recording the same event
Combining multiple identical events in one log entry while recording the number of events in a counter fashion reduces the overhead of logging when more events are combined in one log entry.
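One way to implement the merging of identical events with a repeat counter, as an added example in C (not the patent's code). Consecutive identical messages are accumulated in a pending entry; a different message, or an explicit flush, closes the entry. The example also keeps the sequence numbers of the first and last merged occurrence, a stand-in for timestamps, so an analyst can still see the span of a burst after merging; that field, the function names and the fixed sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LOG_MSG_LEN     160
#define LOG_MAX_ENTRIES 64

/* One stored entry: the message, how many times it repeated, and the
 * sequence numbers of the first and last occurrence (a stand-in for
 * timestamps) so the span of a burst is not lost when it is merged. */
struct log_entry {
    char msg[LOG_MSG_LEN];
    unsigned count;
    unsigned first_seq;
    unsigned last_seq;
};

static struct log_entry log_entries[LOG_MAX_ENTRIES];
static int log_total;
static struct log_entry pending;   /* the entry still open for merging; count 0 = none */
static unsigned log_seq;           /* monotonic event sequence number */

static void log_emit_pending(void)
{
    if (pending.count == 0)
        return;
    if (log_total < LOG_MAX_ENTRIES)
        log_entries[log_total++] = pending;
    pending.count = 0;
}

/* Record an event. Identical consecutive events are merged into the pending
 * entry; a different event closes it. Returns 1 if merged, 0 if a new entry
 * was opened. */
int log_event(const char *msg)
{
    log_seq++;
    if (pending.count && strcmp(pending.msg, msg) == 0) {
        pending.count++;
        pending.last_seq = log_seq;
        return 1;
    }
    log_emit_pending();
    snprintf(pending.msg, sizeof pending.msg, "%s", msg);
    pending.count = 1;
    pending.first_seq = pending.last_seq = log_seq;
    return 0;
}

/* Close the pending entry (call on shutdown or from a timer, so a quiet
 * system does not hold its last event back indefinitely). */
void log_flush(void)
{
    log_emit_pending();
}

int log_entry_count(void) { return log_total; }

unsigned log_entry_repeats(int i)
{
    return (i >= 0 && i < log_total) ? log_entries[i].count : 0;
}

/* Render entry i as it would be written to the log file. */
const char *log_entry_render(int i)
{
    static char line[LOG_MSG_LEN + 64];

    if (i < 0 || i >= log_total)
        return NULL;
    if (log_entries[i].count > 1)
        snprintf(line, sizeof line, "[%u-%u] %s (repeated %u times)",
                 log_entries[i].first_seq, log_entries[i].last_seq,
                 log_entries[i].msg, log_entries[i].count);
    else
        snprintf(line, sizeof line, "[%u] %s",
                 log_entries[i].first_seq, log_entries[i].msg);
    return line;
}
```

Only adjacent identical events are merged; the same failure interleaved with other events produces separate entries, which is the behaviour an investigator usually wants. The counter alone would hide when a burst started and ended, which is why the example keeps the first and last sequence numbers, and the periodic flush matters because a merged entry is otherwise written only when a different event arrives.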
3. Screening and filtering audit events
A tool for configuring the audit configuration information is provided in user space. An authorized user configures the events, formats and so on that need to be audited according to actual requirements, and the audit system provides the corresponding functions so that only the events the user actually requires to be audited are recorded, conditionally.
4. Rotating or periodically deleting files
When a log file or audit file reaches its size limit, a new log file or audit file is created and subsequent log or audit content is written to the new file; when the number of log files or audit files reaches a set threshold, some of the files are deleted in order of creation.
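The size- and count-based rotation policy above, modelled in memory as an added example in C (not the patent's code, and it does not touch a real file system). Each "file" is a creation-order id plus a size; a record that would push the current file past the size limit opens a new file, and whenever the file count exceeds the threshold the oldest files are deleted. The parameter names, the fixed model size and the helper functions are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define LOG_MAX_OPEN 32          /* bound on the in-memory model, not part of the policy */

/* Model of one log or audit file: creation order (id) and current size. */
struct log_file {
    unsigned id;
    size_t size;
};

static struct log_file files[LOG_MAX_OPEN];   /* kept oldest first */
static int file_count;
static unsigned next_file_id;
static size_t size_limit;        /* the "limit size" from the text */
static int count_threshold;      /* the "set threshold" from the text */
static unsigned deleted_files;

/* Reset the model with the two policy parameters. */
void log_rotation_configure(size_t limit, int threshold)
{
    file_count = 0;
    next_file_id = 1;
    deleted_files = 0;
    size_limit = limit;
    count_threshold = threshold > 0 ? threshold : 1;
    if (count_threshold > LOG_MAX_OPEN - 1)
        count_threshold = LOG_MAX_OPEN - 1;   /* keeps files[] from overflowing */
}

/* Delete the oldest files until the count is within the threshold. */
static void log_trim_oldest(void)
{
    while (file_count > count_threshold) {
        memmove(&files[0], &files[1], (size_t)(file_count - 1) * sizeof files[0]);
        file_count--;
        deleted_files++;
    }
}

static void log_open_new_file(void)
{
    files[file_count].id = next_file_id++;
    files[file_count].size = 0;
    file_count++;
    log_trim_oldest();
}

/* Append a record of the given size, rotating when the current file would
 * exceed the size limit. A record larger than the limit gets a file of its
 * own. Returns the id of the file the record went to. */
unsigned log_append(size_t bytes)
{
    if (file_count == 0 || files[file_count - 1].size + bytes > size_limit)
        log_open_new_file();
    files[file_count - 1].size += bytes;
    return files[file_count - 1].id;
}

int log_file_count(void)             { return file_count; }
unsigned log_oldest_file_id(void)    { return file_count ? files[0].id : 0; }
unsigned log_deleted_file_count(void){ return deleted_files; }
```

The caveat a practitioner would add to this policy: deleting by creation order means a flood of uninteresting events can age out the records that matter, so audit files should be copied off the device (or their hashes recorded) before the threshold lets them be removed.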
According to the embodiment of the disclosure, a security monitoring system based on a microkernel operating system is designed and implemented; it records and analyzes the runtime information of the operating system to ensure its security. At present, few microkernel operating systems have a well-developed security audit module. The security monitoring system here, which conforms to operating system security standards and is based on a microkernel operating system, designs and implements such a module, so that the running state and information of the operating system can be recorded in real time and feedback given to the administrator on the basis of the log records, ensuring the security and reliability of the operating system. In addition, on the basis of complete log information, the running state of the system and user behavior are monitored and potential hazards pointed out, while space consumption is kept as low as possible.
The following are device embodiments of the present disclosure that may be used to perform method embodiments of the present disclosure.
FIG. 4 illustrates a block diagram of a security monitoring device based on a microkernel operating system according to an embodiment of the present disclosure. The device may be implemented as part or all of an electronic device by software, hardware, or a combination of both. As shown in FIG. 4, the security monitoring device based on the microkernel operating system includes:
a response module 401, configured to respond to a call request from an execution object of the user space to a system call interface in the microkernel operating system, and to match the system call event type corresponding to the call request against the audit configuration information pre-configured in the kernel space;
a recording module 402, configured to record, when the system call event type matches the audit configuration information, entry audit information in an audit context structure of the execution object when the system call interface enters kernel-space operation, and to record exit audit information in the same audit context structure when the system call interface exits;
a first output module 403, configured to output the entry and exit audit information in the audit context structure from the kernel space to an audit buffer of the user space when the system call interface exits.
In this embodiment the kernel part is simplified as far as possible, as is usual for microkernel operating systems. The kernel contains only the most basic mechanisms needed to implement operating system services, such as inter-process communication (IPC), address space management and scheduling; devices, file systems, communication between applications and the like are implemented by user-mode service programs at the service level. When an ordinary application needs an operating system service, it initiates inter-process communication to the corresponding service program; the service program performs the related operation, entering kernel mode through the system call interface provided by the kernel where necessary to complete basic operations, and feeds the result back to the application through inter-process communication.
According to the embodiment of the disclosure, the application scenario is first taken to be a microkernel operating system: a security monitoring system is added to the microkernel architecture, the kernel part is kept as simple as possible, and the functions of the security monitoring system are implemented as user-space service programs.
The security monitoring system in the embodiment of the disclosure comprises at least an audit system. The audit system is used for security tracking; its design aims to keep the kernel as small as possible, so the related audit services are designed in user space.
An audit event is the minimum unit in which the system audits user actions, and the collection of audit events refers to the set of audit events established under a given security-level audit standard. From the subject's perspective the system must record all activities performed by a user; from the object's perspective it must record all accesses to an object.
Audit events can be broadly divided into system call class events and user trusted events, for which embodiments of the present disclosure are designed as follows:
The subject of a system call class event is a thread. A system call class event can be understood as a call by an execution object of the user space, such as a thread, to a system call interface provided by the microkernel operating system. Therefore, in the embodiment of the disclosure, after a system call event is detected, that is, a call request from a user-space execution object to a system call interface, the security monitoring system collects audit information for that event through the audit system designed for system call events and outputs it to a log file in user space, so that an authorized user can later audit the use of the microkernel operating system on the basis of that file.
According to the embodiment of the disclosure, a management tool for configuring the audit configuration information can be provided to authorized users in user space. The tool provides an audit information configuration interface or a command input interface through which authorized users configure the audit rules, the output format of the audit information and so on. The audit configuration information configured by the authorized user can be stored in a corresponding storage file for later reading by the security monitoring system.
In the embodiment of the disclosure the security monitoring system is implemented in software; after it starts, one or more detection threads can be started in user space to detect system call class events. After detecting a system call event, the detection threads match the type of the event against the rules set in the audit configuration information in the storage file. If the detected event concerns content that the authorized user has pre-configured for auditing, that is, if the type of the current system call event matches the pre-configured audit configuration information, then the entry audit information recorded when the called system call interface enters kernel-mode operation is written into the audit context structure corresponding to the execution object, and the exit audit information recorded when the system call interface finishes executing and exits is also written into that audit context structure.
The audit context structure can be defined in the source code of the execution object and is created when the execution object is created after the security monitoring system is running. When the system call interface exits, one or more information output threads started with the security monitoring system output the entry audit information and exit audit information in the context structure from the kernel space to an audit buffer in user space. The audit context structure may then be cleared.
In some embodiments, the audit context structure may be as follows:
struct audit_context {
    enum audit_state state;     // audit state
    unsigned int serial;        // serial number of the record
    struct timespec ctime;      // time the system call entered the kernel
    int major;                  // system call number
    unsigned long argv[4];      // system call parameters
    long return_code;           // system call return code
    int auditable;              // flag: has the record been written to the audit buffer
    ...
};
The entry audit information and exit audit information are defined by the audit context structure, that is, the structure defines what the entry audit information and the exit audit information each contain. As shown above, the entry audit information may include, but is not limited to, the audit state, the serial number, the system call entry time, the system call number and the system call parameters in the audit context structure; the exit audit information may include, but is not limited to, the system call return code and the flag indicating whether the content of the audit context structure has been output to an audit buffer. In some embodiments, an audit buffer in user space may be created when the security monitoring system is initialized, and read and write operations on it are performed by read and write threads started at initialization.
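The entry and exit hooks around the audit context structure above, written out in C as an added example (not the patent's code). The entry hook fills the entry fields only when the system call number matches the configured rules, the exit hook adds the return code and emits one record to a user-space buffer, and the flag field records that the hand-off happened. The rule check is a bitmask over system call numbers standing in for the rule list in the configuration file, the buffer is a fixed array of text records, and the function names and record format are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

enum audit_state { AUDIT_DISABLED = 0, AUDIT_BUILD_CONTEXT, AUDIT_RECORD_CONTEXT };

/* The audit context structure from the text, with the elided fields left out. */
struct audit_context {
    enum audit_state state;
    unsigned int serial;
    struct timespec ctime;
    int major;
    unsigned long argv[4];
    long return_code;
    int auditable;
};

/* Stand-in for the configured audit rules: one bit per system call number,
 * 64 numbers at most (assumption; the text describes a rule list in a file). */
static unsigned long long audit_syscall_mask;

void audit_enable_syscall(int nr)
{
    if (nr >= 0 && nr < 64)
        audit_syscall_mask |= 1ULL << nr;
}

static int audit_should_record(int nr)
{
    return nr >= 0 && nr < 64 && ((audit_syscall_mask >> nr) & 1);
}

/* User-space audit buffer stand-in: a fixed number of text records. */
#define AUDIT_REC_LEN   160
#define AUDIT_BUF_RECS  16
static char audit_buf[AUDIT_BUF_RECS][AUDIT_REC_LEN];
static int audit_buf_count;
static unsigned int audit_serial_seq;

int audit_buffer_count(void) { return audit_buf_count; }

const char *audit_buffer_record(int i)
{
    return (i >= 0 && i < audit_buf_count) ? audit_buf[i] : NULL;
}

/* Entry hook: fill the entry audit information if the event type matches. */
void audit_syscall_entry(struct audit_context *ctx, int major, const unsigned long argv[4])
{
    memset(ctx, 0, sizeof *ctx);
    if (!audit_should_record(major)) {
        ctx->state = AUDIT_DISABLED;        /* not matched: the call only takes the log path */
        return;
    }
    ctx->state = AUDIT_BUILD_CONTEXT;
    ctx->serial = ++audit_serial_seq;
    timespec_get(&ctx->ctime, TIME_UTC);    /* C11; the entry time of the call */
    ctx->major = major;
    memcpy(ctx->argv, argv, sizeof ctx->argv);
}

/* Exit hook: add the exit audit information and emit one record to the buffer.
 * Returns 1 if a record was emitted, 0 if the call was not audited, and -1 if
 * the buffer is full (the context is kept intact so the caller can retry). */
int audit_syscall_exit(struct audit_context *ctx, long return_code)
{
    if (ctx->state != AUDIT_BUILD_CONTEXT)
        return 0;
    ctx->return_code = return_code;
    ctx->state = AUDIT_RECORD_CONTEXT;
    if (audit_buf_count >= AUDIT_BUF_RECS)
        return -1;
    snprintf(audit_buf[audit_buf_count], AUDIT_REC_LEN,
             "serial=%u time=%lld.%09ld syscall=%d a0=%#lx a1=%#lx a2=%#lx a3=%#lx ret=%ld",
             ctx->serial, (long long)ctx->ctime.tv_sec, (long)ctx->ctime.tv_nsec, ctx->major,
             ctx->argv[0], ctx->argv[1], ctx->argv[2], ctx->argv[3], ctx->return_code);
    audit_buf_count++;
    ctx->auditable = 1;                     /* handed to the buffer; the context may now be cleared */
    return 1;
}

/* Drive one complete call through both hooks; returns the exit hook's result. */
int audit_trace_call(int major, unsigned long a0, unsigned long a1, long ret)
{
    struct audit_context ctx;
    unsigned long argv[4] = { a0, a1, 0, 0 };

    audit_syscall_entry(&ctx, major, argv);
    return audit_syscall_exit(&ctx, ret);
}
```

The ordering matters for an auditor: the serial number and entry time are fixed before the call runs, and the return code is the only field added on the way out, so a record whose exit part is missing identifies a call that never returned. The -1 path is where the buffer limits discussed later in the text come in; the example leaves the retry policy to the caller.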
The embodiment of the disclosure designs and implements a security monitoring scheme based on a microkernel operating system, and ensures the security of the operating system by recording and analyzing its runtime information. In the prior art there is no well-developed security audit scheme designed for microkernel operating systems; the embodiment of the disclosure designs and implements a security monitoring scheme that conforms to operating system security standards and is based on a microkernel operating system, and uses it to record the state and information of the operating system in real time while it runs. According to the embodiment of the disclosure, an audit rule configuration service is provided in user space; the authorized user configures the events, formats and so on to be audited as required, only the events configured by the authorized user are recorded, conditionally, while the kernel runs, and the operating system is monitored while the kernel is kept as small as possible.
In an alternative implementation of this embodiment, the apparatus further includes:
a first writing module, configured to write first kernel-state log information, generated by the system call interface while executing in kernel space, into a log buffer of the user space when the system call event type corresponding to the call request does not match the audit configuration information.
In this optional implementation, if the system call event type of the currently called system call interface does not match the audit configuration information previously configured by the authorized user, the content of the current system call is not audit information the authorized user is concerned with, so no audit information need be generated. For later viewing, however, the related log information may be written to the log buffer of the user space. In some embodiments it is written there by a log output thread started after the security monitoring system runs.
That is, when the security monitoring system is initialized, an audit buffer and a log buffer can be established in user space; for a system call class event in the microkernel operating system, if the authorized user has not configured audit information for that event type in advance, the log output thread still writes the first kernel-state log information related to the event into the log buffer. The first kernel-state log information may include, but is not limited to, the start time and end time of the system call event and any modifications made to the microkernel operating system while it runs. A dedicated log output thread can be provided in the microkernel operating system to write the logs of programs running in kernel space into the log buffer in user space.
In an alternative implementation of this embodiment, the apparatus further includes:
a second writing module, configured to write user-state log information generated by the user space into the log buffer; and/or
a third writing module, configured to write second kernel-state log information generated by the kernel space into the log buffer, the second kernel-state log information being generated in kernel space other than through a system call interface.
In this alternative implementation, user-state log information generated in user space may also be recorded in the log buffer, and second kernel-state log information generated in kernel space may also be written into it. To distinguish the log information generated by system call events from log information generated under other conditions in kernel space, the former is called first kernel-state log information and the latter second kernel-state log information. In some embodiments the first kernel-state log information is written to the log buffer by a log output thread created when the security monitoring system is initialized. The first and second kernel-state log information may be processed by the same log output thread or by different log output threads.
In some embodiments, the user-state log information of the user space may include, but is not limited to, the running logs of application software in user space and records of modifications to configuration information in user space; the first or second kernel-state log information may include, but is not limited to, running records of the microkernel operating system, alarm records in the microkernel operating system, records of user threads' operations on the microkernel operating system, and records of user thread behavior in the microkernel operating system.
The first and second kernel-state log information generated by the kernel space may be output from kernel space into the log buffer in user space by a dedicated log output thread. Log information generated by the user space may be written into the log buffer by the corresponding thread. In some embodiments, that thread is started after the security monitoring system runs.
In an alternative implementation of this embodiment, the apparatus further includes:
a first reading module, configured to read the log information in the log buffer in user space;
a first calling module, configured to call a file system interface to output the log information in the log buffer to a console or a log file.
In this alternative implementation, the log information is recorded in a log buffer established in user space. The security monitoring system may start a log reading thread after running; when the log buffer is full, or periodically, the log reading thread writes the log information in the buffer into the log file. Writing the log file is performed in user space: the log reading thread calls a file system interface to write the log information from the log buffer into the log file. In other embodiments, the log reading thread may also output the log information in the log buffer directly to the console by calling the file system interface, storing it on a console storage device and/or showing it on the console display for the relevant personnel to view.
In an alternative implementation of this embodiment, the apparatus further includes:
an acquisition module, configured to acquire user space audit information generated by the user space;
a matching module, configured to match the user space audit information against the audit configuration information;
a fourth writing module, configured to write the user space audit information into the audit buffer when it matches the audit configuration information.
In this optional implementation, the user space can also generate information the authorized user wants to audit. The authorized user can configure audit configuration information for user space in advance, specifying the event types and/or information types to be audited. After the user space generates user space audit information, an audit matching thread started after the security monitoring system runs matches it against the audit configuration information; if it matches, the thread writes it into the audit buffer, and if not, the information is not written into the audit buffer but into the log buffer.
In an alternative implementation of this embodiment, the apparatus further includes:
a first receiving module, configured to receive user configuration information input by a user in user space through a preset interface;
an updating module, configured to update the audit configuration information stored in user space based on the user configuration information.
In this alternative implementation, the authorized user may input user configuration information through an interface preset in user space; the user configuration information is used to update the audit configuration information stored in user space in advance. In this way the authorized user can pre-configure audit configuration information in user space and later edit it, for example by modification. After the security monitoring system runs, it provides an interface through which the user inputs user configuration information; the system receives the input and updates the received user configuration information into the configuration information storage file.
In an alternative implementation of this embodiment, the apparatus further includes:
a second receiving module, configured to receive a request from a user in user space to view the log file;
a second output module, configured to output the log file to the user based on the viewing request.
In this alternative implementation, the log file may be stored in user space, and the user may request to view it through a viewing interface provided by the security monitoring system. After the viewing interface receives the user's request, the log file may be output to the user by calling the file system interface, for example opened and displayed on the user's display device.
In an alternative implementation of this embodiment, the apparatus further includes:
a second reading module, configured to read the audit information in the audit buffer in user space;
a second calling module, configured to call a file system interface to output the audit information in the audit buffer to an audit file.
In this optional implementation, the audit information of the user space and the kernel space is recorded in an audit buffer established in user space. The security monitoring system may start an audit reading thread after running; when the audit buffer is full, or periodically, the audit reading thread writes the audit information in the buffer into the audit file. Writing the audit file is performed in user space: the audit reading thread calls a file system interface to write the audit information from the audit buffer into the audit file. In other embodiments, the audit reading thread may also output the audit information in the audit buffer directly to the console by calling the file system interface, storing it on a console storage device and/or showing it on the console display for the relevant personnel to view.
In an alternative implementation of this embodiment, the apparatus further includes:
a third receiving module, configured to receive a request from a user in user space to view the audit file;
a third output module, configured to output an audit report to the user based on the audit information in the audit file.
In this optional implementation, after the audit information is written into the audit file, when the authorized user views the audit file the audit information can be formed into an audit report based on the preconfigured audit rules and output to the authorized user. The security monitoring system can also provide a viewing interface for the audit file; after receiving the user's request, the interface outputs the audit report to the user provided the current user is authorized.
In an alternative implementation of this embodiment, the apparatus further includes:
a setting module, configured to set up an audit buffer linked list in user space, the audit buffer linked list being used to store pointers to the audit buffers;
the second calling module includes:
a calling sub-module, configured to call a file system interface in user space to output the audit information in the audit buffers to the audit file based on the pointers in the audit buffer linked list, once the number of pointers in the linked list exceeds a preset threshold;
a deleting sub-module, configured to delete the corresponding pointers from the audit buffer linked list.
In this alternative implementation, an audit buffer linked list may be created in user space during initialization of the security monitoring system to store pointers to audit buffers. That is, multiple audit buffers may be created in user space and the pointer to each stored in the audit buffer linked list. The maximum number of audit buffer pointers the linked list may hold can be preset, and is represented by a preset threshold. Once the number of pointers exceeds the threshold, a process that writes the audit information in the audit buffers into the audit file can be started; it writes the audit information in the buffers pointed to by the stored pointers into the audit file, and the pointers of buffers whose audit information has been successfully written can be deleted from the linked list.
In an alternative implementation of this embodiment, the audit buffer and/or log buffer of the user space employs a double buffer mode.
In this optional implementation, in order to reduce the number of system calls and hence the time the operating system spends switching between user mode and kernel mode, an audit buffer and a log buffer are maintained in user space. Log information and audit information are written into the log buffer and the audit buffer respectively in a uniform format, and a log reading thread and an audit reading thread in user space are responsible for monitoring and reading the information in the log buffer and the audit buffer and writing it into the log file and the audit file. The log output thread writes the kernel's log information into the user-space log buffer, and the audit output thread writes kernel-state audit information into the user-space audit buffer.
The buffers mainly solve the mismatch between the speed at which log or audit information is generated and the speed at which it is read. Beyond that, in the scenario of the embodiment, reading and writing the buffers raises the safety problems that come with separate read and write threads. For this reason the embodiment designs the user-space log buffer and audit buffer in double-buffer mode.
An array is a one-dimensional, physically contiguous linear structure; allocating it once avoids frequent memory allocation and release, and access is efficient, so the embodiment of the invention uses double buffers in array form.
As shown in FIG. 2, the audit buffer is implemented as two buffers, Buff_1 and Buff_2. Buff_1 is the buffer into which the current write thread, namely the audit output thread, stores audit information; when audit buffer Buff_1 is full, an exchange operation is triggered that exchanges the content of Buff_1 into Buff_2, and the read thread, namely the audit read thread, then reads data from Buff_2 and writes it into the audit file. Similarly, the log buffer can be implemented as two buffers Buff_1 and Buff_2: Buff_1 is where the current write thread, namely the log output thread, stores log information; when log buffer Buff_1 is full, an exchange operation is triggered that exchanges the content of Buff_1 into Buff_2, and the read thread, namely the log read thread, then reads data from Buff_2 and writes it into the log file.
In an optional implementation of this embodiment, in the double-buffer mode of the audit buffer, after the first audit buffer currently being written is full, the addresses of the first and second audit buffers are exchanged, so that the buffer pointer used by the kernel-mode audit output thread for writing audit information switches from the address of the first audit buffer to the address of the second audit buffer in user space, and the buffer pointer used by the audit read thread for reading audit information points to the address of the first audit buffer.
In this alternative implementation, when the two audit buffers are exchanged both must be locked, and copying the buffer contents would hold the locks for a long time and hurt overall performance. Therefore, in the embodiment of the disclosure, the exchange directly swaps the addresses of the two audit buffers: the pointer that pointed to Buff_1 for writing is made to point to Buff_2, the pointer the audit read thread used for reading Buff_2 is made to point to Buff_1, and the subsequent reads and writes proceed, achieving the exchange. Only pointers are swapped inside the critical section, so it executes quickly. The double-buffer design only needs to guarantee that one buffer can be written while the other is read, so when the kernel-mode audit output thread writes into its buffer it is not blocked by the slower execution in user mode, which improves kernel-mode processing efficiency.
In the embodiment of the disclosure, no single large buffer is needed; instead a double buffer in array form is set up, with the buffer used for writing and the buffer used for reading separated into two buffers, avoiding the thread blocking caused by holding a lock on a single buffer for a long time. At the same time, the array-form buffers are allocated once, avoiding frequent memory allocation and release.
In an optional implementation of this embodiment, in the double-buffer mode of the log buffer, after the first log buffer currently being written is full, the addresses of the first and second log buffers are exchanged, so that the buffer pointer used by the kernel-mode log output thread switches from the address of the first log buffer to the address of the second log buffer in user space, and the buffer pointer used by the log read thread for reading log information points to the address of the first log buffer.
In this alternative implementation, when the two log buffers are exchanged both must be locked, and copying the buffer contents would hold the locks for a long time and hurt overall performance. Therefore, in the embodiment of the disclosure, the exchange directly swaps the addresses of the two log buffers: the pointer the log output thread used for writing Buff_1 is made to point to Buff_2, the pointer the log read thread used for reading Buff_2 is made to point to Buff_1, and the subsequent reads and writes proceed, achieving the exchange. Only pointers are swapped inside the critical section, so it executes quickly. The double-buffer design only needs to guarantee that one buffer can be written while the other is read, so when the kernel-mode log output thread writes into its buffer it is not blocked by the slower execution in user mode, which improves kernel-mode processing efficiency.
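The pointer-exchanging double buffer described above for both the audit buffer and the log buffer, as an added example in C (not the patent's code). Two array buffers are allocated once; the producer appends to the write buffer, and when it is full the two pointers are swapped inside a short critical section instead of copying the contents. The consumer copies the read pointer and length under the lock, does the slow file write with no lock held, and only then marks its side drained. A C11 atomic_flag spinlock stands in for whatever lock the real system uses, the file is a byte counter, and the sizes and function names are assumptions; the example is driven from one thread.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <string.h>

#define DBUF_SIZE 64                 /* small so the example fills quickly */

/* The two array buffers, allocated once; Buff_1 starts as the write buffer. */
static char buff_1[DBUF_SIZE];
static char buff_2[DBUF_SIZE];
static char  *write_buf = buff_1;    /* pointer used by the (kernel-mode) output thread */
static size_t write_len;
static char  *read_buf  = buff_2;    /* pointer used by the (user-mode) read thread */
static size_t read_len;              /* 0 means the read buffer has been drained */

static atomic_flag swap_lock = ATOMIC_FLAG_INIT;   /* guards only the pointer exchange */
static unsigned swap_count;
static size_t   file_bytes;          /* stand-in for the audit or log file */

static void dbuf_lock(void)
{
    while (atomic_flag_test_and_set_explicit(&swap_lock, memory_order_acquire))
        ;
}

static void dbuf_unlock(void)
{
    atomic_flag_clear_explicit(&swap_lock, memory_order_release);
}

/* Exchange the two buffers by swapping the pointers. Refuses (returns -1) while
 * the read thread has not drained its side, otherwise the reader would lose the
 * buffer it is still writing to the file. */
static int dbuf_swap(void)
{
    char *tmp;

    dbuf_lock();
    if (read_len != 0) {
        dbuf_unlock();
        return -1;
    }
    tmp = write_buf;
    write_buf = read_buf;
    read_buf = tmp;
    read_len = write_len;
    write_len = 0;
    swap_count++;
    dbuf_unlock();
    return 0;
}

/* Producer side: append one record. Returns bytes accepted, or -1 when the
 * write buffer is full and the read buffer has not been drained yet (the
 * producer must retry or drop; it never blocks waiting for the consumer). */
int dbuf_write(const char *rec, size_t n)
{
    if (n > DBUF_SIZE)
        return -1;
    if (write_len + n > DBUF_SIZE && dbuf_swap() != 0)
        return -1;
    memcpy(write_buf + write_len, rec, n);
    write_len += n;
    return (int)n;
}

/* Consumer side: take the read pointer under the lock, do the slow file write
 * with no lock held, then mark the buffer drained. Returns bytes written. */
size_t dbuf_read_to_file(void)
{
    char *p;
    size_t n;

    dbuf_lock();
    p = read_buf;
    n = read_len;
    dbuf_unlock();
    if (n == 0)
        return 0;
    file_bytes += n;                 /* real code: write(fd, p, n) */
    (void)p;
    dbuf_lock();
    read_len = 0;                    /* only now may a swap hand the reader the other buffer */
    dbuf_unlock();
    return n;
}

/* Write `records` fixed 16-byte sample records; returns how many were accepted. */
int dbuf_burst(int records)
{
    static const char rec[16] = "audit-record...";   /* constructed sample record */
    int accepted = 0;

    while (records-- > 0 && dbuf_write(rec, sizeof rec) == (int)sizeof rec)
        accepted++;
    return accepted;
}

unsigned dbuf_swap_count(void) { return swap_count; }
size_t   dbuf_file_bytes(void) { return file_bytes; }
```

The check on read_len inside dbuf_swap() is what makes the pointer exchange safe: the reader publishes "drained" only after its file write has finished, so the swap can never hand the producer a buffer the reader is still copying out. When both buffers are full, dbuf_write() returns -1 rather than blocking the kernel-side thread, which matches the text's requirement; the caller has to decide whether to retry, drop, or count the loss, and for an audit trail counting dropped records is the minimum.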
In an alternative implementation of this embodiment, the apparatus further includes:
the first establishing module is configured to establish an idle audit buffer area;
a storage module configured to store a pointer to the free audit buffer in a free audit buffer linked list;
the first output module includes:
a request sub-module configured to request an idle audit buffer from the idle audit buffer linked list;
and the writing submodule is configured to write audit information in the audit context structure into the idle audit buffer.
In this alternative implementation, the security monitoring system may establish a plurality of idle audit buffers in advance during initialization and store pointers to them in the idle audit buffer linked list. When the system call interface of the kernel space exits and the audit information in the audit context structure of the execution object that called the system call interface needs to be output from kernel space to user space, an audit output thread can request an idle audit buffer from the idle audit buffer linked list and write the audit information in the audit context structure into that idle audit buffer.
It should be noted that after the corresponding audit output thread takes the pointer of the audit buffer that is to receive the audit information out of the idle audit buffer linked list, the pointer is written into the non-idle audit buffer linked list, and the entry pointing to that audit buffer in the idle audit buffer linked list can be deleted.
In an alternative implementation of this embodiment, the apparatus further includes:
the allocation module is configured to reallocate the audit buffer when no audit buffer is idle in the idle audit buffer list;
and a fifth writing module configured to write audit information in the audit context structure into the reassigned audit buffer.
In this alternative implementation, the audit output thread may write the pointer of each created idle audit buffer into the audit buffer list; when an execution object in kernel space requests an audit buffer, the audit output thread finds an idle audit buffer in the audit buffer list and writes the audit information in the execution object's audit context structure into it.
If the audit buffer list contains no pointer to an idle audit buffer, the audit output thread can allocate a new audit buffer for the current execution object, and the corresponding audit output thread writes the audit information in the execution object's audit context structure into the new audit buffer.
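The idle audit buffer linked list, the non-idle list that receives a buffer once it is written, and the fall-back allocation when the idle list is empty, as an added C example that is not the patent's own code. The audit_context fields, the buffer size, the text serialization of a record, and the pool statistics are constructed for illustration; the patent does not define them.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_BUF_SIZE 256   /* constructed record capacity per buffer */

/* Constructed audit context: what the kernel side records at syscall entry and exit. */
struct audit_context {
    int  syscall_nr;
    int  pid;
    long entry_ts;
    long exit_ts;
    long retval;
};

/* An audit buffer that can sit on either linked list. */
struct audit_buf {
    struct audit_buf *next;
    size_t            len;
    char              data[AUDIT_BUF_SIZE];
};

/* Idle (free) list and non-idle (used) list, plus counters for the example. */
struct audit_pool {
    struct audit_buf *free_list;
    struct audit_buf *used_list;
    unsigned          preallocated;   /* buffers established at initialization */
    unsigned          extra_allocs;   /* times the idle list ran dry and a new buffer was allocated */
};

static void push(struct audit_buf **head, struct audit_buf *b) { b->next = *head; *head = b; }
static struct audit_buf *pop(struct audit_buf **head)
{
    struct audit_buf *b = *head;
    if (b) *head = b->next;
    return b;
}
static unsigned list_len(const struct audit_buf *b) { unsigned n = 0; for (; b; b = b->next) n++; return n; }

/* Pre-establish `n` idle buffers and store their pointers on the idle list. */
int audit_pool_init(struct audit_pool *p, unsigned n)
{
    memset(p, 0, sizeof *p);
    for (unsigned i = 0; i < n; i++) {
        struct audit_buf *b = calloc(1, sizeof *b);
        if (!b) return -1;
        push(&p->free_list, b);
        p->preallocated++;
    }
    return 0;
}

/* Syscall-exit path: take an idle buffer (allocating one only if the idle list is
   empty), serialize the context into it, and move its pointer to the non-idle list. */
struct audit_buf *audit_output(struct audit_pool *p, const struct audit_context *ctx)
{
    struct audit_buf *b = pop(&p->free_list);
    if (!b) {
        b = calloc(1, sizeof *b);
        if (!b) return NULL;
        p->extra_allocs++;
    }
    int n = snprintf(b->data, AUDIT_BUF_SIZE, "syscall=%d pid=%d entry=%ld exit=%ld ret=%ld",
                     ctx->syscall_nr, ctx->pid, ctx->entry_ts, ctx->exit_ts, ctx->retval);
    b->len = n < 0 ? 0 : (size_t)n;
    push(&p->used_list, b);
    return b;
}

/* Reader side: hand every non-idle buffer to `sink` (may be NULL) and return it to
   the idle list. Returns the number of records flushed. */
unsigned audit_flush(struct audit_pool *p, void (*sink)(const char *, size_t))
{
    unsigned flushed = 0;
    struct audit_buf *b;
    while ((b = pop(&p->used_list)) != NULL) {
        if (sink) sink(b->data, b->len);
        b->len = 0;
        push(&p->free_list, b);
        flushed++;
    }
    return flushed;
}

unsigned audit_free_count(const struct audit_pool *p) { return list_len(p->free_list); }
unsigned audit_used_count(const struct audit_pool *p) { return list_len(p->used_list); }

void audit_pool_destroy(struct audit_pool *p)
{
    struct audit_buf *b;
    while ((b = pop(&p->free_list)) != NULL) free(b);
    while ((b = pop(&p->used_list)) != NULL) free(b);
}

static void print_sink(const char *s, size_t n) { printf("%.*s\n", (int)n, s); }

int main(void)
{
    struct audit_pool p;
    struct audit_context ctx = { 63, 1234, 100, 105, 0 };   /* constructed values */
    audit_pool_init(&p, 2);
    for (int i = 0; i < 3; i++) { ctx.syscall_nr = i; audit_output(&p, &ctx); }
    printf("flushed=%u extra_allocs=%u\n", audit_flush(&p, print_sink), p.extra_allocs);
    audit_pool_destroy(&p);
    return 0;
}
```

With two pre-established buffers and three syscall exits before the reader runs, exactly one extra allocation happens; after the flush all three buffers are back on the idle list, so a fourth exit is served without allocating.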
In an alternative implementation of this embodiment, the apparatus further includes:
the second building module is configured to build a new audit file after the content in the audit file exceeds the preset storage capacity;
and the deleting module is configured to delete one or more audit files which are established first according to time sequence after the number of the audit files exceeds the preset number.
In this alternative implementation, the audit read thread may write audit information to the audit file periodically or after an audit buffer becomes full. The audit files are stored in user space, and their storage capacity can be preset when the security monitoring system is initialized. After the audit information stored in one audit file exceeds the preset storage capacity, a file establishment thread started when the security monitoring system runs establishes a new audit file, and subsequent audit information is written into the new audit file.
In some embodiments, when the number of audit files becomes excessive, for example exceeds a preset number, the file deletion thread started when the security monitoring system runs deletes one or more of the audit files that were established first, in the order in which the audit files were established, and keeps the more recently established audit files.
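The audit file establishment and deletion steps described above, as an added C example that is not the patent's own code. It models the audit files in memory (creation sequence number and current size) rather than touching a file system, and the capacity and retention count are constructed values; the check-after-write ordering follows the text, which establishes a new file once the content of the current one exceeds the preset capacity.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_AUDIT_FILES 16   /* constructed upper bound for the in-memory table */

/* Constructed model of one audit file: creation sequence number and current size. */
struct audit_file {
    unsigned seq;
    size_t   bytes;
};

/* Rotation state: files are kept oldest-first, so files[0] is always the one established first. */
struct audit_rotation {
    struct audit_file files[MAX_AUDIT_FILES];
    unsigned count;      /* audit files currently kept */
    unsigned next_seq;   /* sequence number for the next file established */
    size_t   capacity;   /* preset storage capacity per audit file */
    unsigned keep;       /* preset number of audit files to retain */
    unsigned deleted;    /* statistics: files removed by the deletion step */
};

/* Delete the audit file that was established first (the head of the table). */
static void delete_oldest(struct audit_rotation *r)
{
    if (r->count == 0) return;
    memmove(&r->files[0], &r->files[1], (r->count - 1) * sizeof r->files[0]);
    r->count--;
    r->deleted++;
}

/* Establish a new, empty audit file and make it the current one. */
static void establish_file(struct audit_rotation *r)
{
    if (r->count == MAX_AUDIT_FILES) delete_oldest(r);
    r->files[r->count].seq = r->next_seq++;
    r->files[r->count].bytes = 0;
    r->count++;
}

void rotation_init(struct audit_rotation *r, size_t capacity, unsigned keep)
{
    memset(r, 0, sizeof *r);
    r->capacity = capacity;
    r->keep = keep == 0 ? 1 : (keep > MAX_AUDIT_FILES ? MAX_AUDIT_FILES : keep);
    establish_file(r);
}

/* Write `len` bytes of audit information to the current file. The file is checked
   after the write: once its content exceeds the capacity, a new file is established
   for subsequent writes, and once the number of files exceeds the retention count
   the files established first are deleted. Returns the sequence number of the file
   the record was written to. */
unsigned rotation_append(struct audit_rotation *r, size_t len)
{
    struct audit_file *cur = &r->files[r->count - 1];
    unsigned written_to = cur->seq;
    cur->bytes += len;
    if (cur->bytes > r->capacity) {
        establish_file(r);
        while (r->count > r->keep) delete_oldest(r);
    }
    return written_to;
}

unsigned rotation_oldest_seq(const struct audit_rotation *r) { return r->files[0].seq; }
unsigned rotation_newest_seq(const struct audit_rotation *r) { return r->files[r->count - 1].seq; }

int main(void)
{
    struct audit_rotation r;
    rotation_init(&r, 100, 3);                       /* constructed: 100-byte files, keep 3 */
    size_t sizes[] = { 60, 60, 120, 120, 10 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("record %zu (%zu bytes) -> file %u\n", i, sizes[i], rotation_append(&r, sizes[i]));
    printf("kept=%u oldest=%u newest=%u deleted=%u\n",
           r.count, rotation_oldest_seq(&r), rotation_newest_seq(&r), r.deleted);
    return 0;
}
```

Because a record is written before the capacity check, a single oversized record lands in the current file and only triggers the switch for the records that follow it; the retention loop then keeps exactly `keep` files, deleting from the oldest end.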
The embodiment of the disclosure also provides a chip that comprises the security monitoring device based on the microkernel operating system. The chip can be any chip capable of realizing the security monitoring process based on the microkernel operating system, and the device can be realized as part or all of the chip through software, hardware, or a combination of the two. For the security monitoring process based on the microkernel operating system, refer to the above description of the security monitoring method based on the microkernel operating system; it is not repeated here.
The present disclosure also discloses an electronic device. Fig. 5 shows a block diagram of the electronic device according to an embodiment of the present disclosure; as shown in fig. 5, the electronic device 500 includes a memory 501 and a processor 502, wherein
the memory 501 is configured to store one or more computer instructions that are executed by the processor 502 to implement the method steps described above.
FIG. 6 is a schematic diagram of a computer system suitable for use in implementing a microkernel operating system-based security monitoring method in accordance with an embodiment of the present disclosure.
As shown in fig. 6, the computer system 600 includes a processing unit 601, which can execute various processes in the above-described embodiments according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. The RAM 603 also stores various programs and data required for the operation of the computer system 600. The processing unit 601, the ROM 602, and the RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, mouse, etc.; an output portion 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on drive 610 so that a computer program read therefrom is installed as needed into storage section 608. The processing unit 601 may be implemented as a processing unit such as CPU, GPU, TPU, FPGA, NPU.
In particular, according to embodiments of the present disclosure, the methods described above may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program tangibly embodied on a medium readable thereby, the computer program comprising program code for performing the method. In such an embodiment, the computer program can be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units or modules described in the embodiments of the present disclosure may be implemented by software, or may be implemented by hardware. The units or modules described may also be provided in a processor, the names of which in some cases do not constitute a limitation of the unit or module itself.
As another aspect, the present disclosure also provides a computer-readable storage medium, which may be a computer-readable storage medium included in the apparatus described in the above embodiment; or may be a computer-readable storage medium, alone, that is not assembled into a device. The computer-readable storage medium stores one or more programs for use by one or more processors in performing the methods described in the present disclosure.
The foregoing description covers only the preferred embodiments of the present disclosure and the principles of the technology employed. Those skilled in the art will appreciate that the scope of the invention referred to in this disclosure is not limited to the specific combination of features described above, but also encompasses other embodiments formed by any combination of the features described above or their equivalents without departing from the inventive concept. For example, the technical features described above may be replaced by (but are not limited to) technical features with similar functions disclosed in the present disclosure.

Claims (29)

1. A security monitoring method based on a microkernel operating system, characterized in that the method is implemented by adding a security monitoring system to the microkernel operating system architecture, and the functions of the security monitoring system are implemented as a user space service program; the method comprises the following steps:
Responding to a call request of an execution object of a user space to a system call interface in a microkernel operating system, and matching a system call event type corresponding to the call request with pre-configured audit configuration information in the kernel space; detecting a call request of an execution object of a user space to a system call interface in a microkernel operating system by starting one or more detection threads in the user space;
when the system call event type is matched with the audit configuration information, recording entry audit information when the system call interface enters kernel space operation in an audit context structure of the execution object, and recording exit audit information when the system call interface exits in the audit context structure of the execution object;
outputting the entry audit information and the exit audit information in the audit context structure from the kernel space to an audit buffer area of a user space when exiting the system call interface; when the system call interface exits, one or more information output threads output the entry audit information and the exit audit information in the audit context structure to an audit buffer area of a user space;
Wherein, the audit buffer zone of the user space adopts a double buffer zone mode; under the double-buffer mode of the audit buffer, after the first audit buffer for writing audit information is fully written, the addresses of the first audit buffer and the second audit buffer are exchanged, so that the buffer pointer of the audit output thread in the kernel mode for writing audit information is switched from the address of the first audit buffer to the address of the second audit buffer in the user space, and the buffer pointer of the audit reading thread for reading audit information is directed to the address of the first audit buffer.
2. The method according to claim 1, wherein the method further comprises:
and when the system call event type corresponding to the call request is not matched with the audit configuration information, writing first kernel-state log information generated by the system call interface in the kernel space execution process into a log buffer area of a user space.
3. The method according to claim 2, wherein the method further comprises:
writing user state log information generated by a user space into the log buffer area; and/or
writing second kernel-state log information generated by the kernel space into the log buffer area; the second kernel-state log information is generated in the kernel space by a non-system call interface.
4. The method according to claim 2, wherein the method further comprises:
reading log information in the log buffer area in a user space;
and calling a file system interface to output the log information in the log buffer area to a control console or a log file.
5. The method according to claim 1, wherein the method further comprises:
acquiring user space audit information generated by a user space;
matching the user space audit information with the audit configuration information;
and when the user space audit information is matched with the audit configuration information, writing the user space audit information into the audit buffer area.
6. The method according to claim 1, wherein the method further comprises:
receiving user configuration information input by a user in a user space through a preset interface;
updating the audit configuration information stored in a user space based on the user configuration information.
7. The method according to claim 4, wherein the method further comprises:
receiving a request for checking the log file by a user in a user space;
and outputting the log file to a user based on the viewing request.
8. The method according to claim 1, wherein the method further comprises:
reading audit information in the audit buffer area in a user space;
and calling a file system interface to output the audit information in the audit buffer area to an audit file.
9. The method of claim 8, wherein the method further comprises:
receiving a request for checking the audit file in a user space by a user;
and outputting an audit report to a user based on the audit information in the audit file.
10. The method according to claim 8 or 9, characterized in that the method further comprises:
setting an audit buffer chain table in a user space; the audit buffer list is used for storing pointers pointing to the audit buffer;
invoking a file system interface to output the audit information in the audit buffer area to an audit file, including:
after the number of pointers in the audit buffer list exceeds a preset threshold, calling a file system interface to output audit information in the audit buffer to the audit file in a user space based on the pointers in the audit buffer list;
and deleting the corresponding pointer in the audit buffer list.
11. The method according to claim 1, wherein the method further comprises:
establishing an idle audit buffer area;
storing a pointer pointing to the idle audit buffer in an idle audit buffer list;
outputting the entry audit information and the exit audit information in the audit context structure from the kernel space to an audit buffer of a user space when exiting the system call interface, comprising:
requesting an idle audit buffer from the idle audit buffer list;
and writing audit information in the audit context structure into the idle audit buffer area.
12. The method of claim 11, wherein the method further comprises:
reallocating the audit buffer when no audit buffer is idle in the idle audit buffer list;
and writing the audit information in the audit context structure into the redistributed audit buffer area.
13. The method of claim 8, wherein the method further comprises:
after the content in the audit file exceeds the preset storage capacity, a new audit file is established;
and deleting one or more audit files which are established first according to the time sequence after the number of the audit files exceeds the preset number.
14. A security monitoring device based on a microkernel operating system, characterized in that the device is implemented by adding a security monitoring system to the microkernel operating system architecture, and the functions of the security monitoring system are implemented as a user space service program; the device comprises:
the response module is configured to respond to a call request of an execution object of the user space to a system call interface in the microkernel operating system, and match a system call event type corresponding to the call request with preset audit configuration information in the kernel space; detecting a call request of an execution object of a user space to a system call interface in a microkernel operating system by starting one or more detection threads in the user space;
the recording module is configured to record entry audit information when the system call interface enters kernel space operation in an audit context structure of the execution object when the system call event type is matched with the audit configuration information, and record exit audit information when the system call interface exits in the audit context structure of the execution object;
the first output module is configured to output the entry audit information and the exit audit information in the audit context structure from the kernel space to an audit buffer of a user space when exiting the system call interface; when the system call interface exits, one or more information output threads output the entry audit information and the exit audit information in the audit context structure to an audit buffer area of a user space;
Wherein, the audit buffer zone of the user space adopts a double buffer zone mode; under the double-buffer mode of the audit buffer, after the first audit buffer for writing audit information is fully written, the addresses of the first audit buffer and the second audit buffer are exchanged, so that the buffer pointer of the audit output thread in the kernel mode for writing audit information is switched from the address of the first audit buffer to the address of the second audit buffer in the user space, and the buffer pointer of the audit reading thread for reading audit information is directed to the address of the first audit buffer.
15. The apparatus of claim 14, wherein the apparatus further comprises:
and the first writing module is configured to write first kernel-state log information generated by the system call interface in the kernel space execution process into a log buffer of the user space when the system call event type corresponding to the call request is not matched with the audit configuration information.
16. The apparatus of claim 15, wherein the apparatus further comprises:
the second writing module is configured to write user state log information generated by the user space into the log buffer area; and/or
The third writing module is used for writing the second kernel-state log information generated by the kernel space into the log buffer area; the second kernel-state log information is generated in the kernel space by a non-system call interface.
17. The apparatus of claim 15, wherein the apparatus further comprises:
a first reading module configured to read log information in the log buffer in a user space;
and the first calling module is configured to call a file system interface to output the log information in the log buffer to a console or a log file.
18. The apparatus of claim 14, wherein the apparatus further comprises:
the acquisition module is configured to acquire user space audit information generated by a user space;
the matching module is configured to match the user space audit information with the audit configuration information;
and the fourth writing module is configured to write the user space audit information into the audit buffer area when the user space audit information is matched with the audit configuration information.
19. The apparatus of claim 14, wherein the apparatus further comprises:
The first receiving module is configured to receive user configuration information input by a user in a user space through a preset interface;
and the updating module is configured to update the audit configuration information stored in a user space based on the user configuration information.
20. The apparatus of claim 18, wherein the apparatus further comprises:
the second receiving module is configured to receive a request for viewing the log file by a user in a user space;
and a second output module configured to output the log file to a user based on the view request.
21. The apparatus of claim 14, wherein the apparatus further comprises:
the second reading module is configured to read audit information in the audit buffer area in a user space;
and the second calling module is configured to call a file system interface to output the audit information in the audit buffer area to an audit file.
22. The apparatus of claim 21, wherein the apparatus further comprises:
the third receiving module is configured to receive a viewing request of a user on the audit file in a user space;
and the third output module is configured to output an audit report to a user based on the audit information in the audit file.
23. The apparatus according to claim 21 or 22, characterized in that the apparatus further comprises:
the setting module is configured to set an audit buffer list in the user space; the audit buffer list is used for storing pointers pointing to the audit buffer;
the second calling module comprises:
the calling sub-module is configured to call a file system interface to output audit information in the audit buffer to the audit file in a user space based on the pointers in the audit buffer chain table after the number of the pointers in the audit buffer chain table exceeds a preset threshold;
and the deleting submodule is configured to delete the corresponding pointer in the audit buffer list.
24. The apparatus of claim 14, wherein the apparatus further comprises:
the first establishing module is configured to establish an idle audit buffer area;
a storage module configured to store a pointer to the free audit buffer in a free audit buffer linked list;
the first output module includes:
a request sub-module configured to request an idle audit buffer from the idle audit buffer linked list;
And the writing submodule is configured to write audit information in the audit context structure into the idle audit buffer.
25. The apparatus of claim 24, wherein the apparatus further comprises:
the allocation module is configured to reallocate the audit buffer when no audit buffer is idle in the idle audit buffer list;
and a fifth writing module configured to write audit information in the audit context structure into the reassigned audit buffer.
26. The apparatus of claim 21, wherein the apparatus further comprises:
the second building module is configured to build a new audit file after the content in the audit file exceeds the preset storage capacity;
and the deleting module is configured to delete one or more audit files which are established first according to time sequence after the number of the audit files exceeds the preset number.
27. An electronic device comprising a memory, a processor, and a computer program stored on the memory, wherein the processor executes the computer program to implement the method of any of claims 1-13.
28. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method of any of claims 1-13.
29. A chip for executing instructions to be executed by the chip to implement the method steps of any one of claims 1-13.
CN202310093203.9A 2023-02-10 2023-02-10 Security monitoring method, device, equipment and chip based on microkernel operating system Active CN115774651B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310093203.9A CN115774651B (en) 2023-02-10 2023-02-10 Security monitoring method, device, equipment and chip based on microkernel operating system

Publications (2)

Publication Number Publication Date
CN115774651A CN115774651A (en) 2023-03-10
CN115774651B true CN115774651B (en) 2023-06-09

Family

ID=85393446

Country Status (1)

Country Link
CN (1) CN115774651B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant