DOI:10.19850/j.cnki.2096-4706.2022.21.006
CLC number: TP311    Document code: A    Article ID: 2096-4706(2022)21-0025-04
The Design and Application of a Log Audit System
SUN Dongxu
(China National Petroleum Corporation, Beijing 100010, China)
Abstract: The business system discussed in this paper carries considerable commercial, economic and political value. To counter high-level threats such as black-market criminal groups and state-level organizations, this paper studies log auditing from several angles: the comprehensiveness and extensibility of the business system's audit logs, whether the logged information meets the working needs of business and security operations staff, and how to correlate the heterogeneous logs produced across the entire technology stack. It proposes a security log specification based on security requirements and industry best practice; an "enrichment" step during log processing that extends the original log fields with business information fields; and a standard log model under which every type of log is normalized and stored in one place. The design has been applied in a real project and met its intended goals.
Keywords: log; audit log specification; enrichment; log format standard
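The two techniques the abstract names, normalizing heterogeneous logs onto one standard model and then enriching them with business fields, are illustrated below in an added example that is not code from the paper or its project. The field names (flat, ECS-style keys), the business directories, the log sources and all sample lines are constructed assumptions.

```python
import ipaddress
import json
import re
from datetime import datetime

# Constructed business directories (assumed format, not from the paper): the business
# context that raw technical logs lack and that the enrichment step adds.
ACCOUNTS = {"u1001": {"department": "settlement", "role": "operator"}}
ZONES = [(ipaddress.ip_network("10.0.1.0/24"), "operations-office")]
NGINX_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def normalize(raw, source):
    """Map one raw line from a known source onto the standard log model (flat, ECS-style keys)."""
    if source == "nginx":
        m = NGINX_RE.match(raw)
        if not m:
            raise ValueError("unparseable nginx access line")
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return {"@timestamp": ts.isoformat(), "event.category": "web",
                "event.outcome": "success" if int(m["status"]) < 400 else "failure",
                "source.ip": m["ip"], "user.id": m["user"], "url.path": m["path"],
                "http.response.status_code": int(m["status"])}
    if source == "app_json":  # application audit log, already structured in its own keys
        d = json.loads(raw)
        return {"@timestamp": d["time"], "event.category": "authentication",
                "event.outcome": d["result"], "source.ip": d["client"],
                "user.id": d["account"], "event.action": d["action"]}
    raise ValueError(f"unknown log source: {source}")

def zone_of(ip):
    """Network zone lookup; unparseable or unlisted addresses yield 'unknown', never an error."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    return next((zone for net, zone in ZONES if addr in net), "unknown")

def enrich(event):
    """Add business.* fields; failed lookups get 'unknown' so downstream queries stay stable."""
    acct = ACCOUNTS.get(event.get("user.id"), {})
    event["business.department"] = acct.get("department", "unknown")
    event["business.role"] = acct.get("role", "unknown")
    event["business.zone"] = zone_of(event.get("source.ip", ""))
    return event

# Constructed sample lines from two heterogeneous sources (not real data).
NGINX_LINE = '10.0.1.15 - u1001 [15/Jul/2022:10:02:33 +0800] "POST /api/transfer HTTP/1.1" 200'
APP_LINE = '{"time":"2022-07-15T02:01:58+00:00","client":"10.0.1.15","account":"u1001","action":"login","result":"success"}'
```

Once both lines pass through `enrich(normalize(...))` they share `user.id` and `business.department`, which is what lets a web-tier access and an application-tier login be correlated in one store.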
About the author: SUN Dongxu (born 1988), male, Han nationality, from Jilin, Jilin Province; engineer, master's degree; main research direction: construction and management of network security projects.