CN-122001766-A - Configuration checking method and device
Abstract
The application provides a configuration checking method and device, relates to the field of communication, and can improve the accuracy of security configuration checking so as to better prevent the security risk of a network system. In the method, a first device acquires first security baseline information, wherein the first security baseline information is described through a yang language, the first security baseline information comprises configuration constraints of a first configuration item and path information of the first configuration item, the path information is used for indicating the position of the first configuration item, the first device acquires a first configuration value of the first configuration item according to the path information, and the first device checks the first configuration item based on the first security baseline information and the first configuration value of the first configuration item to obtain a first result, and the first result indicates whether the first configuration value of the first configuration item meets the configuration constraints or not.
Inventors
- PAN WEI
- WU BO
- QIAN CHENG
- CHEN YAN
Assignees
- 华为技术有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20241108
Claims (15)
- 1. A configuration checking method, comprising: acquiring first security baseline information, wherein the first security baseline information is described through yang language, the first security baseline information comprises configuration constraints of a first configuration item and path information of the first configuration item, and the path information is used for indicating the position of the first configuration item; acquiring a first configuration value of the first configuration item according to the path information; and checking the first configuration item based on the first security baseline information and the first configuration value of the first configuration item to obtain a first result, the first result indicating whether the first configuration value of the first configuration item satisfies the configuration constraint.
- 2. The method of claim 1, wherein the first security baseline information is based on an instance of a first yang model definition that defines a format describing the configuration constraints and the path information, the first result is based on an instance of a second yang model definition that defines a format describing the first result.
- 3. The method of claim 1 or 2, wherein the first security baseline information further comprises a software version corresponding to the first configuration item.
- 4. The method according to any one of claims 1 to 3, wherein the first configuration item comprises a first sub-configuration item, and wherein the acquiring a first configuration value of the first configuration item according to the path information comprises: acquiring a first configuration value of the first sub-configuration item according to the path information; and the checking the first configuration item based on the first security baseline information and the first configuration value comprises: checking the first sub-configuration item based on the first security baseline information and the first configuration value of the first sub-configuration item to obtain a second result, wherein the second result indicates whether the first configuration value of the first sub-configuration item meets the configuration constraint.
- 5. The method of claim 4, wherein after the checking the first sub-configuration item based on the first security baseline information and the first configuration value of the first sub-configuration item, the method further comprises: and when the second result indicates that the first configuration value of the first sub-configuration item does not meet the configuration constraint, sending first information, wherein the first information is used for indicating that the first sub-configuration item has security risk.
- 6. The method of any of claims 1 to 5, wherein the first security baseline information further comprises a first tag of the first configuration item, the first tag of the first configuration item being used to indicate that the first configuration item is associated with a security configuration, the obtaining the first security baseline information comprising: acquiring second security baseline information, wherein the second security baseline information comprises the first security baseline information, the second security baseline information comprises first tags of a plurality of configuration items, the first tags of the plurality of configuration items are used for indicating whether the plurality of configuration items are associated with security configuration or not, and the plurality of configuration items comprise the first configuration item; and determining the first security baseline information from the second security baseline information according to the first tags of the configuration items.
- 7. The method of any of claims 1 to 6, wherein the first security baseline information further comprises a second tag of the first configuration item, the second tag of the first configuration item indicates that a security configuration type of the first configuration item is a first type, and the obtaining the first security baseline information comprises: acquiring third security baseline information, wherein the third security baseline information comprises the first security baseline information, the third security baseline information comprises second tags of a plurality of configuration items, the second tags of the plurality of configuration items are used for indicating security configuration types of the plurality of configuration items, and the plurality of configuration items comprise the first configuration item; and, when configuration items of the first type are checked, determining the first security baseline information from the third security baseline information according to the second tags of the plurality of configuration items.
- 8. The method according to any of claims 1 to 7, wherein the method is applied to a first network element device, and the obtaining the first security baseline information comprises: acquiring the first security baseline information from a local store or a cloud; and after the checking the first configuration item based on the first security baseline information and the first configuration value of the first configuration item, the method further comprises: sending the first result to a first controller.
- 9. The method of claim 8, wherein prior to the obtaining the first security baseline information from the local store or the cloud, the method further comprises: receiving second information sent by the first controller, wherein the second information is defined based on a third yang model, the third yang model defines a format describing a third label and a fourth label, the third label is used for indicating that all configuration items associated with security configuration are to be checked, and the fourth label is used for indicating that the configuration items whose security configuration type is a target type are to be checked.
- 10. The method according to any one of claims 1 to 7, wherein the method is applied to a single-domain controller, and the acquiring the first security baseline information comprises: receiving the first security baseline information sent by a second network element device; and after the checking the first configuration item based on the first security baseline information and the first configuration value of the first configuration item, the method further comprises: sending the first result to a cross-domain controller.
- 11. A communication device is characterized by comprising a communication interface and a processor; the communication interface and the processor perform the method of any one of claims 1 to 10.
- 12. A communication device, comprising: a transceiver unit for performing the transceiving operations in the method according to any of claims 1 to 10; and a processing unit for performing operations other than the transceiving operations in the method according to any of claims 1 to 10.
- 13. A computer readable storage medium, characterized in that the medium stores instructions which, when executed by a processor, implement the method of any one of claims 1 to 10.
- 14. A computer program product comprising instructions which, when run on a processor, perform the method of any of claims 1 to 10.
- 15. A chip comprising at least one processing unit and interface circuitry for providing program instructions or data to the at least one processing unit, the at least one processing unit being adapted to execute the program instructions to implement the method of any one of claims 1 to 10.
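The check described in claims 1 to 7 (path-addressed configuration values, constraint evaluation, fan-out over sub-configuration items, and tag-based selection of which baseline entries to check) as an added worked example; this is not the patent's own code. The baseline entries and device configuration are constructed samples standing in for a YANG-modelled baseline instance and a device datastore, and the path syntax and constraint keys are assumptions.

```python
from typing import Any, Optional

# Constructed baseline (stand-in for a YANG-modelled baseline instance): path,
# constraint, applicable software version, and the two tags from the claims
# (security-related yes/no, security-configuration type). Path syntax is assumed.
BASELINE = [
    {"item": "ssh-version", "path": "/system/ssh/version", "sw": "v1", "sec": True, "type": "access", "constraint": {"equals": 2}},
    {"item": "login-retries", "path": "/system/aaa/max-retries", "sw": "v1", "sec": True, "type": "auth", "constraint": {"max": 5}},
    {"item": "intf-acl", "path": "/interfaces/interface/acl", "sw": "v1", "sec": True, "type": "access", "constraint": {"required": True}},
    {"item": "hostname", "path": "/system/hostname", "sw": "v1", "sec": False, "type": None, "constraint": {"required": True}},
]

# Constructed device configuration; a list node holds sub-configuration items.
CONFIG = {
    "system": {"ssh": {"version": 1}, "aaa": {"max-retries": 3}, "hostname": "r1"},
    "interfaces": {"interface": [{"name": "ge0", "acl": "edge-in"}, {"name": "ge1"}]},
}

def resolve(node: Any, steps: list, prefix: str = "") -> list:
    """Walk `steps` from `node`, fanning out over lists so no instance is skipped."""
    if isinstance(node, list):  # sub-configuration items: every member is checked
        return [r for i, n in enumerate(node) for r in resolve(n, steps, f"{prefix}[{i}]")]
    if not steps:
        return [(prefix, node)]
    if isinstance(node, dict) and steps[0] in node:
        return resolve(node[steps[0]], steps[1:], f"{prefix}/{steps[0]}")
    return [(f"{prefix}/{'/'.join(steps)}", None)]  # missing value is reported, not dropped

def satisfies(value: Any, constraint: dict) -> bool:
    """Evaluate the constraint kinds used in the constructed baseline."""
    if value is None:
        return not constraint.get("required", True)  # absence fails unless marked optional
    if "equals" in constraint and value != constraint["equals"]:
        return False
    return not ("max" in constraint and value > constraint["max"])

def check(baseline: list, config: dict, type_filter: Optional[str] = None) -> list:
    """Check security-tagged items (optionally only one type); one result per instance."""
    results = []
    for entry in baseline:
        if not entry["sec"] or (type_filter and entry["type"] != type_filter):
            continue  # tag-based selection of the baseline subset to check
        for path, value in resolve(config, entry["path"].strip("/").split("/")):
            results.append({"item": entry["item"], "path": path, "value": value,
                            "compliant": satisfies(value, entry["constraint"])})
    return results
```

Each result carries the resolved instance path, so a non-compliant sub-item (here the second interface with no ACL) can be reported individually, as claim 5 describes.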
Description
Configuration checking method and device
Technical Field
The embodiments of the application relate to the field of communication, and in particular to a configuration checking method and device.
Background
With the development of communication technology, it is increasingly important to maintain the security of network systems. To maintain the security of a network system, security configuration checks need to be performed on network element devices. Security configuration checking refers to the rapid identification of risky behaviour and the reduction of attacks by examining the individual configuration items related to the security configuration. For example, the current configuration value of a security-related configuration item of a network element device may be obtained, and it is then determined whether the current configuration value conforms to the configuration constraint in the security baseline information: if so, there is no security risk; if not, there is a security risk.
For security configuration checking, manufacturers of network element devices and others can formulate security baseline information according to standards, specifications and application practice. The security baseline information can take the form of a table in which the security baseline information for each configuration item is defined. However, on the one hand, such a table requires manual maintenance, which makes the security baseline information error-prone and may lead to inaccurate security configuration checking results. On the other hand, the configuration values obtained during the security configuration checking process are not complete, so the security configuration checking result is inaccurate. Therefore, how to improve the accuracy of security configuration checking is a technical problem to be solved.
Disclosure of Invention
The application provides a configuration checking method and a configuration checking device, which describe security baseline information through yang language, reduce the probability of errors in the security baseline information caused by manual mistakes, help to obtain the configuration values of configuration items more comprehensively by introducing path information of the configuration items into the security baseline information, avoid missing configuration values of configuration items, and improve the accuracy of security configuration checking, thereby better preventing security risks to the network system.
The first aspect of the present application provides a configuration checking method, which is performed by a first device, or by some of the components (e.g. a processor, a chip or a system-on-chip) in the first device, or which may be implemented by a logic module or software capable of implementing all or part of the functions of the first device.
In the first aspect and its possible implementations, taking the first device as the executing entity in an example of the configuration checking method: the first device acquires first security baseline information, where the first security baseline information is described by yang language, the first security baseline information includes configuration constraints of a first configuration item and path information of the first configuration item, and the path information is used for indicating the position of the first configuration item; the first device acquires a first configuration value of the first configuration item according to the path information; and the first device checks the first configuration item based on the first security baseline information and the first configuration value of the first configuration item to obtain a first result, where the first result indicates whether the first configuration value of the first configuration item meets the configuration constraints.
In the first aspect, first, since the first security baseline information is described by the yang language, and the yang language is simple and understandable, the first device can understand and process the first security baseline information described by the yang language, so the first device can itself perform part of the maintenance of the first security baseline information. Dependence on manual work in the maintenance of the security baseline information is therefore reduced, and the probability of errors in the security baseline information due to human error is reduced; since the security configuration checking process is based on the security baseline information, the accuracy of security configuration checking is improved by reducing the probability of errors in the security baseline information. Second, since the first security baseline information includes the path information of the first configuration item, the first