The state of a system can include but is not limited to, the existence of files on a storage system, file permissions, file content, file permissions, registry key existence, registry key permissions, registry values, system software versions, kernel software versions, system variables, network configuration, hardware configuration, data structures within the operating system kernel, hardware state, processor states, database configuration, database content, and user permission levels. For security purposes, system auditing, or system compliance checking, there is a need to quickly and with minimal impact capture and analyze the state of a system.
The present state of the art uses individual software agents installed on each processing system to capture and analyze the system state. However, as discussed below there are several disadvantages to this configuration.
The system shown in FIG. 1A shows one embodiment of a prior art system 100 utilizing a software agent 120A-120C to provide a state check of the processing system. The embodiment of the computational system 100 shown includes system software 110, kernel software 130, the computational hardware 140 on which the system software 110 and kernel software 130 runs, and a storage system 150. The system software 110 includes application software for performing task specific operations. The kernel software 130 typically includes an operating system such an Unix, Linx; Microsoft NT, XP, Windows Vista®, and Windows Server® operating systems. The hardware 150 can be based on any commonly found CPU, memory, networking hardware, and other supporting hardware. The agents can be located within the system software, with the kernel, or with the hardware. Usually only one agent is found at either the system, kernel, or hardware level within a system.
In one configuration, an agent 120A located with the system software, is used to capture and analyze the state of the system 100. The agent 120A runs as a separate process(es) or application concurrently with the other system software 110. Disadvantages of a system software based agent 120A is that the agent 120A consumes large amounts of system resources such as CPU processing cycles, storage system bandwidth, and storage system space for taking state snapshots. Further, if the agent runs in parallel with the system software, the system configuration could change while capturing the system state and thus the agent can only report the system state at points within a potentially large time window. A further disadvantage of a system software based agent is that such an agent is limited in the scope of system state information that can be analyzed. A system software based agent 120A does not have access to the operating system kernel data structures and thus has limited ability to analyze the state of the kernel, or evaluate the kernel for viruses or root kits.
In a second configuration, a kernel based agent 120B is used to capture and analyze the state of the system 100. This configuration enables the agent to check a broader scope of state information including checks on the kernel data structures. However, this configuration has the same drawbacks as the first configuration. Specifically, the kernel based agent 120B consumes a significant amount of CPU cycles, storage system bandwidth, and storage space.
In a third configuration, a hardware based agent 120C is used to capture and analyze the state information of the system. A hardware board agent 120C is connected to the hardware 140. When a state check is to be performed, the hardware board agent 120C stops the processor and examines files, registries, system software states, and examines kernel data structures. Typically, the computational hardware 140 is stopped during the state snapshot capture and analysis. This implementation has the disadvantage of stopping the CPU and thus the computing system 100 unavailable during the state check. Further, the extra hardware required has the additional disadvantage that the hardware based agent board 120C can reduce the reliability of the system, and increase the power usage. Further, the cost varies with the number of server cards given that an agent board 120C is required for each server card. Further, a hardware board agent can introduce security issues of physically having to gain access to the hardware.
FIG. 1B illustrates a typical prior art data center 100B where many of processing units 110A-110n can be grouped. Each of the processing unit 110A-110n can be a stand alone server or a server blade, each having its own kernel (operating system). Each processor unit 110A-110n has an agent 120A-120n running on the processor. Such a configuration of servers has two drawbacks. First, each of the agents consumes a large amount of computational processing power for each processor. Secondly, the installation, maintenance, and update of hundreds of agents 120A-120n can be costly and time consuming.
FIG. 1C illustrates another prior art configuration 100C of processing units running guest machines 160A-160n. A guest machine 160 typically includes application software and a kernel that interfaces with the computational hardware and system resources through the virtual machine layer 170. The virtual machine layer 170 makes it appear to each guest machine that it is exclusively running on the hardware 180. Again each guest machine 160A-160n has agent software 120A-120n, each of which demands from the hardware 180 computation processing power to execute, and the time and expense to install, maintain, and upgrade. The drain on system resources, processing power and time for maintenance increases linearly with each additional guest machine. This configuration does not provide economies of scale with an increasing number of guest machines.
What is needed is a means to analyze the state of an electronic system with minimal impact to a performance of the system, a state analysis solution that is easy to maintain, and does not reduce the reliability of a system.