Enforcing alignment of approved changes and deployed changes in the software change life-cycle

US 7,757,269 B1
Filed: 02/02/2006
Issued: 07/13/2010
Est. Priority Date: 02/02/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

intercepting a host content change request indicating a change to a persistent object on a host;

determining whether the change is authorized, as indicated by a set of change authorization policies;

allowing the change to take effect when the change is authorized;

blocking the change from taking effect when the change is not authorized;

indicating whether the change was a “

create”

, “

delete”

, “

rename”

, “

move”

or “

write”

operation, or whether the change set or modified an attribute of the persistent object;

indicating a time at which the change occurred;

indicating one or more attributes of the changed object after the change takes effect;

indicating information about which end user initiated the change; and

indicating a set of one or more differences for one or more changed portions of the object after the change, wherein each policy in the set of change authorization policies is in the group comprising;

policies indicating a set of persistent objects that can be changed without restriction;

policies indicating a set of users, programs or entities that can make changes to a specified set of persistent objects at any time; and

policies indicating a set of users, programs or entities that can make changes to a specified set of files or directories during one or more specified time windows.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

On a host, host content change requests are intercepted in real-time. In a tracking mode, the change requests are logged and allowed to take effect on the host. In an enforcement mode, the change requests are logged and additionally compared against authorized change policies and a determination is made whether to allow the change to take effect or to block the changes, thereby enforcing the authorized change policies on the host. Tracking and enforcement can be done in real-time. In either mode and at any time, the logged changes can be reconciled against a set of approved change orders in order to identify classes of changes, including changes that were deployed but not approved and changes that were approved but not deployed.

162 Citations

View as Search Results

16 Claims

1. A method, comprising:
- intercepting a host content change request indicating a change to a persistent object on a host;
  
  determining whether the change is authorized, as indicated by a set of change authorization policies;
  
  allowing the change to take effect when the change is authorized;
  
  blocking the change from taking effect when the change is not authorized;
  
  indicating whether the change was a “
  
  create”
  
  , “
  
  delete”
  
  , “
  
  rename”
  
  , “
  
  move”
  
  or “
  
  write”
  
  operation, or whether the change set or modified an attribute of the persistent object;
  
  indicating a time at which the change occurred;
  
  indicating one or more attributes of the changed object after the change takes effect;
  
  indicating information about which end user initiated the change; and
  
  indicating a set of one or more differences for one or more changed portions of the object after the change, wherein each policy in the set of change authorization policies is in the group comprising;
  
  policies indicating a set of persistent objects that can be changed without restriction;
  
  policies indicating a set of users, programs or entities that can make changes to a specified set of persistent objects at any time; and
  
  policies indicating a set of users, programs or entities that can make changes to a specified set of files or directories during one or more specified time windows.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein the determining, the allowing and the blocking are performed in real-time.
  - 3. The method as recited in claim 1, further comprising:
    - logging information about the host content change request.
  - 4. The method as recited in claim 1, wherein:
    - the indicated one or more attributes of the changed object comprise object name, object type, object size, object path, or object permissions; and
      
      the information about which end user initiated the change comprises a user name, user ID or group ID when the change was initiated by a user, or a name of a program or executable file when the change was initiated by a program or executable file.
  - 5. The method as recited in claim 1, further comprising:
    - generating an alert when the change is not authorized.
  - 6. The method as recited in claim 1, wherein the change comprises creating, deleting, moving, renaming, writing to, or modifying an attribute of the persistent object.
  - 7. The method as recited in claim 1, wherein the blocking is performed regardless of any access control privileges an entity attempting the change might possess on the host.
  - 8. The method as recited in claim 1, further comprising:
    - generating a change order for the change when the deployed change is not authorized.
  - 9. The method as recited in claim 8, further comprising:
    - making the change order available to a change approval process.

10. A computer readable medium having computer-executable instructions for tracking of host content changes and enforcement of change authorization policies on a host, the instructions for performing steps comprising:
- intercepting a host content change request indicating a change to a persistent object on the host;
  
  determining whether the change is authorized, as indicated by the set of change authorization policies;
  
  allowing the change to take effect when the change is authorized;
  
  blocking the change from taking effect when the change is not authorized;
  
  indicating whether the change was a “
  
  create”
  
  , “
  
  delete”
  
  , “
  
  rename”
  
  , “
  
  move”
  
  or “
  
  write”
  
  operation, or whether the change set or modified an attribute of the persistent object;
  
  indicating a time at which the change occurred;
  
  indicating one or more attributes of the changed object after the change takes effect;
  
  indicating information about which end user initiated the change; and
  
  indicating a set of one or more differences for one or more changed portions of the object after the change, wherein each policy in the set of change authorization policies is in the group comprising;
  
  policies indicating a set of persistent objects that can be changed without restriction;
  
  policies indicating a set of users, programs or entities that can make changes to a specified set of persistent objects at any time; and
  
  policies indicating a set of users, programs or entities that can make changes to a specified set of files or directories during one or more specified time windows.

11. A computer readable medium comprising data indicating a set of change authorization policies for real-time tracking of host content changes and enforcement of authorized change policies on a host, the change authorization policies indicating one or more of:
- a set of persistent objects that can be changed without restriction;
  
  a set of users, programs or entities that can make changes to a specified set of persistent objects at any time; and
  
  a set of users, programs or entities that can make changes to a specified set of persistent objects during one or more specified time windows, wherein the change authorization policies are for use by an agent for;
  
  intercepting a host content change request indicating a change to a persistent object on the host;
  
  determining whether the change is authorized, as indicated by the set of change authorization policies;
  
  allowing the change to take effect when the change is authorized;
  
  blocking the change from taking effect when the change is not authorized;
  
  indicating whether the change was a “
  
  create”
  
  , “
  
  delete”
  
  , “
  
  rename”
  
  , “
  
  move”
  
  or “
  
  write”
  
  operation, or whether the change set or modified an attribute of the persistent object;
  
  indicating a time at which the change occurred;
  
  indicating one or more attributes of the changed object after the change takes effect;
  
  indicating information about which end user initiated the change; and
  
  indicating a set of one or more differences for one or more changed portions of the object after the change.

12. A host, comprising:
- a management module for managing one or more persistent objects on the host, the management module being configured to interface with a processor and with a controller for;
  
  intercepting a host content change request indicating a change to a persistent object on the host;
  
  determining whether the change is authorized, as indicated by a set of change authorization policies;
  
  allowing the change to take effect when the change is authorized;
  
  blocking the change from taking effect when the change is not authorized, whereby the controller can track host content changes and enforce authorized change policies on the host;
  
  indicating whether the change was a “
  
  create”
  
  , “
  
  delete”
  
  , “
  
  rename”
  
  , “
  
  move”
  
  or “
  
  write”
  
  operation, or whether the change set or modified an attribute of the persistent object;
  
  indicating a time at which the change occurred;
  
  indicating one or more attributes of the changed object after the change takes effect;
  
  indicating information about which end user initiated the change; and
  
  indicating a set of one or more differences for one or more changed portions of the object after the change, wherein each policy in the set of change authorization policies is in the group comprising;
  
  policies indicating a set of persistent objects that can be changed without restriction;
  
  policies indicating a set of users, programs or entities that can make changes to a specified set of persistent objects at any time; and
  
  policies indicating a set of users. programs or entities that can make changes to a specified set of persistent objects during one or more specified time windows.
- View Dependent Claims (13)
- - 13. The host as recited in claim 12, wherein the determining, the allowing and the blocking are performed in real-time.

14. A method to generate a display, on a display device, representing approved change orders and deployed changes on a host, comprising:
- allocating a first portion of the display device to correspond to one or more approved change orders for one or more hosts;
  
  allocating a second portion of the display device to correspond to one or more deployed changes on the one or more hosts;
  
  within the first portion, displaying a shape for each of the approved change orders;
  
  within the second portion, displaying a shape for each of the deployed changes; and
  
  representing each shape in the second portion as matched to a particular shape in the first portion when the deployed change indicated by the shape in the second portion corresponds to the approved change order indicated by the particular shape in the first portion, wherein the representing comprises coloring the particular shape in the first portion and the matched shapes in the second portion with a same color.
- View Dependent Claims (15, 16)
- - 15. The method as recited in claim 14, further comprising:
    - receiving input from a user indicating a particular shape in the first portion; and
      
      modifying the display to highlight a set of one or more shapes in the second portion which indicate deployed changes that correspond to the approved change order represented by the particular shape in the first portion.
  - 16. The method as recited in claim 14, further comprising:
    - receiving input from a user indicating a particular shape in the second portion; and
      
      modifying the display to;
      
      (a) highlight a particular shape in the first portion that indicates an approved change order corresponding to the deployed change indicated by the particular shape in the second portion; and
      
      (b) highlight a set of one or more shapes in the second portion as matching with the highlighted particular shape in the first portion, the set comprising shapes that indicate deployed changes corresponding to the approved change order.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sebes, E. John, Roy-Chowdhury, Rahul, Vaishnav, Jay
Primary Examiner(s)
Song; Hosuk

Application Number

US11/346,741
Time in Patent Office

1,622 Days
Field of Search

713165-167, 726 1- 7, 726 26- 30
US Class Current

726/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/57   Certifying or maintaining t...

G06F 2221/2101   Auditing as a secondary aspect

G06F 8/65   Updates security arrangemen...

G06F 8/70   Software maintenance or man...

G06F 8/71   Version control security ar...

G06Q 10/06   Resources, workflows, human...

H04L 63/102   Entity profiles

H04L 67/34   involving the movement of s...

H04L 67/55   Push-based network services

Enforcing alignment of approved changes and deployed changes in the software change life-cycle

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

162 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing alignment of approved changes and deployed changes in the software change life-cycle

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

162 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links