User behavioral analytics for security anomaly detection in industrial control systems
US-2022191227-A1 · Jun 16, 2022 · US
US11770395B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11770395-B2 |
| Application number | US-202117446448-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 30, 2021 |
| Priority date | Nov 5, 2020 |
| Publication date | Sep 26, 2023 |
| Grant date | Sep 26, 2023 |
Official abstract text for this publication.
An information processing apparatus according to an embodiment includes a list storage unit and processor. The list storage unit stores therein allow lists for module processing types, and each allow list describes an execution-permitted system operation. The processor functions as an operation detecting unit, a process specifying unit, a log specifying unit, a type specifying unit, and an output unit. The operation detecting unit detects execution of any of system operations. The process specifying unit specifies a target process that has executed execution-detected system operation. The log specifying unit specifies a target operation log. The type specifying unit specifies a type of target module processing that executed execution-detected system operation by analyzing the target operation log. The output unit outputs anomaly information when the allow list for the target module processing type does not include the execution-detected system operation.
Opening claim text (preview).
What is claimed is: 1. An information processing apparatus comprising: a hardware processor configured to execute an operating system and execute application computer program under control of the operating system; and a list storage device configured to store therein an allow list for each application computer program for each type of module processing, the allow list describing an execution-permitted system operation, the module processing being processing executed with a computer program component managed with the operating system, the system operation being an operation calling a function incorporated in the operating system and causing the function to execute processing in the process, wherein the processor is configured to: detect that any of system operations is executed; specify a target process serving as a process that has executed execution-detected system operation, the process being processing executed with an application computer program being executed; specify a target operation log serving as an operation log indicating history of a processing content of the target process; specify a type of target module processing serving as the module processing that has executed the execution-detected system operation, by analyzing the target operation log; and output anomaly information indicating that an anomaly occurs, when the allow list for the type of the target module processing of the application computer program corresponding to the target process does not include the execution-detected system operation; the list storage device stores therein the allow list for one of predetermined specific types or each of two or more of the predetermined specific types of the module processing and the allow list for a general type; the general type is a type indicating all types that are not included in one of the specific types or two or more of the specific types, in a unified manner; in the process, at starting of the module processing, the processor records start information indicating the type of the module processing and indicating that the module processing is started on the operation log, and at finishing of the module processing, the processor records finish information indicating the type of the module processing and indicating that the module processing is finished on the operation log; and in specifying the type of the target module processing, the processor detects last start information serving as the start information lastly recorded on the target operation log, specifies the type of the target module processing as the type of the module processing corresponding to the last start information, when the type of the module processing corresponding to the last start information is the one of the specific types or the two or more of the specific types and the finish information of the module processing corresponding to the last start information does not exist after the last start information, and specifies the type of the target module processing as the general type, when the type of the module processing corresponding to the last start information is not one of the specific types or two or more of the specific types or the finish information of the module processing corresponding to the last start information exists after the last start information.

2. The information processing apparatus according to claim 1, wherein in detecting that the system operation is executed, the processor detects that a specific system operation serving as the system operation determined in advance is executed, and specifies a processing target for the specific system operation execution of which is detected, the allow list describes sets each composed of the execution-permitted system operation and the processing target for which the system operation is permitted, and in outputting the anomaly information, the processor outputs the anomaly information when the allow list for the type of the target module processing does not include a set of the execution-detected system operation and the specified processing target.

3. A computer program product having a non-transitory computer readable medium including programmed instructions, wherein the instructions, when executed by an information processing apparatus including a processor configured to execute an operating system and execute application computer programs under control of the operating system, and a list storage configured to store therein an allow list for each application computer program and for each type of module processing, the allow list describing an execution-permitted system operation, cause the processor to function as a monitoring device and cause the processor to perform: detecting that any of system operations is executed; specifying a target process serving as a process that has executed execution-detected system operation, the process being processing executed with an application computer program being executed; specifying a target operation log serving as an operation log indicating history of a processing content of the target process; specifying a type of target module processing serving as the module processing that has executed the execution-detected system operation, by analyzing the target operation log, the module processing being processing executed with a computer program component managed with the operating system, the system operation being an operation calling a function incorporated in the operating system and causing the function to execute processing in the process; and outputting anomaly information indicating that an anomaly occurs, when the allow list for the type of the target module processing of the application computer program corresponding to the target process does not include the execution-detected system operation, wherein the list storage stores therein the allow list for one of predetermined specific types or each of two or more of the predetermined specific types of the module processing and the allow list for a general type; the general type is a type indicating all types that are not included in one of the specific types or two or more of the specific types, in a unified manner; in the process, the instructions cause the processor to perform: at starting of the module processing, recording start information indicating the type of the module processing and indicating that the module processing is started on the operation log, and at finishing of the module processing, recording finish information indicating the type of the module processing and indicating that the module processing is finished on the operation log; and in specifying the type of the target module processing, the instructions cause the processor to perform: detecting last start information serving as the start information lastly recorded on the target operation log, specifying the type of the target module processing as the type of the module processing corresponding to the last start information, when the type of the module processing corresponding to the last start information is the one of the specific types or the two or more of the specific types and the finish information of the module processing corresponding to the last start information does not exist after the last start information, and specifying the type of the target module processing as the general type, when the type of the module processing corresponding to the last start information is not one of the specific types or two or more of the specific types or the finish information of the module processing corresponding to the last start information exists after the last start information.

4. An information processing system comprising: an information processing apparatus; one or more target devices; and a controller configured to control one or more of the target devi
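The type-resolution and allow-list check that claims 1 and 2 describe, written out as an added example (not code from the patent or its assignee): the last start record on a process's operation log decides the module type only while no matching finish record follows it, and otherwise the operation is judged against the general-type list. The log record format, the type names and the sample allow lists are constructed assumptions.

```python
from dataclasses import dataclass

GENERAL = "general"  # unified type for every module processing outside the specific types

@dataclass(frozen=True)
class LogEntry:
    """One record on a process's operation log (format is an assumption)."""
    kind: str        # "start", "finish", or any other recorded processing content
    mtype: str = ""  # module processing type, for start/finish records

def target_module_type(op_log, specific_types):
    """Type of the module processing that executed the detected system operation.

    Per the claims: take the last start record; it decides the type only if its
    type is a specific one and no finish record for that type follows it.
    Otherwise the operation is attributed to the general type.
    """
    last = max((i for i, e in enumerate(op_log) if e.kind == "start"), default=None)
    if last is None or op_log[last].mtype not in specific_types:
        return GENERAL
    if any(e.kind == "finish" and e.mtype == op_log[last].mtype for e in op_log[last + 1:]):
        return GENERAL
    return op_log[last].mtype

def check_operation(allow_lists, program, op_log, operation, target=None):
    """Return anomaly info (a dict) when the (operation, target) set is absent from
    the allow list of the module type that executed it, else None.
    allow_lists[program][module_type] is a set of (operation, target) pairs (claim 2)."""
    per_type = allow_lists[program]
    mtype = target_module_type(op_log, set(per_type) - {GENERAL})
    if (operation, target) in per_type.get(mtype, set()):
        return None
    return {"program": program, "module_type": mtype,
            "operation": operation, "target": target}

# Constructed sample data: a control application whose plugin module alone may
# write its log file and talk to the PLC; all other code may only read the config.
ALLOW = {"ctrl_app": {
    "plugin_x": {("file_write", "/var/log/ctrl.log"), ("socket_send", "plc-1:502")},
    GENERAL: {("file_read", "/etc/ctrl.conf")},
}}
LOG_IN_PLUGIN = [LogEntry("start", "plugin_x"), LogEntry("io")]
LOG_AFTER_PLUGIN = LOG_IN_PLUGIN + [LogEntry("finish", "plugin_x")]

if __name__ == "__main__":
    print(check_operation(ALLOW, "ctrl_app", LOG_IN_PLUGIN, "file_write", "/var/log/ctrl.log"))
    print(check_operation(ALLOW, "ctrl_app", LOG_AFTER_PLUGIN, "file_write", "/var/log/ctrl.log"))
```

The second call reports an anomaly because the same file write, issued after the plugin's finish record, is judged against the general-type list rather than the plugin's.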
Traffic logging, e.g. anomaly detection · CPC title
Access control lists [ACL] · CPC title