Seeing the title, you may say: just use lsof. If it were that simple, why would I bother writing this? In some scenarios neither lsof nor strace can tell you which files a particular process has accessed, or is accessing right now, and that is where sysdig comes in. An earlier post covered sysdig's basic syntax; today we look at how to find out which files a given process is accessing. Consider this a starting point.

Take, for example, the system information displayed when you log in to Ubuntu. On CentOS this is easy: it is simply the contents of /etc/motd. Ubuntu, however, generates it dynamically; every login shows the current system load, CPU, disk usage and so on:

Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Apr 28 14:31:27 UTC 2016

  System load:  0.06              Processes:           142
  Usage of /:   88.2% of 7.74GB   Users logged in:     1
  Memory usage: 40%               IP address for eth0: *.*.*.*
  Swap usage:   0%

  => / is using 88.2% of 7.74GB

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

*** System restart required ***
Last login: Thu Apr 28 14:31:28 2016 from *.*.*.*

If you are curious how the system produces this banner, strace could be used, but today we use sysdig to analyse the login: which calls sshd makes and which scripts it reads to generate the text at the top.

First, in one shell, start a capture:

sysdig -w sshd.scap

Then log in to the system from a second shell. Once the login completes, interrupt the sysdig command and read the capture back:

sysdig -pc -A -r sshd.scap

The output looks like this:

79 14:32:07.130531917 0 host (host) sshd (22765:22765) < select res=1
80 14:32:07.130535457 0 host (host) sshd (22765:22765) > rt_sigprocmask
81 14:32:07.130536595 0 host (host) sshd (22765:22765) < rt_sigprocmask
82 14:32:07.130536896 0 host (host) sshd (22765:22765) > rt_sigprocmask
83 14:32:07.130537157 0 host (host) sshd (22765:22765) < rt_sigprocmask
84 14:32:07.130539435 0 host (host) sshd (22765:22765) > clock_gettime
85 14:32:07.130540163 0 host (host) sshd (22765:22765) < clock_gettime
86 14:32:07.130543216 0 host (host) sshd (22765:22765) > read fd=3(<4t>114.248.207.97:12148->My serverIP:**) size=16384
87 14:32:07.130551426 0 host (host) sshd (22765:22765) < read res=52 data=
%v+R%oN<vV74xB2zkX
6
2
88 14:32:07.130565762 0 host (host) sshd (22765:22765) > clock_gettime
89 14:32:07.130566078 0 host (host) sshd (22765:22765) < clock_gettime
90 14:32:07.130567618 0 host (host) sshd (22765:22765) > select
91 14:32:07.130569947 0 host (host) sshd (22765:22765) < select res=1
92 14:32:07.130570300 0 host (host) sshd (22765:22765) > rt_sigprocmask
93 14:32:07.130570536 0 host (host) sshd (22765:22765) < rt_sigprocmask
94 14:32:07.130570785 0 host (host) sshd (22765:22765) > rt_sigprocmask
95 14:32:07.130571005 0 host (host) sshd (22765:22765) < rt_sigprocmask
96 14:32:07.130571285 0 host (host) sshd (22765:22765) > clock_gettime
97 14:32:07.130571553 0 host (host) sshd (22765:22765) < clock_gettime
98 14:32:07.130572239 0 host (host) sshd (22765:22765) > write fd=9(<f>/dev/ptmx) size=1
99 14:32:07.130578512 0 host (host) sshd (22765:22765) < write res=1 data=
100 14:32:07.130579618 0 host (host) sshd (22765:22765) > clock_gettime
101 14:32:07.130579908 0 host (host) sshd (22765:22765) < clock_gettime
102 14:32:07.130580347 0 host (host) sshd (22765:22765) > select
103 14:32:07.130582388 0 host (host) sshd (22765:22765) > switch next=46 pgft_maj=0 pgft_min=303 vm_size=103780 vm_rss=1888 vm_swap=0
104 14:32:07.130592298 0 host (host) sshd (22765:22765) < select res=1
105 14:32:07.130592681 0 host (host) sshd (22765:22765) > rt_sigprocmask
106 14:32:07.130592900 0 host (host) sshd (22765:22765) < rt_sigprocmask
107 14:32:07.130593139 0 host (host) sshd (22765:22765) > rt_sigprocmask
108 14:32:07.130593322 0 host (host) sshd (22765:22765) < rt_sigprocmask
109 14:32:07.130593653 0 host (host) sshd (22765:22765) > clock_gettime
110 14:32:07.130593836 0 host (host) sshd (22765:22765) < clock_gettime
111 14:32:07.130594664 0 host (host) sshd (22765:22765) > read fd=11(<f>/dev/ptmx) size=16384
112 14:32:07.130596295 0 host (host) sshd (22765:22765) < read res=2 data=

For comparison, tracing with strace -e read gives the output below. There is no way to tell which file each read comes from; it is just a pile of system calls on numbered descriptors.

Warning: Permanently added '[52.192.*.*]:ssh port' (RSA) to the list of known hosts.
read(3, "\226f\27H|\304%\247\203\326z\243\345\361\21\350 \24\2669\365\334]g\361kj\300\347\215\361\247"..., 8192) = 48
read(3, "\235r\257P\217\274^\303\262\314\352\315\376\17\214\317\373\202\373\314\220d\223\276\344\35\271s\1\305\35\372"..., 8192) = 48
read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 1675
read(3, "\204\357\350\362\362\0312\377\344\335\312\333\220\237Z_Z\367H\312\1\r\242\322\300:\243\350\275 =\22", 8192) = 32
read(3, "\333\f\277\212\342\342\264n?,N\324'\255 Q\243wY[\224\17WVzM\200]X\23\354)"..., 8192) = 48
read(3, "\360\336\244\3112\372\314\327\317\27>\21\335\204\36368u\227n\370n4C!W\360\4i~n\305"..., 8192) = 112
read(3, "\177\204^x\v8n\322\300\17\3579\344\353\nv[\301a\7\3}\240dS\36\310\216P\23\276\351"..., 8192) = 816
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Apr 29 08:18:15 UTC 2016

  System load:  0.0               Processes:           138
  Usage of /:   88.5% of 7.74GB   Users logged in:     1
  Memory usage: 38%               IP address for eth0: *.*.*.*
  Swap usage:   0%

sysdig captured 5256 system calls during the login; clearly we do not have time to go through them line by line.

Now think about it: since the text ends up on the terminal, some event must have read it from a file. Let's try restricting the output to the file-related events of sshd and printing only the user, event type and path:

# sysdig -r sshlogin.scap -p   "%user.name  %evt.type=stat %evt.arg.name" proc.name=sshd
root  open=stat /proc/self/oom_score_adj
root  access=stat /etc/ld.so.nohwcap
root  access=stat /etc/ld.so.preload
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libwrap.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libaudit.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libpam.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libselinux.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /usr/lib/x86_64-linux-gnu/libck-connector.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libdbus-1.so.3
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libutil.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libz.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libcrypt.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
root  access=stat /etc/ld.so.nohwcap
root  open=stat /usr/lib/x86_64-linux-gnu/libkrb5.so.3
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libcom_err.so.2
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libc.so.6
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnsl.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libdl.so.2
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libpcre.so.3
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libpthread.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/librt.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /usr/lib/x86_64-linux-gnu/libk5crypto.so.3
root  access=stat /etc/ld.so.nohwcap
root  open=stat /usr/lib/x86_64-linux-gnu/libkrb5support.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libkeyutils.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libresolv.so.2
root  open=stat /proc/filesystems
root  open=stat /dev/null
root  openat=stat /proc/2522/fd
root  open=stat /usr/lib/ssl/openssl.cnf
root  open=stat /dev/urandom
root  open=stat /etc/gai.conf
root  open=stat /etc/nsswitch.conf
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnss_compat.so.2
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnss_nis.so.2
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnss_files.so.2
root  open=stat /etc/passwd
root  open=stat /etc/ssh/ssh_host_rsa_key
root  open=stat /etc/ssh/ssh_host_rsa_key
root  open=stat /etc/ssh/ssh_host_rsa_key
root  open=stat /etc/ssh/ssh_host_rsa_key
root  open=stat /etc/ssh/ssh_host_rsa_key.pub
root  open=stat /etc/ssh/ssh_host_dsa_key
root  open=stat /etc/ssh/ssh_host_dsa_key
root  open=stat /etc/ssh/ssh_host_dsa_key
root  open=stat /etc/ssh/ssh_host_dsa_key
root  open=stat /etc/ssh/ssh_host_dsa_key.pub
root  open=stat /etc/ssh/ssh_host_ecdsa_key
root  open=stat /etc/ssh/ssh_host_ecdsa_key
root  open=stat /etc/ssh/ssh_host_ecdsa_key
root  open=stat /etc/ssh/ssh_host_ecdsa_key
root  open=stat /etc/ssh/ssh_host_ecdsa_key.pub
root  open=stat /etc/ssh/ssh_host_ed25519_key
root  open=stat /etc/ssh/ssh_host_ed25519_key
root  open=stat /etc/ssh/ssh_host_ed25519_key
root  open=stat /etc/ssh/ssh_host_ed25519_key
root  open=stat /etc/ssh/ssh_host_ed25519_key.pub
root  open=stat /dev/null
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/tls/x86_64/libnss_db.so.2
root  open=stat /lib/x86_64-linux-gnu/tls/libnss_db.so.2
root  open=stat /lib/x86_64-linux-gnu/x86_64/libnss_db.so.2
root  open=stat /lib/x86_64-linux-gnu/libnss_db.so.2
root  open=stat /usr/lib/x86_64-linux-gnu/tls/x86_64/libnss_db.so.2
root  open=stat /usr/lib/x86_64-linux-gnu/tls/libnss_db.so.2
root  open=stat /usr/lib/x86_64-linux-gnu/x86_64/libnss_db.so.2
root  open=stat /usr/lib/x86_64-linux-gnu/libnss_db.so.2
root  open=stat /lib/tls/x86_64/libnss_db.so.2
root  open=stat /lib/tls/libnss_db.so.2
root  open=stat /lib/x86_64/libnss_db.so.2
root  open=stat /lib/libnss_db.so.2
root  open=stat /usr/lib/tls/x86_64/libnss_db.so.2
root  open=stat /usr/lib/tls/libnss_db.so.2
root  open=stat /usr/lib/x86_64/libnss_db.so.2
root  open=stat /usr/lib/libnss_db.so.2
root  open=stat /etc/protocols
root  open=stat /etc/hosts.allow
root  open=stat /etc/hosts.deny
root  open=stat /etc/passwd
root  open=stat /etc/pam.d/sshd
root  open=stat /etc/pam.d/common-auth
root  open=stat /lib/x86_64-linux-gnu/security/pam_unix.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_deny.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_permit.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_cap.so
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libcap.so.2
root  open=stat /lib/x86_64-linux-gnu/security/pam_nologin.so
root  open=stat /etc/pam.d/common-account
root  open=stat /lib/x86_64-linux-gnu/security/pam_selinux.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_loginuid.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_keyinit.so
root  open=stat /etc/pam.d/common-session
root  open=stat /lib/x86_64-linux-gnu/security/pam_umask.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_systemd.so
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libcgmanager.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnih.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnih-dbus.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libpam_misc.so.0
root  open=stat /lib/x86_64-linux-gnu/security/pam_motd.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_mail.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_limits.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_env.so
root  open=stat /etc/pam.d/common-password
root  open=stat /etc/pam.d/other
root  open=stat /etc/pam.d/common-auth
root  open=stat /etc/pam.d/common-account
root  open=stat /etc/pam.d/common-password
root  open=stat /etc/pam.d/common-session
root  open=stat /proc/sys/kernel/ngroups_max
root  open=stat /etc/group
ubuntu  open=stat /home/ubuntu/.ssh/authorized_keys
ubuntu  open=stat /home/ubuntu/.ssh/authorized_keys
root  open=stat /var/run/nologin
root  open=stat /etc/nologin
root  open=stat /etc/login.defs
root  open=stat /etc/passwd
root  open=stat /etc/shadow
root  open=stat /etc/localtime
root  open=stat /etc/security/capability.conf
root  open=stat /etc/passwd
root  open=stat /proc/self/uid_map
root  open=stat /proc/self/loginuid
root  open=stat /etc/passwd
root  open=stat /etc/login.defs
root  open=stat /etc/login.defs
root  open=stat /etc/passwd
root  open=stat /etc/group
root  open=stat /etc/login.defs
root  access=stat /var/run/utmpx
root  open=stat /var/run/utmp
root  access=stat /proc/vz
root  open=stat /proc/1/environ
root  open=stat /proc/self/loginuid
root  open=stat /etc/passwd
root  open=stat /run/motd.dynamic
root  open=stat /etc/passwd
root  open=stat /etc/motd
root  open=stat /etc/passwd
root  open=stat /etc/passwd
root  open=stat /etc/passwd
root  open=stat /proc/1/limits
root  open=stat /etc/security/limits.conf
root  openat=stat /etc/security/limits.d
root  open=stat /etc/security/pam_env.conf
root  open=stat /etc/environment
root  open=stat /etc/security/pam_env.conf
root  open=stat /etc/default/locale
root  open=stat /etc/passwd
root  open=stat /proc/sys/kernel/ngroups_max
root  open=stat /etc/group
root  open=stat /etc/security/capability.conf
root  open=stat /dev/ptmx
root  open=stat /etc/group
root  open=stat /dev/pts/8
root  open=stat /etc/group
root  open=stat /etc/passwd
root  open=stat /var/log/lastlog
root  open=stat /etc/passwd
root  access=stat /var/run/utmpx
root  open=stat /var/run/utmp
root  access=stat /var/run/utmpx
root  open=stat /var/run/utmp
root  access=stat /var/log/wtmpx
root  open=stat /var/log/wtmp
root  open=stat /var/log/lastlog
root  open=stat /dev/null
ubuntu  open=stat /dev/tty
ubuntu  open=stat /dev/tty
ubuntu  open=stat /dev/pts/8
ubuntu  open=stat /dev/tty
ubuntu  open=stat /etc/motd
ubuntu  openat=stat /proc/2577/fd
ubuntu  openat=stat /proc/2577/fd

This narrows things down a lot, but it is still not obvious. Recalling that CentOS uses motd, can we grep for it and see whether Ubuntu uses that file too? grep turns up /run/motd.dynamic; cat it, and it turns out the information displayed at login is exactly the contents of this file.

Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Apr 28 14:31:27 UTC 2016

  System load:  0.06              Processes:           142
  Usage of /:   88.2% of 7.74GB   Users logged in:     1
  Memory usage: 40%               IP address for eth0: *.*.*.*
  Swap usage:   0%

  => / is using 88.2% of 7.74GB

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

*** System restart required ***
Last login: Thu Apr 28 14:31:28 2016 from *.*.*.*

One more question remains: the usage figures obviously change, so some script must be producing them. Keep digging: dump the whole capture and grep for motd to see what turns up.

# sysdig -r sshlogin.scap | grep motd -C 3
2567 14:32:14.453662940 0 sshd (2522) > munmap addr=7F3CEBBFF000 length=4096
2568 14:32:14.453665562 0 sshd (2522) < munmap res=0 vm_size=94184 vm_rss=3508 vm_swap=0
2569 14:32:14.453676315 0 sshd (2522) > open
2570 14:32:14.453679373 0 sshd (2522) < open fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) name=/lib/x86_64-linux-gnu/security/pam_motd.so flags=4097(O_RDONLY|O_CLOEXEC) mode=0
2571 14:32:14.453679998 0 sshd (2522) > read fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) size=832
2572 14:32:14.453681260 0 sshd (2522) < read res=832 data=.ELF..............>.....@.......@........!..........@.8...@.....................
2573 14:32:14.453681858 0 sshd (2522) > fstat fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so)
2574 14:32:14.453682473 0 sshd (2522) < fstat res=0
2575 14:32:14.453684015 0 sshd (2522) > mmap addr=0 length=2105552 prot=5(PROT_READ|PROT_EXEC) flags=1026(MAP_PRIVATE|MAP_DENYWRITE) fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) offset=0
2576 14:32:14.453686215 0 sshd (2522) < mmap res=7F3CE5BEE000 vm_size=96244 vm_rss=3508 vm_swap=0
2577 14:32:14.453686548 0 sshd (2522) > mprotect
2578 14:32:14.453690064 0 sshd (2522) < mprotect
2579 14:32:14.453690354 0 sshd (2522) > mmap addr=7F3CE5DEF000 length=8192 prot=3(PROT_READ|PROT_WRITE) flags=1030(MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE) fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) offset=4096
2580 14:32:14.453691950 0 sshd (2522) < mmap res=7F3CE5DEF000 vm_size=96244 vm_rss=3508 vm_swap=0
2581 14:32:14.453697792 0 sshd (2522) > close fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so)
2582 14:32:14.453698076 0 sshd (2522) < close res=0
2583 14:32:14.453713939 0 sshd (2522) > mprotect
2584 14:32:14.453715545 0 sshd (2522) < mprotect
--
3639 14:32:15.167518124 0 sshd (2522) > close fd=6
3640 14:32:15.167518479 0 sshd (2522) < close res=0
3641 14:32:15.167522234 0 sshd (2522) > open
3642 14:32:15.167524929 0 sshd (2522) < open fd=5(<f>/run/motd.dynamic) name=/run/motd.dynamic flags=1(O_RDONLY) mode=0
3643 14:32:15.167525595 0 sshd (2522) > fstat fd=5(<f>/run/motd.dynamic)
3644 14:32:15.167526099 0 sshd (2522) < fstat res=0
3645 14:32:15.167527088 0 sshd (2522) > read fd=5(<f>/run/motd.dynamic) size=689
3646 14:32:15.167528549 0 sshd (2522) < read res=689 data=Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64).. * Documenta
3647 14:32:15.167535024 0 sshd (2522) > close fd=5(<f>/run/motd.dynamic)
3648 14:32:15.167535286 0 sshd (2522) < close res=0
3649 14:32:15.167538617 0 sshd (2522) > open
3650 14:32:15.167540301 0 sshd (2522) < open fd=5(<f>/etc/passwd) name=/etc/passwd flags=4097(O_RDONLY|O_CLOEXEC) mode=0
--
3677 14:32:15.167585056 0 sshd (2522) > setfsuid
3678 14:32:15.167585456 0 sshd (2522) < setfsuid
3679 14:32:15.167587108 0 sshd (2522) > stat
3680 14:32:15.167589378 0 sshd (2522) < stat res=0 path=/home/ubuntu/.cache/motd.legal-displayed
3681 14:32:15.167590221 0 sshd (2522) > setfsuid
3682 14:32:15.167590660 0 sshd (2522) < setfsuid
3683 14:32:15.167590896 0 sshd (2522) > setfsuid
--
3689 14:32:15.167592585 0 sshd (2522) > setgroups
3690 14:32:15.167592979 0 sshd (2522) < setgroups
3691 14:32:15.167593583 0 sshd (2522) > stat
3692 14:32:15.167594490 0 sshd (2522) < stat res=0 path=/etc/update-motd.d
3693 14:32:15.167594955 0 sshd (2522) > umask
3694 14:32:15.167595127 0 sshd (2522) < umask
3695 14:32:15.167595807 0 sshd (2522) > rt_sigaction
--
3719 14:32:15.486395463 0 sshd (2522) < rt_sigprocmask
3720 14:32:15.486395830 0 sshd (2522) > signaldeliver spid=2524(sshd) dpid=2522(sshd) sig=17(SIGCHLD)
3721 14:32:15.486397094 0 sshd (2522) > rename
3722 14:32:15.486406310 0 sshd (2522) < rename res=0 oldpath=/run/motd.dynamic.new newpath=/run/motd.dynamic
3723 14:32:15.486407475 0 sshd (2522) > umask
3724 14:32:15.486407696 0 sshd (2522) < umask
3725 14:32:15.486408160 0 sshd (2522) > open
3726 14:32:15.486409719 0 sshd (2522) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
3727 14:32:15.486420788 0 sshd (2522) > open
3728 14:32:15.486422469 0 sshd (2522) < open fd=5(<f>/etc/passwd) name=/etc/passwd flags=4097(O_RDONLY|O_CLOEXEC) mode=0
3729 14:32:15.486423926 0 sshd (2522) > lseek fd=5(<f>/etc/passwd) offset=0 whence=1(SEEK_CUR)
--
3755 14:32:15.486459796 0 sshd (2522) > setfsuid
3756 14:32:15.486460106 0 sshd (2522) < setfsuid
3757 14:32:15.486461896 0 sshd (2522) > stat
3758 14:32:15.486464760 0 sshd (2522) < stat res=0 path=/home/ubuntu/.cache/motd.legal-displayed
3759 14:32:15.486465455 0 sshd (2522) > setfsuid
3760 14:32:15.486465892 0 sshd (2522) < setfsuid
3761 14:32:15.486466132 0 sshd (2522) > setfsuid
--
4731 14:32:16.770878160 0 sshd (2577) > write fd=1(<f>/dev/pts/8) size=58
4732 14:32:16.770878954 0 sshd (2577) < write res=58 data=Last login: Thu Apr 28 14:31:28 2016 from 114.248.207.97..
4733 14:32:16.770886266 0 sshd (2577) > open
4734 14:32:16.770888442 0 sshd (2577) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
4735 14:32:16.770928234 0 sshd (2577) > getuid
4736 14:32:16.770928930 0 sshd (2577) < getuid uid=1000(ubuntu)
4737 14:32:16.770929589 0 sshd (2577) > geteuid
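Reading the grep output above, and the earlier -p listing, by eye does not scale: the same path shows up many times, the path of an open/openat sits in name=, that of a stat in path=, a rename carries oldpath= and newpath=, and for read/write/close the path is only visible on the enter line where sysdig resolves the fd. The script below is an added example (not code from the original post or from the sysdig project) that post-processes the plain text printed by sysdig -r so the per-process, per-file picture falls out directly, including files a process tried to open but that did not exist (the ENOENT opens of /etc/motd). The sample lines are copied from the capture output shown in this post; the argument names handled are those that appear in that output.

```python
"""Summarise which files a process touched, from `sysdig -r capture.scap` text output.

Added example, not code from the original post or from sysdig itself.  It works
on the printed event lines, so it runs offline; the SAMPLE lines below are
copied from the capture output shown in the post.
"""
import re
from collections import defaultdict

# One event line.  Both the default layout ("2567 14:32:14.45 0 sshd (2522) > open")
# and the container-aware -pc layout ("79 14:32:07.13 0 host (host) sshd (22765:22765) < select")
# are accepted: the process field is everything before the final "(pid[:tid])".
EVENT_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<ts>\S+)\s+(?P<cpu>\d+)\s+(?P<proc>.+?)\s+"
    r"\((?P<pid>\d+)(?::\d+)?\)\s+(?P<dir>[<>])\s+(?P<evt>\w+)\s*(?P<args>.*)$"
)
ARG_RE = re.compile(r"(\w+)=(\S+)")                   # key=value arguments (paths are unquoted)
FD_RE = re.compile(r"fd=(-?\d+)\((<\w+>)?([^)]*)\)")  # fd=5(<f>/run/motd.dynamic) or fd=-2(ENOENT)

# Path-carrying events and the argument holding the path on their exit ("<") line,
# using the argument names as they appear in the post's capture.
PATH_ARGS = {
    "open": ("name",), "openat": ("name",), "access": ("name",),
    "stat": ("path",), "rename": ("oldpath", "newpath"),
}
# fd-based events: sysdig prints the resolved fd target on the enter (">") line only.
FD_EVENTS = {"read", "write", "fstat", "close", "mmap"}


def parse_event(line):
    """Split one sysdig output line into its fields; None for lines that are not events."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["proc"] = ev["proc"].split()[-1]  # drop the "host (host)" prefix of -pc output
    return ev


def _error_name(value):
    """'-2(ENOENT)' -> 'ENOENT'; a bare '-2' is returned unchanged."""
    return value[value.find("(") + 1:-1] if "(" in value else value


def file_targets(ev):
    """Yield (path, error) pairs for one event; error is None when the call succeeded."""
    evt, args = ev["evt"], ev["args"]
    if evt in PATH_ARGS and ev["dir"] == "<":
        kv = dict(ARG_RE.findall(args))
        fd = FD_RE.search(args)
        err = None
        if fd and int(fd.group(1)) < 0:           # open/openat report failure in the fd field
            err = fd.group(3) or fd.group(1)
        elif kv.get("res", "0").startswith("-"):  # stat/access/rename report it in res
            err = _error_name(kv["res"])
        for key in PATH_ARGS[evt]:
            if key in kv:
                yield kv[key], err
    elif evt in FD_EVENTS and ev["dir"] == ">":
        fd = FD_RE.search(args)
        if fd and fd.group(2) == "<f>":           # regular files only; sockets show as <4t> etc.
            yield fd.group(3), None


def summarize(lines):
    """Return {(proc, pid): {path: {"ops": {event: count}, "errors": [error names]}}}."""
    acc = defaultdict(lambda: defaultdict(lambda: {"ops": defaultdict(int), "errors": []}))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for path, err in file_targets(ev):
            entry = acc[(ev["proc"], ev["pid"])][path]
            entry["ops"][ev["evt"]] += 1
            if err:
                entry["errors"].append(err)
    return {k: {p: {"ops": dict(e["ops"]), "errors": e["errors"]} for p, e in v.items()}
            for k, v in acc.items()}


def missing_files(summary):
    """Paths a process tried to open or stat that did not exist: worth a look during IR."""
    return sorted({p for paths in summary.values() for p, e in paths.items()
                   if "ENOENT" in e["errors"]})


# Constructed sample: event lines copied from the post's sysdig output.
SAMPLE = """\
98 14:32:07.130572239 0 host (host) sshd (22765:22765) > write fd=9(<f>/dev/ptmx) size=1
2570 14:32:14.453679373 0 sshd (2522) < open fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) name=/lib/x86_64-linux-gnu/security/pam_motd.so flags=4097(O_RDONLY|O_CLOEXEC) mode=0
2571 14:32:14.453679998 0 sshd (2522) > read fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) size=832
3642 14:32:15.167524929 0 sshd (2522) < open fd=5(<f>/run/motd.dynamic) name=/run/motd.dynamic flags=1(O_RDONLY) mode=0
3645 14:32:15.167527088 0 sshd (2522) > read fd=5(<f>/run/motd.dynamic) size=689
3680 14:32:15.167589378 0 sshd (2522) < stat res=0 path=/home/ubuntu/.cache/motd.legal-displayed
3692 14:32:15.167594490 0 sshd (2522) < stat res=0 path=/etc/update-motd.d
3722 14:32:15.486406310 0 sshd (2522) < rename res=0 oldpath=/run/motd.dynamic.new newpath=/run/motd.dynamic
3726 14:32:15.486409719 0 sshd (2522) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
4732 14:32:16.770878954 0 sshd (2577) < write res=58 data=Last login: Thu Apr 28 14:31:28 2016 from 114.248.207.97..
4734 14:32:16.770888442 0 sshd (2577) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
""".splitlines()

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for (proc, pid), paths in sorted(summary.items()):
        print(f"{proc} ({pid})")
        for path, e in sorted(paths.items()):
            ops = ", ".join(f"{k}x{n}" for k, n in sorted(e["ops"].items()))
            print(f"  {path}: {ops}{' MISSING' if 'ENOENT' in e['errors'] else ''}")
    print("missing:", missing_files(summary))
```

In practice you would feed it the full capture with `sysdig -r sshlogin.scap proc.name=sshd | python3 summarize.py` after reading lines from stdin instead of SAMPLE. Two details matter for correctness: fd-based events are taken from the enter line, because the exit line of read/write/close in this output does not repeat the fd, and failed opens are recognised by the negative fd rather than by res=, which is how sysdig prints them for open while stat and rename use res=.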

One of these events stands out as odd. Looking in that directory confirms it: the scripts that produce the Ubuntu login banner all live there.

3692 14:32:15.167594490 0 sshd (2522) < stat res=0 path=/etc/update-motd.d
├── 00-header
├── 10-help-text
├── 50-landscape-sysinfo -> /usr/share/landscape/landscape-sysinfo.wrapper
├── 51-cloudguest
├── 90-updates-available
├── 91-release-upgrade
├── 97-overlayroot
├── 98-fsck-at-reboot
└── 98-reboot-required
0 directories, 9 files

Additions welcome!

Reposted from: https://blog.51cto.com/shanker/1768828
