Seeing the title, you may say "just use lsof". If it were that simple, why would I bother writing this post? In some scenarios neither lsof nor strace can tell you which files a particular process has accessed, or is accessing right now; that is where sysdig comes in. An earlier post covered sysdig's basic syntax; today let's look at how to find out which files a given process is accessing. Treat this as a starting point rather than the last word.
Take the system information shown when you log into an Ubuntu system. On CentOS this is easy: the text simply lives in /etc/motd. Ubuntu, however, generates it dynamically; every login shows the current system load, CPU, disk usage and so on:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Apr 28 14:31:27 UTC 2016

  System load:  0.06              Processes:           142
  Usage of /:   88.2% of 7.74GB   Users logged in:     1
  Memory usage: 40%               IP address for eth0: *.*.*.*
  Swap usage:   0%

  => / is using 88.2% of 7.74GB

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

*** System restart required ***
Last login: Thu Apr 28 14:31:28 2016 from *.*.*.*
Suppose you are curious how the system produces this. strace could be used for the analysis too, but today we will use sysdig to see which system calls sshd makes during the login and which scripts it touches to generate this header.
First, run this in one shell:
sysdig -w sshd.scap
Then log into the system from a second shell. Once the login completes, interrupt the sysdig command and read the capture back:
sysdig -pc -A -r sshd.scap
The output looks like this:
79 14:32:07.130531917 0 host (host) sshd (22765:22765) < select res=1
80 14:32:07.130535457 0 host (host) sshd (22765:22765) > rt_sigprocmask
81 14:32:07.130536595 0 host (host) sshd (22765:22765) < rt_sigprocmask
82 14:32:07.130536896 0 host (host) sshd (22765:22765) > rt_sigprocmask
83 14:32:07.130537157 0 host (host) sshd (22765:22765) < rt_sigprocmask
84 14:32:07.130539435 0 host (host) sshd (22765:22765) > clock_gettime
85 14:32:07.130540163 0 host (host) sshd (22765:22765) < clock_gettime
86 14:32:07.130543216 0 host (host) sshd (22765:22765) > read fd=3(<4t>114.248.207.97:12148->My serverIP:**) size=16384
87 14:32:07.130551426 0 host (host) sshd (22765:22765) < read res=52 data= %v+R%oN<vV74xB2zkX 6 2
88 14:32:07.130565762 0 host (host) sshd (22765:22765) > clock_gettime
89 14:32:07.130566078 0 host (host) sshd (22765:22765) < clock_gettime
90 14:32:07.130567618 0 host (host) sshd (22765:22765) > select
91 14:32:07.130569947 0 host (host) sshd (22765:22765) < select res=1
92 14:32:07.130570300 0 host (host) sshd (22765:22765) > rt_sigprocmask
93 14:32:07.130570536 0 host (host) sshd (22765:22765) < rt_sigprocmask
94 14:32:07.130570785 0 host (host) sshd (22765:22765) > rt_sigprocmask
95 14:32:07.130571005 0 host (host) sshd (22765:22765) < rt_sigprocmask
96 14:32:07.130571285 0 host (host) sshd (22765:22765) > clock_gettime
97 14:32:07.130571553 0 host (host) sshd (22765:22765) < clock_gettime
98 14:32:07.130572239 0 host (host) sshd (22765:22765) > write fd=9(<f>/dev/ptmx) size=1
99 14:32:07.130578512 0 host (host) sshd (22765:22765) < write res=1 data=
100 14:32:07.130579618 0 host (host) sshd (22765:22765) > clock_gettime
101 14:32:07.130579908 0 host (host) sshd (22765:22765) < clock_gettime
102 14:32:07.130580347 0 host (host) sshd (22765:22765) > select
103 14:32:07.130582388 0 host (host) sshd (22765:22765) > switch next=46 pgft_maj=0 pgft_min=303 vm_size=103780 vm_rss=1888 vm_swap=0
104 14:32:07.130592298 0 host (host) sshd (22765:22765) < select res=1
105 14:32:07.130592681 0 host (host) sshd (22765:22765) > rt_sigprocmask
106 14:32:07.130592900 0 host (host) sshd (22765:22765) < rt_sigprocmask
107 14:32:07.130593139 0 host (host) sshd (22765:22765) > rt_sigprocmask
108 14:32:07.130593322 0 host (host) sshd (22765:22765) < rt_sigprocmask
109 14:32:07.130593653 0 host (host) sshd (22765:22765) > clock_gettime
110 14:32:07.130593836 0 host (host) sshd (22765:22765) < clock_gettime
111 14:32:07.130594664 0 host (host) sshd (22765:22765) > read fd=11(<f>/dev/ptmx) size=16384
112 14:32:07.130596295 0 host (host) sshd (22765:22765) < read res=2 data=
Tracing the same login with strace -e read gives the result below. There is no way to tell which file is being read; it is just a pile of system calls.
Warning: Permanently added '[52.192.*.*]:ssh port' (RSA) to the list of known hosts.
read(3, "\226f\27H|\304%\247\203\326z\243\345\361\21\350 \24\2669\365\334]g\361kj\300\347\215\361\247"..., 8192) = 48
read(3, "\235r\257P\217\274^\303\262\314\352\315\376\17\214\317\373\202\373\314\220d\223\276\344\35\271s\1\305\35\372"..., 8192) = 48
read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 1675
read(3, "\204\357\350\362\362\0312\377\344\335\312\333\220\237Z_Z\367H\312\1\r\242\322\300:\243\350\275 =\22", 8192) = 32
read(3, "\333\f\277\212\342\342\264n?,N\324'\255 Q\243wY[\224\17WVzM\200]X\23\354)"..., 8192) = 48
read(3, "\360\336\244\3112\372\314\327\317\27>\21\335\204\36368u\227n\370n4C!W\360\4i~n\305"..., 8192) = 112
read(3, "\177\204^x\v8n\322\300\17\3579\344\353\nv[\301a\7\3}\240dS\36\310\216P\23\276\351"..., 8192) = 816
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Apr 29 08:18:15 UTC 2016

  System load:  0.0               Processes:           138
  Usage of /:   88.5% of 7.74GB   Users logged in:     1
  Memory usage: 38%               IP address for eth0: *.*.*.*
  Swap usage:   0%
sysdig captured 5256 system calls during the login; obviously nobody has time to go through them one line at a time.
Think about it for a moment: since the text ends up on the terminal, the event we want is probably a read of some file. So let's try this:
# sysdig -r sshlogin.scap -p "%user.name %evt.type=stat %evt.arg.name" proc.name=sshd
root open=stat /proc/self/oom_score_adj
root access=stat /etc/ld.so.nohwcap
root access=stat /etc/ld.so.preload
root open=stat /etc/ld.so.cache
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libwrap.so.0
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libaudit.so.1
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libpam.so.0
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libselinux.so.1
root access=stat /etc/ld.so.nohwcap
root open=stat /usr/lib/x86_64-linux-gnu/libck-connector.so.0
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libdbus-1.so.3
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libutil.so.1
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libz.so.1
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libcrypt.so.1
root access=stat /etc/ld.so.nohwcap
root open=stat /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
root access=stat /etc/ld.so.nohwcap
root open=stat /usr/lib/x86_64-linux-gnu/libkrb5.so.3
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libcom_err.so.2
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libc.so.6
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libnsl.so.1
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libdl.so.2
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libpcre.so.3
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libpthread.so.0
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/librt.so.1
root access=stat /etc/ld.so.nohwcap
root open=stat /usr/lib/x86_64-linux-gnu/libk5crypto.so.3
root access=stat /etc/ld.so.nohwcap
root open=stat /usr/lib/x86_64-linux-gnu/libkrb5support.so.0
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libkeyutils.so.1
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libresolv.so.2
root open=stat /proc/filesystems
root open=stat /dev/null
root openat=stat /proc/2522/fd
root open=stat /usr/lib/ssl/openssl.cnf
root open=stat /dev/urandom
root open=stat /etc/gai.conf
root open=stat /etc/nsswitch.conf
root open=stat /etc/ld.so.cache
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libnss_compat.so.2
root open=stat /etc/ld.so.cache
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libnss_nis.so.2
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libnss_files.so.2
root open=stat /etc/passwd
root open=stat /etc/ssh/ssh_host_rsa_key
root open=stat /etc/ssh/ssh_host_rsa_key
root open=stat /etc/ssh/ssh_host_rsa_key
root open=stat /etc/ssh/ssh_host_rsa_key
root open=stat /etc/ssh/ssh_host_rsa_key.pub
root open=stat /etc/ssh/ssh_host_dsa_key
root open=stat /etc/ssh/ssh_host_dsa_key
root open=stat /etc/ssh/ssh_host_dsa_key
root open=stat /etc/ssh/ssh_host_dsa_key
root open=stat /etc/ssh/ssh_host_dsa_key.pub
root open=stat /etc/ssh/ssh_host_ecdsa_key
root open=stat /etc/ssh/ssh_host_ecdsa_key
root open=stat /etc/ssh/ssh_host_ecdsa_key
root open=stat /etc/ssh/ssh_host_ecdsa_key
root open=stat /etc/ssh/ssh_host_ecdsa_key.pub
root open=stat /etc/ssh/ssh_host_ed25519_key
root open=stat /etc/ssh/ssh_host_ed25519_key
root open=stat /etc/ssh/ssh_host_ed25519_key
root open=stat /etc/ssh/ssh_host_ed25519_key
root open=stat /etc/ssh/ssh_host_ed25519_key.pub
root open=stat /dev/null
root open=stat /etc/ld.so.cache
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/tls/x86_64/libnss_db.so.2
root open=stat /lib/x86_64-linux-gnu/tls/libnss_db.so.2
root open=stat /lib/x86_64-linux-gnu/x86_64/libnss_db.so.2
root open=stat /lib/x86_64-linux-gnu/libnss_db.so.2
root open=stat /usr/lib/x86_64-linux-gnu/tls/x86_64/libnss_db.so.2
root open=stat /usr/lib/x86_64-linux-gnu/tls/libnss_db.so.2
root open=stat /usr/lib/x86_64-linux-gnu/x86_64/libnss_db.so.2
root open=stat /usr/lib/x86_64-linux-gnu/libnss_db.so.2
root open=stat /lib/tls/x86_64/libnss_db.so.2
root open=stat /lib/tls/libnss_db.so.2
root open=stat /lib/x86_64/libnss_db.so.2
root open=stat /lib/libnss_db.so.2
root open=stat /usr/lib/tls/x86_64/libnss_db.so.2
root open=stat /usr/lib/tls/libnss_db.so.2
root open=stat /usr/lib/x86_64/libnss_db.so.2
root open=stat /usr/lib/libnss_db.so.2
root open=stat /etc/protocols
root open=stat /etc/hosts.allow
root open=stat /etc/hosts.deny
root open=stat /etc/passwd
root open=stat /etc/pam.d/sshd
root open=stat /etc/pam.d/common-auth
root open=stat /lib/x86_64-linux-gnu/security/pam_unix.so
root open=stat /lib/x86_64-linux-gnu/security/pam_deny.so
root open=stat /lib/x86_64-linux-gnu/security/pam_permit.so
root open=stat /lib/x86_64-linux-gnu/security/pam_cap.so
root open=stat /etc/ld.so.cache
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libcap.so.2
root open=stat /lib/x86_64-linux-gnu/security/pam_nologin.so
root open=stat /etc/pam.d/common-account
root open=stat /lib/x86_64-linux-gnu/security/pam_selinux.so
root open=stat /lib/x86_64-linux-gnu/security/pam_loginuid.so
root open=stat /lib/x86_64-linux-gnu/security/pam_keyinit.so
root open=stat /etc/pam.d/common-session
root open=stat /lib/x86_64-linux-gnu/security/pam_umask.so
root open=stat /lib/x86_64-linux-gnu/security/pam_systemd.so
root open=stat /etc/ld.so.cache
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libcgmanager.so.0
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libnih.so.1
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libnih-dbus.so.1
root access=stat /etc/ld.so.nohwcap
root open=stat /lib/x86_64-linux-gnu/libpam_misc.so.0
root open=stat /lib/x86_64-linux-gnu/security/pam_motd.so
root open=stat /lib/x86_64-linux-gnu/security/pam_mail.so
root open=stat /lib/x86_64-linux-gnu/security/pam_limits.so
root open=stat /lib/x86_64-linux-gnu/security/pam_env.so
root open=stat /etc/pam.d/common-password
root open=stat /etc/pam.d/other
root open=stat /etc/pam.d/common-auth
root open=stat /etc/pam.d/common-account
root open=stat /etc/pam.d/common-password
root open=stat /etc/pam.d/common-session
root open=stat /proc/sys/kernel/ngroups_max
root open=stat /etc/group
ubuntu open=stat /home/ubuntu/.ssh/authorized_keys
ubuntu open=stat /home/ubuntu/.ssh/authorized_keys
root open=stat /var/run/nologin
root open=stat /etc/nologin
root open=stat /etc/login.defs
root open=stat /etc/passwd
root open=stat /etc/shadow
root open=stat /etc/localtime
root open=stat /etc/security/capability.conf
root open=stat /etc/passwd
root open=stat /proc/self/uid_map
root open=stat /proc/self/loginuid
root open=stat /etc/passwd
root open=stat /etc/login.defs
root open=stat /etc/login.defs
root open=stat /etc/passwd
root open=stat /etc/group
root open=stat /etc/login.defs
root access=stat /var/run/utmpx
root open=stat /var/run/utmp
root access=stat /proc/vz
root open=stat /proc/1/environ
root open=stat /proc/self/loginuid
root open=stat /etc/passwd
root open=stat /run/motd.dynamic
root open=stat /etc/passwd
root open=stat /etc/motd
root open=stat /etc/passwd
root open=stat /etc/passwd
root open=stat /etc/passwd
root open=stat /proc/1/limits
root open=stat /etc/security/limits.conf
root openat=stat /etc/security/limits.d
root open=stat /etc/security/pam_env.conf
root open=stat /etc/environment
root open=stat /etc/security/pam_env.conf
root open=stat /etc/default/locale
root open=stat /etc/passwd
root open=stat /proc/sys/kernel/ngroups_max
root open=stat /etc/group
root open=stat /etc/security/capability.conf
root open=stat /dev/ptmx
root open=stat /etc/group
root open=stat /dev/pts/8
root open=stat /etc/group
root open=stat /etc/passwd
root open=stat /var/log/lastlog
root open=stat /etc/passwd
root access=stat /var/run/utmpx
root open=stat /var/run/utmp
root access=stat /var/run/utmpx
root open=stat /var/run/utmp
root access=stat /var/log/wtmpx
root open=stat /var/log/wtmp
root open=stat /var/log/lastlog
root open=stat /dev/null
ubuntu open=stat /dev/tty
ubuntu open=stat /dev/tty
ubuntu open=stat /dev/pts/8
ubuntu open=stat /dev/tty
ubuntu open=stat /etc/motd
ubuntu openat=stat /proc/2577/fd
ubuntu openat=stat /proc/2577/fd
The scope is much smaller now, but it is still not obvious at a glance. Recalling that CentOS uses motd, can we grep to see whether Ubuntu touches that file too? The grep turns up /run/motd.dynamic; cat it, and the information shown at login turns out to be exactly the content of this file.
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Apr 28 14:31:27 UTC 2016

  System load:  0.06              Processes:           142
  Usage of /:   88.2% of 7.74GB   Users logged in:     1
  Memory usage: 40%               IP address for eth0: *.*.*.*
  Swap usage:   0%

  => / is using 88.2% of 7.74GB

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

*** System restart required ***
Last login: Thu Apr 28 14:31:28 2016 from *.*.*.*
That leaves one more question: this usage information is always changing, so some script must be generating it. Keep digging: read the whole capture back and grep for motd to see what turns up.
# sysdig -r sshlogin.scap | grep motd -C 3
2567 14:32:14.453662940 0 sshd (2522) > munmap addr=7F3CEBBFF000 length=4096
2568 14:32:14.453665562 0 sshd (2522) < munmap res=0 vm_size=94184 vm_rss=3508 vm_swap=0
2569 14:32:14.453676315 0 sshd (2522) > open
2570 14:32:14.453679373 0 sshd (2522) < open fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) name=/lib/x86_64-linux-gnu/security/pam_motd.so flags=4097(O_RDONLY|O_CLOEXEC) mode=0
2571 14:32:14.453679998 0 sshd (2522) > read fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) size=832
2572 14:32:14.453681260 0 sshd (2522) < read res=832 data=.ELF..............>.....@.......@[email protected]...@.....................
2573 14:32:14.453681858 0 sshd (2522) > fstat fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so)
2574 14:32:14.453682473 0 sshd (2522) < fstat res=0
2575 14:32:14.453684015 0 sshd (2522) > mmap addr=0 length=2105552 prot=5(PROT_READ|PROT_EXEC) flags=1026(MAP_PRIVATE|MAP_DENYWRITE) fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) offset=0
2576 14:32:14.453686215 0 sshd (2522) < mmap res=7F3CE5BEE000 vm_size=96244 vm_rss=3508 vm_swap=0
2577 14:32:14.453686548 0 sshd (2522) > mprotect
2578 14:32:14.453690064 0 sshd (2522) < mprotect
2579 14:32:14.453690354 0 sshd (2522) > mmap addr=7F3CE5DEF000 length=8192 prot=3(PROT_READ|PROT_WRITE) flags=1030(MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE) fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) offset=4096
2580 14:32:14.453691950 0 sshd (2522) < mmap res=7F3CE5DEF000 vm_size=96244 vm_rss=3508 vm_swap=0
2581 14:32:14.453697792 0 sshd (2522) > close fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so)
2582 14:32:14.453698076 0 sshd (2522) < close res=0
2583 14:32:14.453713939 0 sshd (2522) > mprotect
2584 14:32:14.453715545 0 sshd (2522) < mprotect
--
3639 14:32:15.167518124 0 sshd (2522) > close fd=6
3640 14:32:15.167518479 0 sshd (2522) < close res=0
3641 14:32:15.167522234 0 sshd (2522) > open
3642 14:32:15.167524929 0 sshd (2522) < open fd=5(<f>/run/motd.dynamic) name=/run/motd.dynamic flags=1(O_RDONLY) mode=0
3643 14:32:15.167525595 0 sshd (2522) > fstat fd=5(<f>/run/motd.dynamic)
3644 14:32:15.167526099 0 sshd (2522) < fstat res=0
3645 14:32:15.167527088 0 sshd (2522) > read fd=5(<f>/run/motd.dynamic) size=689
3646 14:32:15.167528549 0 sshd (2522) < read res=689 data=Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64).. * Documenta
3647 14:32:15.167535024 0 sshd (2522) > close fd=5(<f>/run/motd.dynamic)
3648 14:32:15.167535286 0 sshd (2522) < close res=0
3649 14:32:15.167538617 0 sshd (2522) > open
3650 14:32:15.167540301 0 sshd (2522) < open fd=5(<f>/etc/passwd) name=/etc/passwd flags=4097(O_RDONLY|O_CLOEXEC) mode=0
--
3677 14:32:15.167585056 0 sshd (2522) > setfsuid
3678 14:32:15.167585456 0 sshd (2522) < setfsuid
3679 14:32:15.167587108 0 sshd (2522) > stat
3680 14:32:15.167589378 0 sshd (2522) < stat res=0 path=/home/ubuntu/.cache/motd.legal-displayed
3681 14:32:15.167590221 0 sshd (2522) > setfsuid
3682 14:32:15.167590660 0 sshd (2522) < setfsuid
3683 14:32:15.167590896 0 sshd (2522) > setfsuid
--
3689 14:32:15.167592585 0 sshd (2522) > setgroups
3690 14:32:15.167592979 0 sshd (2522) < setgroups
3691 14:32:15.167593583 0 sshd (2522) > stat
3692 14:32:15.167594490 0 sshd (2522) < stat res=0 path=/etc/update-motd.d
3693 14:32:15.167594955 0 sshd (2522) > umask
3694 14:32:15.167595127 0 sshd (2522) < umask
3695 14:32:15.167595807 0 sshd (2522) > rt_sigaction
--
3719 14:32:15.486395463 0 sshd (2522) < rt_sigprocmask
3720 14:32:15.486395830 0 sshd (2522) > signaldeliver spid=2524(sshd) dpid=2522(sshd) sig=17(SIGCHLD)
3721 14:32:15.486397094 0 sshd (2522) > rename
3722 14:32:15.486406310 0 sshd (2522) < rename res=0 oldpath=/run/motd.dynamic.new newpath=/run/motd.dynamic
3723 14:32:15.486407475 0 sshd (2522) > umask
3724 14:32:15.486407696 0 sshd (2522) < umask
3725 14:32:15.486408160 0 sshd (2522) > open
3726 14:32:15.486409719 0 sshd (2522) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
3727 14:32:15.486420788 0 sshd (2522) > open
3728 14:32:15.486422469 0 sshd (2522) < open fd=5(<f>/etc/passwd) name=/etc/passwd flags=4097(O_RDONLY|O_CLOEXEC) mode=0
3729 14:32:15.486423926 0 sshd (2522) > lseek fd=5(<f>/etc/passwd) offset=0 whence=1(SEEK_CUR)
--
3755 14:32:15.486459796 0 sshd (2522) > setfsuid
3756 14:32:15.486460106 0 sshd (2522) < setfsuid
3757 14:32:15.486461896 0 sshd (2522) > stat
3758 14:32:15.486464760 0 sshd (2522) < stat res=0 path=/home/ubuntu/.cache/motd.legal-displayed
3759 14:32:15.486465455 0 sshd (2522) > setfsuid
3760 14:32:15.486465892 0 sshd (2522) < setfsuid
3761 14:32:15.486466132 0 sshd (2522) > setfsuid
--
4731 14:32:16.770878160 0 sshd (2577) > write fd=1(<f>/dev/pts/8) size=58
4732 14:32:16.770878954 0 sshd (2577) < write res=58 data=Last login: Thu Apr 28 14:31:28 2016 from 114.248.207.97..
4733 14:32:16.770886266 0 sshd (2577) > open
4734 14:32:16.770888442 0 sshd (2577) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
4735 14:32:16.770928234 0 sshd (2577) > getuid
4736 14:32:16.770928930 0 sshd (2577) < getuid uid=1000(ubuntu)
4737 14:32:16.770929589 0 sshd (2577) > geteuid
One event in there stands out. Look inside that directory and, sure enough, the scripts that produce the information shown at Ubuntu login all live there.
3692 14:32:15.167594490 0 sshd (2522) < stat res=0 path=/etc/update-motd.d
├── 00-header
├── 10-help-text
├── 50-landscape-sysinfo -> /usr/share/landscape/landscape-sysinfo.wrapper
├── 51-cloudguest
├── 90-updates-available
├── 91-release-upgrade
├── 97-overlayroot
├── 98-fsck-at-reboot
└── 98-reboot-required

0 directories, 9 files
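The grep above still leaves a human to scan each hit for the path and for whether the call actually succeeded. As an added example, not from the original post and not part of sysdig, the Python below parses sysdig's default text output (the same layout as the dumps above), keeps only the exit events of the path-taking syscalls seen here, and reports which files a process reached and which lookups failed (such as the ENOENT on /etc/motd). The sample lines are constructed after the capture in this post, and the PATH_ARG/RESULT_ARG tables are my own assumptions covering only open, openat, stat and rename.

```python
import re
from collections import namedtuple

# Constructed sample in sysdig's default text format
# (%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args),
# modelled on the login capture in this post; not a real capture.
SAMPLE = """\
3641 14:32:15.167522234 0 sshd (2522) > open
3642 14:32:15.167524929 0 sshd (2522) < open fd=5(<f>/run/motd.dynamic) name=/run/motd.dynamic flags=1(O_RDONLY) mode=0
3646 14:32:15.167528549 0 sshd (2522) < read res=689 data=Welcome to Ubuntu 14.04.4 LTS
3692 14:32:15.167594490 0 sshd (2522) < stat res=0 path=/etc/update-motd.d
3722 14:32:15.486406310 0 sshd (2522) < rename res=0 oldpath=/run/motd.dynamic.new newpath=/run/motd.dynamic
3726 14:32:15.486409719 0 sshd (2522) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
4734 14:32:16.770888442 0 sshd (2577) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
4790 14:32:16.771000000 0 bash (2600) < open fd=3(<f>/etc/bash.bashrc) name=/etc/bash.bashrc flags=1(O_RDONLY) mode=0
"""

Access = namedtuple("Access", "num tid event path error")

EVENT_RE = re.compile(
    r"^(?P<num>\d+) (?P<time>\S+) (?P<cpu>\d+) (?P<proc>\S+) \((?P<tid>\d+)\) "
    r"(?P<dir>[<>]) (?P<type>\w+)(?: (?P<args>.*))?$")
# key=value pairs; a value may contain spaces (data=...), so stop only before the next key.
ARG_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Assumed tables, covering only the path-taking syscalls seen on this page:
# which argument names the file, and which argument carries the result.
PATH_ARG = {"open": "name", "openat": "name", "stat": "path", "rename": "newpath"}
RESULT_ARG = {"open": "fd", "openat": "fd", "stat": "res", "rename": "res"}


def _error(value):
    """errno name from a negative result such as '-2(ENOENT)'; None on success."""
    if not value.startswith("-"):
        return None
    m = re.match(r"-\d+\((\w+)\)", value)
    return m.group(1) if m else value


def file_accesses(text, proc=None):
    """Reduce a sysdig text dump to the files each process tried to reach (exit events only)."""
    out = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["dir"] != "<" or m["type"] not in PATH_ARG:
            continue
        if proc and m["proc"] != proc:
            continue
        args = dict(ARG_RE.findall(m["args"] or ""))
        path = args.get(PATH_ARG[m["type"]])
        if path is not None:
            out.append(Access(int(m["num"]), int(m["tid"]), m["type"], path,
                              _error(args.get(RESULT_ARG[m["type"]], "0"))))
    return out


def missing_files(accesses):
    """Paths that were looked up but never successfully opened, stat'ed or renamed to."""
    ok = {a.path for a in accesses if a.error is None}
    return sorted({a.path for a in accesses if a.error} - ok)
```

Feed it the output of `sysdig -r sshlogin.scap` and filter with `proc="sshd"` to get the same picture the manual grep gave, plus the list of files sshd looked for and did not find.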
Additions welcome!