Seeing the title, you may say: just use lsof. If it were that simple there would be no point in writing this. In some situations lsof or strace cannot tell you which files a particular process has accessed, or is accessing right now, and that is where sysdig comes in. An earlier article covered sysdig's basic syntax; today let's look at how to work out which files a given process is accessing. Consider this a starting point rather than the last word.
Take, for example, the system information shown when you log in to an Ubuntu system. On CentOS this is easy: it is simply the content of /etc/motd. Ubuntu generates it dynamically, and every login shows the current system load, CPU, disk usage and so on:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Apr 28 14:31:27 UTC 2016

  System load:  0.06              Processes:           142
  Usage of /:   88.2% of 7.74GB   Users logged in:     1
  Memory usage: 40%               IP address for eth0: *.*.*.*
  Swap usage:   0%

  => / is using 88.2% of 7.74GB

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

*** System restart required ***
Last login: Thu Apr 28 14:31:28 2016 from *.*.*.*
If you are curious how the system produces this, strace could do the job, but today we will use sysdig to see what sshd calls during the login and which scripts it goes through to generate this banner.
First, in one shell, start capturing:
sysdig -w sshd.scap
Then log in to the system from a second shell. Once the login has completed, interrupt the sysdig command (Ctrl-C) and read the capture back:
sysdig -pc -A -r sshd.scap
The output looks like this:
79 14:32:07.130531917 0 host (host) sshd (22765:22765) < select res=1
80 14:32:07.130535457 0 host (host) sshd (22765:22765) > rt_sigprocmask
81 14:32:07.130536595 0 host (host) sshd (22765:22765) < rt_sigprocmask
82 14:32:07.130536896 0 host (host) sshd (22765:22765) > rt_sigprocmask
83 14:32:07.130537157 0 host (host) sshd (22765:22765) < rt_sigprocmask
84 14:32:07.130539435 0 host (host) sshd (22765:22765) > clock_gettime
85 14:32:07.130540163 0 host (host) sshd (22765:22765) < clock_gettime
86 14:32:07.130543216 0 host (host) sshd (22765:22765) > read fd=3(<4t>114.248.207.97:12148->My serverIP:**) size=16384
87 14:32:07.130551426 0 host (host) sshd (22765:22765) < read res=52 data=
%v+R%oN<vV74xB2zkX
6
2
88 14:32:07.130565762 0 host (host) sshd (22765:22765) > clock_gettime
89 14:32:07.130566078 0 host (host) sshd (22765:22765) < clock_gettime
90 14:32:07.130567618 0 host (host) sshd (22765:22765) > select
91 14:32:07.130569947 0 host (host) sshd (22765:22765) < select res=1
92 14:32:07.130570300 0 host (host) sshd (22765:22765) > rt_sigprocmask
93 14:32:07.130570536 0 host (host) sshd (22765:22765) < rt_sigprocmask
94 14:32:07.130570785 0 host (host) sshd (22765:22765) > rt_sigprocmask
95 14:32:07.130571005 0 host (host) sshd (22765:22765) < rt_sigprocmask
96 14:32:07.130571285 0 host (host) sshd (22765:22765) > clock_gettime
97 14:32:07.130571553 0 host (host) sshd (22765:22765) < clock_gettime
98 14:32:07.130572239 0 host (host) sshd (22765:22765) > write fd=9(<f>/dev/ptmx) size=1
99 14:32:07.130578512 0 host (host) sshd (22765:22765) < write res=1 data=
100 14:32:07.130579618 0 host (host) sshd (22765:22765) > clock_gettime
101 14:32:07.130579908 0 host (host) sshd (22765:22765) < clock_gettime
102 14:32:07.130580347 0 host (host) sshd (22765:22765) > select
103 14:32:07.130582388 0 host (host) sshd (22765:22765) > switch next=46 pgft_maj=0 pgft_min=303 vm_size=103780 vm_rss=1888 vm_swap=0
104 14:32:07.130592298 0 host (host) sshd (22765:22765) < select res=1
105 14:32:07.130592681 0 host (host) sshd (22765:22765) > rt_sigprocmask
106 14:32:07.130592900 0 host (host) sshd (22765:22765) < rt_sigprocmask
107 14:32:07.130593139 0 host (host) sshd (22765:22765) > rt_sigprocmask
108 14:32:07.130593322 0 host (host) sshd (22765:22765) < rt_sigprocmask
109 14:32:07.130593653 0 host (host) sshd (22765:22765) > clock_gettime
110 14:32:07.130593836 0 host (host) sshd (22765:22765) < clock_gettime
111 14:32:07.130594664 0 host (host) sshd (22765:22765) > read fd=11(<f>/dev/ptmx) size=16384
112 14:32:07.130596295 0 host (host) sshd (22765:22765) < read res=2 data=
Tracing with strace -e read gives the result below: there is no way to tell which file is being read, just a pile of system calls. (Two caveats on this comparison: the trace below was actually taken on the ssh client side, as the known_hosts warning and the read of the client's private key show, so it could never have revealed what the server's sshd reads; and -e read prints only descriptor numbers. strace -y decorates each descriptor with its path and -e trace=file shows the calls that take a path, but a system-wide, per-process view of what was opened is still much easier to get from a sysdig capture.)
Warning: Permanently added '[52.192.*.*]:ssh port' (RSA) to the list of known hosts.
read(3, "\226f\27H|\304%\247\203\326z\243\345\361\21\350 \24\2669\365\334]g\361kj\300\347\215\361\247"..., 8192) = 48
read(3, "\235r\257P\217\274^\303\262\314\352\315\376\17\214\317\373\202\373\314\220d\223\276\344\35\271s\1\305\35\372"..., 8192) = 48
read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 1675
read(3, "\204\357\350\362\362\0312\377\344\335\312\333\220\237Z_Z\367H\312\1\r\242\322\300:\243\350\275 =\22", 8192) = 32
read(3, "\333\f\277\212\342\342\264n ,N\324'\255 Q\243wY[\224\17WVzM\200]X\23\354)"..., 8192) = 48
read(3, "\360\336\244\3112\372\314\327\317\27>\21\335\204\36368u\227n\370n4C!W\360\4i~n\305"..., 8192) = 112
read(3, "\177\204^x\v8n\322\300\17\3579\344\353\nv[\301a\7\3}\240dS\36\310\216P\23\276\351"..., 8192) = 816
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Apr 29 08:18:15 UTC 2016

  System load:  0.0               Processes:           138
  Usage of /:   88.5% of 7.74GB   Users logged in:     1
  Memory usage: 38%               IP address for eth0: *.*.*.*
  Swap usage:   0%
sysdig captured 5256 system calls during the login; clearly nobody has time to go through those line by line.
Let's think about it: since the text ends up on the terminal, somewhere there must be a read of some file. Let's try this (the capture file is called sshlogin.scap from here on):
# sysdig -r sshlogin.scap -p "%user.name  %evt.type=stat %evt.arg.name" proc.name=sshd
root  open=stat /proc/self/oom_score_adj
root  access=stat /etc/ld.so.nohwcap
root  access=stat /etc/ld.so.preload
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libwrap.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libaudit.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libpam.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libselinux.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /usr/lib/x86_64-linux-gnu/libck-connector.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libdbus-1.so.3
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libutil.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libz.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libcrypt.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
root  access=stat /etc/ld.so.nohwcap
root  open=stat /usr/lib/x86_64-linux-gnu/libkrb5.so.3
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libcom_err.so.2
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libc.so.6
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnsl.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libdl.so.2
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libpcre.so.3
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libpthread.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/librt.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /usr/lib/x86_64-linux-gnu/libk5crypto.so.3
root  access=stat /etc/ld.so.nohwcap
root  open=stat /usr/lib/x86_64-linux-gnu/libkrb5support.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libkeyutils.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libresolv.so.2
root  open=stat /proc/filesystems
root  open=stat /dev/null
root  openat=stat /proc/2522/fd
root  open=stat /usr/lib/ssl/openssl.cnf
root  open=stat /dev/urandom
root  open=stat /etc/gai.conf
root  open=stat /etc/nsswitch.conf
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnss_compat.so.2
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnss_nis.so.2
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnss_files.so.2
root  open=stat /etc/passwd
root  open=stat /etc/ssh/ssh_host_rsa_key
root  open=stat /etc/ssh/ssh_host_rsa_key
root  open=stat /etc/ssh/ssh_host_rsa_key
root  open=stat /etc/ssh/ssh_host_rsa_key
root  open=stat /etc/ssh/ssh_host_rsa_key.pub
root  open=stat /etc/ssh/ssh_host_dsa_key
root  open=stat /etc/ssh/ssh_host_dsa_key
root  open=stat /etc/ssh/ssh_host_dsa_key
root  open=stat /etc/ssh/ssh_host_dsa_key
root  open=stat /etc/ssh/ssh_host_dsa_key.pub
root  open=stat /etc/ssh/ssh_host_ecdsa_key
root  open=stat /etc/ssh/ssh_host_ecdsa_key
root  open=stat /etc/ssh/ssh_host_ecdsa_key
root  open=stat /etc/ssh/ssh_host_ecdsa_key
root  open=stat /etc/ssh/ssh_host_ecdsa_key.pub
root  open=stat /etc/ssh/ssh_host_ed25519_key
root  open=stat /etc/ssh/ssh_host_ed25519_key
root  open=stat /etc/ssh/ssh_host_ed25519_key
root  open=stat /etc/ssh/ssh_host_ed25519_key
root  open=stat /etc/ssh/ssh_host_ed25519_key.pub
root  open=stat /dev/null
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/tls/x86_64/libnss_db.so.2
root  open=stat /lib/x86_64-linux-gnu/tls/libnss_db.so.2
root  open=stat /lib/x86_64-linux-gnu/x86_64/libnss_db.so.2
root  open=stat /lib/x86_64-linux-gnu/libnss_db.so.2
root  open=stat /usr/lib/x86_64-linux-gnu/tls/x86_64/libnss_db.so.2
root  open=stat /usr/lib/x86_64-linux-gnu/tls/libnss_db.so.2
root  open=stat /usr/lib/x86_64-linux-gnu/x86_64/libnss_db.so.2
root  open=stat /usr/lib/x86_64-linux-gnu/libnss_db.so.2
root  open=stat /lib/tls/x86_64/libnss_db.so.2
root  open=stat /lib/tls/libnss_db.so.2
root  open=stat /lib/x86_64/libnss_db.so.2
root  open=stat /lib/libnss_db.so.2
root  open=stat /usr/lib/tls/x86_64/libnss_db.so.2
root  open=stat /usr/lib/tls/libnss_db.so.2
root  open=stat /usr/lib/x86_64/libnss_db.so.2
root  open=stat /usr/lib/libnss_db.so.2
root  open=stat /etc/protocols
root  open=stat /etc/hosts.allow
root  open=stat /etc/hosts.deny
root  open=stat /etc/passwd
root  open=stat /etc/pam.d/sshd
root  open=stat /etc/pam.d/common-auth
root  open=stat /lib/x86_64-linux-gnu/security/pam_unix.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_deny.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_permit.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_cap.so
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libcap.so.2
root  open=stat /lib/x86_64-linux-gnu/security/pam_nologin.so
root  open=stat /etc/pam.d/common-account
root  open=stat /lib/x86_64-linux-gnu/security/pam_selinux.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_loginuid.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_keyinit.so
root  open=stat /etc/pam.d/common-session
root  open=stat /lib/x86_64-linux-gnu/security/pam_umask.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_systemd.so
root  open=stat /etc/ld.so.cache
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libcgmanager.so.0
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnih.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libnih-dbus.so.1
root  access=stat /etc/ld.so.nohwcap
root  open=stat /lib/x86_64-linux-gnu/libpam_misc.so.0
root  open=stat /lib/x86_64-linux-gnu/security/pam_motd.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_mail.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_limits.so
root  open=stat /lib/x86_64-linux-gnu/security/pam_env.so
root  open=stat /etc/pam.d/common-password
root  open=stat /etc/pam.d/other
root  open=stat /etc/pam.d/common-auth
root  open=stat /etc/pam.d/common-account
root  open=stat /etc/pam.d/common-password
root  open=stat /etc/pam.d/common-session
root  open=stat /proc/sys/kernel/ngroups_max
root  open=stat /etc/group
ubuntu  open=stat /home/ubuntu/.ssh/authorized_keys
ubuntu  open=stat /home/ubuntu/.ssh/authorized_keys
root  open=stat /var/run/nologin
root  open=stat /etc/nologin
root  open=stat /etc/login.defs
root  open=stat /etc/passwd
root  open=stat /etc/shadow
root  open=stat /etc/localtime
root  open=stat /etc/security/capability.conf
root  open=stat /etc/passwd
root  open=stat /proc/self/uid_map
root  open=stat /proc/self/loginuid
root  open=stat /etc/passwd
root  open=stat /etc/login.defs
root  open=stat /etc/login.defs
root  open=stat /etc/passwd
root  open=stat /etc/group
root  open=stat /etc/login.defs
root  access=stat /var/run/utmpx
root  open=stat /var/run/utmp
root  access=stat /proc/vz
root  open=stat /proc/1/environ
root  open=stat /proc/self/loginuid
root  open=stat /etc/passwd
root  open=stat /run/motd.dynamic
root  open=stat /etc/passwd
root  open=stat /etc/motd
root  open=stat /etc/passwd
root  open=stat /etc/passwd
root  open=stat /etc/passwd
root  open=stat /proc/1/limits
root  open=stat /etc/security/limits.conf
root  openat=stat /etc/security/limits.d
root  open=stat /etc/security/pam_env.conf
root  open=stat /etc/environment
root  open=stat /etc/security/pam_env.conf
root  open=stat /etc/default/locale
root  open=stat /etc/passwd
root  open=stat /proc/sys/kernel/ngroups_max
root  open=stat /etc/group
root  open=stat /etc/security/capability.conf
root  open=stat /dev/ptmx
root  open=stat /etc/group
root  open=stat /dev/pts/8
root  open=stat /etc/group
root  open=stat /etc/passwd
root  open=stat /var/log/lastlog
root  open=stat /etc/passwd
root  access=stat /var/run/utmpx
root  open=stat /var/run/utmp
root  access=stat /var/run/utmpx
root  open=stat /var/run/utmp
root  access=stat /var/log/wtmpx
root  open=stat /var/log/wtmp
root  open=stat /var/log/lastlog
root  open=stat /dev/null
ubuntu  open=stat /dev/tty
ubuntu  open=stat /dev/tty
ubuntu  open=stat /dev/pts/8
ubuntu  open=stat /dev/tty
ubuntu  open=stat /etc/motd
ubuntu  openat=stat /proc/2577/fd
ubuntu  openat=stat /proc/2577/fd
這次范圍小了很多了,但是看著還是不簡單明了,我們聯想到CentOS用的是motd,那是否可以grep 一下看看Ubuntu是不是也用到這個文件呢? grep 之后發現了這個文件/run/motd.dynamic,趕緊cat一下發現登錄系統現實的信息就是這個文件里面的信息。
Welcome?to?Ubuntu?14.04.4?LTS?(GNU/Linux?3.13.0-83-generic?x86_64)*?Documentation:??https://help.ubuntu.com/System?information?as?of?Thu?Apr?28?14:31:27?UTC?2016System?load:??0.06??????????????Processes:???????????142Usage?of?/:???88.2%?of?7.74GB???Users?logged?in:?????1Memory?usage:?40%???????????????IP?address?for?eth0:?*.*.*.*Swap?usage:???0%=>?/?is?using?88.2%?of?7.74GBGraph?this?data?and?manage?this?system?at:https://landscape.canonical.com/Get?cloud?support?with?Ubuntu?Advantage?Cloud?Guest:http://www.ubuntu.com/business/services/cloud
0?packages?can?be?updated.
0?updates?are?security?updates.
***?System?restart?required?***
Last?login:?Thu?Apr?28?14:31:28?2016?from?*.*.*.*
One question remains: this usage information obviously changes all the time, so some script must be producing it. Keep digging: dump the whole capture and grep it for motd to see what turns up:
# sysdig -r sshlogin.scap | grep motd -C 3
2567 14:32:14.453662940 0 sshd (2522) > munmap addr=7F3CEBBFF000 length=4096
2568 14:32:14.453665562 0 sshd (2522) < munmap res=0 vm_size=94184 vm_rss=3508 vm_swap=0
2569 14:32:14.453676315 0 sshd (2522) > open
2570 14:32:14.453679373 0 sshd (2522) < open fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) name=/lib/x86_64-linux-gnu/security/pam_motd.so flags=4097(O_RDONLY|O_CLOEXEC) mode=0
2571 14:32:14.453679998 0 sshd (2522) > read fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) size=832
2572 14:32:14.453681260 0 sshd (2522) < read res=832 data=.ELF..............>.....@.......@........!..........@.8...@.....................
2573 14:32:14.453681858 0 sshd (2522) > fstat fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so)
2574 14:32:14.453682473 0 sshd (2522) < fstat res=0
2575 14:32:14.453684015 0 sshd (2522) > mmap addr=0 length=2105552 prot=5(PROT_READ|PROT_EXEC) flags=1026(MAP_PRIVATE|MAP_DENYWRITE) fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) offset=0
2576 14:32:14.453686215 0 sshd (2522) < mmap res=7F3CE5BEE000 vm_size=96244 vm_rss=3508 vm_swap=0
2577 14:32:14.453686548 0 sshd (2522) > mprotect
2578 14:32:14.453690064 0 sshd (2522) < mprotect
2579 14:32:14.453690354 0 sshd (2522) > mmap addr=7F3CE5DEF000 length=8192 prot=3(PROT_READ|PROT_WRITE) flags=1030(MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE) fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) offset=4096
2580 14:32:14.453691950 0 sshd (2522) < mmap res=7F3CE5DEF000 vm_size=96244 vm_rss=3508 vm_swap=0
2581 14:32:14.453697792 0 sshd (2522) > close fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so)
2582 14:32:14.453698076 0 sshd (2522) < close res=0
2583 14:32:14.453713939 0 sshd (2522) > mprotect
2584 14:32:14.453715545 0 sshd (2522) < mprotect
--
3639 14:32:15.167518124 0 sshd (2522) > close fd=6
3640 14:32:15.167518479 0 sshd (2522) < close res=0
3641 14:32:15.167522234 0 sshd (2522) > open
3642 14:32:15.167524929 0 sshd (2522) < open fd=5(<f>/run/motd.dynamic) name=/run/motd.dynamic flags=1(O_RDONLY) mode=0
3643 14:32:15.167525595 0 sshd (2522) > fstat fd=5(<f>/run/motd.dynamic)
3644 14:32:15.167526099 0 sshd (2522) < fstat res=0
3645 14:32:15.167527088 0 sshd (2522) > read fd=5(<f>/run/motd.dynamic) size=689
3646 14:32:15.167528549 0 sshd (2522) < read res=689 data=Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64).. * Documenta
3647 14:32:15.167535024 0 sshd (2522) > close fd=5(<f>/run/motd.dynamic)
3648 14:32:15.167535286 0 sshd (2522) < close res=0
3649 14:32:15.167538617 0 sshd (2522) > open
3650 14:32:15.167540301 0 sshd (2522) < open fd=5(<f>/etc/passwd) name=/etc/passwd flags=4097(O_RDONLY|O_CLOEXEC) mode=0
--
3677 14:32:15.167585056 0 sshd (2522) > setfsuid
3678 14:32:15.167585456 0 sshd (2522) < setfsuid
3679 14:32:15.167587108 0 sshd (2522) > stat
3680 14:32:15.167589378 0 sshd (2522) < stat res=0 path=/home/ubuntu/.cache/motd.legal-displayed
3681 14:32:15.167590221 0 sshd (2522) > setfsuid
3682 14:32:15.167590660 0 sshd (2522) < setfsuid
3683 14:32:15.167590896 0 sshd (2522) > setfsuid
--
3689 14:32:15.167592585 0 sshd (2522) > setgroups
3690 14:32:15.167592979 0 sshd (2522) < setgroups
3691 14:32:15.167593583 0 sshd (2522) > stat
3692 14:32:15.167594490 0 sshd (2522) < stat res=0 path=/etc/update-motd.d
3693 14:32:15.167594955 0 sshd (2522) > umask
3694 14:32:15.167595127 0 sshd (2522) < umask
3695 14:32:15.167595807 0 sshd (2522) > rt_sigaction
--
3719 14:32:15.486395463 0 sshd (2522) < rt_sigprocmask
3720 14:32:15.486395830 0 sshd (2522) > signaldeliver spid=2524(sshd) dpid=2522(sshd) sig=17(SIGCHLD)
3721 14:32:15.486397094 0 sshd (2522) > rename
3722 14:32:15.486406310 0 sshd (2522) < rename res=0 oldpath=/run/motd.dynamic.new newpath=/run/motd.dynamic
3723 14:32:15.486407475 0 sshd (2522) > umask
3724 14:32:15.486407696 0 sshd (2522) < umask
3725 14:32:15.486408160 0 sshd (2522) > open
3726 14:32:15.486409719 0 sshd (2522) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
3727 14:32:15.486420788 0 sshd (2522) > open
3728 14:32:15.486422469 0 sshd (2522) < open fd=5(<f>/etc/passwd) name=/etc/passwd flags=4097(O_RDONLY|O_CLOEXEC) mode=0
3729 14:32:15.486423926 0 sshd (2522) > lseek fd=5(<f>/etc/passwd) offset=0 whence=1(SEEK_CUR)
--
3755 14:32:15.486459796 0 sshd (2522) > setfsuid
3756 14:32:15.486460106 0 sshd (2522) < setfsuid
3757 14:32:15.486461896 0 sshd (2522) > stat
3758 14:32:15.486464760 0 sshd (2522) < stat res=0 path=/home/ubuntu/.cache/motd.legal-displayed
3759 14:32:15.486465455 0 sshd (2522) > setfsuid
3760 14:32:15.486465892 0 sshd (2522) < setfsuid
3761 14:32:15.486466132 0 sshd (2522) > setfsuid
--
4731 14:32:16.770878160 0 sshd (2577) > write fd=1(<f>/dev/pts/8) size=58
4732 14:32:16.770878954 0 sshd (2577) < write res=58 data=Last login: Thu Apr 28 14:31:28 2016 from 114.248.207.97..
4733 14:32:16.770886266 0 sshd (2577) > open
4734 14:32:16.770888442 0 sshd (2577) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
4735 14:32:16.770928234 0 sshd (2577) > getuid
4736 14:32:16.770928930 0 sshd (2577) < getuid uid=1000(ubuntu)
4737 14:32:16.770929589 0 sshd (2577) > geteuid
One event here stands out: line 3692, the stat of /etc/update-motd.d. Looking in that directory, sure enough, the scripts that generate the Ubuntu login banner all live there. The events around it tell the whole story: pam_motd stats /etc/update-motd.d (3692), runs the scripts in a child process (the SIGCHLD from pid 2524 at 3720), renames /run/motd.dynamic.new over /run/motd.dynamic (3722) so the file is replaced atomically, and then tries the classic /etc/motd, which does not exist on this host (3726, ENOENT). The two stats of /home/ubuntu/.cache/motd.legal-displayed (3680 and 3758) show pam_motd running twice in this session: the first pass reads the /run/motd.dynamic left behind by the previous login (3642), the second regenerates it. That is also why the banner's "System information as of" timestamp (14:31:27) is a minute older than the login being traced (14:32). Note that all of this happens inside sshd's PAM session as root, before privileges are dropped to the user; the setfsuid calls bracket only the check of the user's cache file. Every script in /etc/update-motd.d therefore runs as root on each login, so when auditing a host, check that directory's ownership, permissions and contents along with the usual cron and init locations.
3692 14:32:15.167594490 0 sshd (2522) < stat res=0 path=/etc/update-motd.d

/etc/update-motd.d
├── 00-header
├── 10-help-text
├── 50-landscape-sysinfo -> /usr/share/landscape/landscape-sysinfo.wrapper
├── 51-cloudguest
├── 90-updates-available
├── 91-release-upgrade
├── 97-overlayroot
├── 98-fsck-at-reboot
└── 98-reboot-required

0 directories, 9 files
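The -p format line and the grep above were both hand-built ways of pulling "which files did sshd touch" out of the raw capture. As an added example (not code from the original post), here is a small Python post-processor that does that job on sysdig's default text output: it keeps only the events that name a file and lists, per process, which paths were opened, read, written, stat'ed or renamed, including failed opens such as the missing /etc/motd. The script name sysdig_files.py and the embedded sample lines (transcribed from the traces above, so constructed for the example) are assumptions; it reads a trace from stdin when piped and otherwise runs on the sample.

```python
"""Which files did a process touch, from sysdig's default text output.
Added example for this article (not part of the original post).  Usage:

    sysdig -r sshlogin.scap proc.name=sshd | python3 sysdig_files.py

Default lines look like '<num> <time> <cpu> <proc> (<tid>) <dir> <type> <args>';
with -pc two extra columns '<container.name> (<id>)' precede <proc>.  Both parse.
"""
import re
import sys
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>[\d:.]+)\s+(?P<cpu>\d+)\s+"
    r"(?:(?P<container>\S+)\s+\([^)]*\)\s+)?"        # optional -pc columns
    r"(?P<proc>\S+)\s+\((?P<pid>\d+)(?::\d+)?\)\s+"   # sshd (2522) or sshd (22765:22765)
    r"(?P<dir>[<>])\s+(?P<type>\w+)\s*(?P<rest>.*)$"
)
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")                # start of each key=value pair
FD_FILE_RE = re.compile(r"^\d+\(<f>(.*)\)$")          # fd=5(<f>/run/motd.dynamic)
FD_ERR_RE = re.compile(r"^-\d+\((E\w+)\)$")           # fd=-2(ENOENT)

# Loader and shared-library lookups drown everything else; hidden by default.
NOISE_PREFIXES = ("/lib/", "/usr/lib/", "/etc/ld.so")


def parse_args(text):
    """'fd=5(<f>/x) name=/x flags=1(O_RDONLY)' -> dict.  The free-form 'data='
    payload may contain spaces and '=' signs, so it swallows the rest verbatim."""
    args, keys = {}, list(KEY_RE.finditer(text))
    for i, k in enumerate(keys):
        name, start = k.group(1), k.end()
        if name == "data":
            args[name] = text[start:].strip()
            break
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        args[name] = text[start:end].strip()
    return args


def parse_line(line):
    """One sysdig event line -> dict; None for grep separators, wrapped data
    bytes or anything else that is not an event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["args"] = parse_args(rec.pop("rest"))
    return rec


def file_event(rec):
    """Event -> (path, action) or None.  open/stat/rename resolve the path on
    exit ('<'); read/write carry the fd (with its <f> path) on entry ('>').
    Sockets (<4t>) and other non-file descriptors are ignored."""
    t, a, d = rec["type"], rec["args"], rec["dir"]
    if d == "<" and t in ("open", "openat"):
        err = FD_ERR_RE.match(a.get("fd", ""))
        if err:                                       # e.g. /etc/motd missing
            return a.get("name"), "open-failed:" + err.group(1)
        return a.get("name"), "open"
    if d == "<" and t in ("stat", "lstat", "access"):
        return a.get("path") or a.get("name"), t
    if d == "<" and t == "rename":                    # atomic replace of the motd
        return a.get("newpath"), "rename-from:" + a.get("oldpath", "?")
    if d == ">" and t in ("read", "write", "pread", "pwrite"):
        m = FD_FILE_RE.match(a.get("fd", ""))
        return (m.group(1), t) if m else None
    return None


def summarize(lines, drop_noise=True):
    """{'sshd(2522)': {path: [sorted actions]}} for every process in lines."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        fe = file_event(rec) if rec else None
        if not fe or not fe[0]:
            continue
        path, action = fe
        if drop_noise and path.startswith(NOISE_PREFIXES):
            continue
        out["%s(%s)" % (rec["proc"], rec["pid"])][path].add(action)
    return {p: {f: sorted(v) for f, v in files.items()} for p, files in out.items()}


# Constructed sample: lines transcribed from the traces in the article.
SAMPLE = """\
79 14:32:07.130531917 0 host (host) sshd (22765:22765) < select res=1
2570 14:32:14.453679373 0 sshd (2522) < open fd=8(<f>/lib/x86_64-linux-gnu/security/pam_motd.so) name=/lib/x86_64-linux-gnu/security/pam_motd.so flags=4097(O_RDONLY|O_CLOEXEC) mode=0
3642 14:32:15.167524929 0 sshd (2522) < open fd=5(<f>/run/motd.dynamic) name=/run/motd.dynamic flags=1(O_RDONLY) mode=0
3645 14:32:15.167527088 0 sshd (2522) > read fd=5(<f>/run/motd.dynamic) size=689
3646 14:32:15.167528549 0 sshd (2522) < read res=689 data=Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64).. * Documenta
3692 14:32:15.167594490 0 sshd (2522) < stat res=0 path=/etc/update-motd.d
3722 14:32:15.486406310 0 sshd (2522) < rename res=0 oldpath=/run/motd.dynamic.new newpath=/run/motd.dynamic
3726 14:32:15.486409719 0 sshd (2522) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
--
4731 14:32:16.770878160 0 sshd (2577) > write fd=1(<f>/dev/pts/8) size=58
4734 14:32:16.770888442 0 sshd (2577) < open fd=-2(ENOENT) name=/etc/motd flags=1(O_RDONLY) mode=0
"""


def main():
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for proc, files in sorted(summarize(src).items()):
        print(proc)
        for path, actions in sorted(files.items()):
            print("  %-40s %s" % (path, ", ".join(actions)))


if __name__ == "__main__":
    main()
```

On the sample this reports, for sshd(2522), /run/motd.dynamic as opened, read and renamed over from /run/motd.dynamic.new, /etc/update-motd.d as stat'ed and /etc/motd as a failed open, with the pam_motd.so load hidden as loader noise. If the capture is large, narrowing it on the sysdig side first (for example with the filter "proc.name=sshd and fd.type=file") keeps the text the script has to parse small.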
Additions welcome!
Reposted from: https://blog.51cto.com/shanker/1768828