Kha*_*hai 8 linux system-calls kernel strace
是否有等效于 Mac OS X 命令 fs_usage 的 Linux?根据手册页,它执行以下操作:“实时报告与文件系统活动相关的系统调用和页面错误”。
我想一种选择是使用 strace 并过滤数据,但是 fs_usage 命令允许同时“跟踪”系统上运行的所有进程。
这是一个示例输出:
03:44:25 stat64 erences/ByHost/org.mozilla.firefox.69AC0B48-F675-5045-B873-A28B119C33E7.plist 0.000029 firefox
03:44:25 stat64 /Users/**********/Library/Preferences 0.000011 firefox
03:44:25 statfs64 /Users/**********/Library/Preferences 0.000004 firefox
03:44:25 open /Users/**********/Library/Preferences/org.mozilla.firefox.plist.lockfile 0.000090 firefox
03:44:25 stat64 /Users/**********/Library/Preferences/org.mozilla.firefox.plist 0.000004 firefox
03:44:25 stat64 /Users/**********/Library/Preferences 0.000002 firefox
03:44:25 open /Users/**********/Library/Preferences/org.mozilla.firefox.plist.vjLkANe 0.000100 firefox
有任何想法吗?
您可以使用auditctl来监视与文件系统活动相关的系统调用,例如 open,stat或lstat。可惜监控read还是write好像有问题。
auditctl是一个帮助控制内核审计系统的实用程序。您需要是 root 用户才能使用它。它支持各种过滤器,例如:
devmajor Device Major Number
devminor Device Minor Number
dir Full Path of Directory to watch. This will place a recursive
watch on the directory and its whole subtree. It can only be
used on exit list. See "-w".
egid Effective Group ID. May be numeric or the groups name.
euid Effective User ID. May be numeric or the user account name.
filetype The target file's type. Can be either file, dir, socket, symlink,
char, block, or fifo.
path Full Path of File to watch. It can only be used on exit list.
pid Process ID
ppid Parent's Process ID
示例(在 Fedora 16 x86_64 上测试)
要添加审核规则,请以 root 身份运行:
for syscall in open stat lstat read write; do
auditctl -a exit,always -F arch=b64 -S $syscall \
-F euid=1000 \
-F dir=/tmp/superuser.com/questions/370070
done
要稍后删除它们,请替换-a为-d:
for syscall in open stat lstat read write; do
auditctl -d exit,always -F arch=b64 -S $syscall \
-F euid=1000 \
-F dir=/tmp/superuser.com/questions/370070
done
添加规则后,以 UID 1000 的用户身份在该目录下执行某些操作:
cd /tmp/superuser.com/questions/370070
echo foo > bar
cat bar
stat bar
ausearch --start 00:00:00 --uid-effective 1000将返回以下内容(日志为/var/log/audit/audit.log):
time->Thu Jun 14 00:02:32 2012
type=PATH msg=audit(1339621352.871:18529): item=0 name="/tmp/superuser.com/questions/370070" inode=178 dev=fd:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1339621352.871:18529): cwd="/home/ciupicri"
type=SYSCALL msg=audit(1339621352.871:18529): arch=c000003e syscall=4 success=yes exit=0 a0=139bbf0 a1=7fff32d832d0 a2=7fff32d832d0 a3=24 items=1 ppid=2249 pid=3446 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
[root@hermes ~]# ausearch --start 00:00:00 --uid-effective 1000
----
time->Thu Jun 14 00:02:32 2012
type=PATH msg=audit(1339621352.871:18529): item=0 name="/tmp/superuser.com/questions/370070" inode=178 dev=fd:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1339621352.871:18529): cwd="/home/ciupicri"
type=SYSCALL msg=audit(1339621352.871:18529): arch=c000003e syscall=4 success=yes exit=0 a0=139bbf0 a1=7fff32d832d0 a2=7fff32d832d0 a3=24 items=1 ppid=2249 pid=3446 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
time->Thu Jun 14 00:02:47 2012
type=PATH msg=audit(1339621367.175:18531): item=0 name="bar" inode=218 dev=fd:03 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1339621367.175:18531): cwd="/tmp/superuser.com/questions/370070"
type=SYSCALL msg=audit(1339621367.175:18531): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ed6b37f a1=0 a2=0 a3=7fff5ed69460 items=1 ppid=3446 pid=4735 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
time->Thu Jun 14 00:02:47 2012
type=PATH msg=audit(1339621367.172:18530): item=1 name="bar" inode=218 dev=fd:03 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=PATH msg=audit(1339621367.172:18530): item=0 name="/tmp/superuser.com/questions/370070" inode=178 dev=fd:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1339621367.172:18530): cwd="/tmp/superuser.com/questions/370070"
type=SYSCALL msg=audit(1339621367.172:18530): arch=c000003e syscall=2 success=yes exit=3 a0=1665500 a1=241 a2=1b6 a3=4 items=2 ppid=2249 pid=3446 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
time->Thu Jun 14 00:02:47 2012
type=PATH msg=audit(1339621367.971:18532): item=0 name="bar" inode=218 dev=fd:03 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1339621367.971:18532): cwd="/tmp/superuser.com/questions/370070"
type=SYSCALL msg=audit(1339621367.971:18532): arch=c000003e syscall=6 success=yes exit=0 a0=7fffdc713375 a1=7fffdc711580 a2=7fffdc711580 a3=7fffdc7112f0 items=1 ppid=3446 pid=4736 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="stat" exe="/usr/bin/stat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
系统调用号可以在/usr/include/asm/unistd_64.h.
| 归档时间: |
|
| 查看次数: |
4043 次 |
| 最近记录: |