I've suddenly started seeing some strange entries in /var/log/auth.log. They show up roughly every 10-20 seconds. There is nothing in cron that would do this, and I don't know where to look next.
Nov 17 02:21:06 centaur su[7498]: + ??? root:user1
Nov 17 02:21:06 centaur su[7498]: pam_unix(su:session): session opened for user user1 by (uid=0)
Nov 17 02:21:06 centaur su[7498]: pam_unix(su:session): session closed for user user1
Nov 17 02:21:22 centaur su[7560]: Successful su for user1 by root
Nov 17 02:21:22 centaur su[7560]: + ??? root:user1
Nov 17 02:21:22 centaur su[7560]: pam_unix(su:session): session opened for user user1 by (uid=0)
Nov 17 02:21:22 centaur su[7560]: pam_unix(su:session): session closed for user user1
Nov 17 02:21:22 centaur su[7572]: Successful su for user1 by root
Nov 17 02:21:22 centaur su[7572]: + ??? root:user1
Nov 17 02:21:22 centaur su[7572]: pam_unix(su:session): session opened for user user1 by (uid=0)
Nov 17 02:21:22 centaur su[7572]: pam_unix(su:session): session closed for user user1
Nov 17 02:21:38 centaur su[7635]: Successful su for user1 by root
Nov 17 02:21:38 centaur su[7635]: + ??? root:user1
Nov 17 02:21:38 centaur su[7635]: pam_unix(su:session): session opened for user user1 by (uid=0)
Nov 17 02:21:38 centaur su[7635]: pam_unix(su:session): session closed for user user1
Nov 17 02:21:38 centaur su[7647]: Successful su for user1 by root
Nov 17 02:21:38 centaur su[7647]: + ??? root:user1
Nov 17 02:21:38 centaur su[7647]: pam_unix(su:session): session opened for user user1 by (uid=0)
Nov 17 02:21:38 centaur su[7647]: pam_unix(su:session): session closed for user user1
I was able to get some information out of top with the following command, but it wasn't much help:
top -b -d 0.1 -n 11130 >> top-file
Result:
6342 root 20 0 60928 1676 1260 S 0.0 0.1 0:00.00 su
Is there a way to make lsof do something similar so I can figure out what is actually going on? Or is there a better way to approach this?
I tried running lsof with the following command, but it doesn't seem to work the way I need:
lsof +r 1 >> lsof-file
Thanks
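A tool-based approach to the question above, added here as an example and not part of the original post: the thing the auth.log entries do not tell you is the parent of each short-lived su, so the script polls the process table, and the moment a process named su appears it prints the full parent chain (su, its parent shell, whatever spawned that, and so on up to init). The `ps -eo pid,ppid,comm` invocation, the 0.1 s polling interval and the `SAMPLE_PS` snapshot are assumptions made for the example; the snapshot is constructed, not captured from the poster's host.

```python
"""Print the ancestry of short-lived 'su' processes by polling the process table.

Added example, not from the original post. Assumes a Linux host where
`ps -eo pid,ppid,comm` works; SAMPLE_PS below is a constructed snapshot.
"""
import subprocess
import time

# Constructed snapshot in the shape `ps -eo pid,ppid,comm` prints (assumption).
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 init
  812     1 cron
 3120   812 sh
 7498  3120 su
 7499  7498 sh
"""


def parse_ps(text):
    """Parse `ps -eo pid,ppid,comm` output into {pid: (ppid, comm)}.

    The header line is skipped. The command name is the remainder of the
    line after the first two fields, so names containing spaces survive.
    """
    table = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2].strip()
        table[pid] = (ppid, comm)
    return table


def find(table, name):
    """Return the pids of every process whose command name equals `name`."""
    return sorted(pid for pid, (_, comm) in table.items() if comm == name)


def ancestry(table, pid):
    """Walk parent links from `pid` upwards until the parent is unknown.

    Stops on an unknown pid (e.g. ppid 0 above init) or on a loop, so a
    stale snapshot cannot make this spin forever.
    """
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        ppid, comm = table[pid]
        chain.append((pid, comm))
        pid = ppid
    return chain


def format_chain(chain):
    """Render a chain as 'su[7498] <- sh[3120] <- cron[812] <- init[1]'."""
    return " <- ".join(f"{comm}[{pid}]" for pid, comm in chain)


def watch(name="su", interval=0.1):
    """Sample the process table until interrupted; report each new pid once."""
    reported = set()
    while True:
        out = subprocess.run(
            ["ps", "-eo", "pid,ppid,comm"],
            capture_output=True, text=True, check=True,
        ).stdout
        table = parse_ps(out)
        for pid in find(table, name):
            if pid not in reported:
                reported.add(pid)
                print(format_chain(ancestry(table, pid)))
        time.sleep(interval)


if __name__ == "__main__":
    watch()
```

Two caveats a practitioner would want. First, polling can miss a process that lives for less than one interval; the log shows each su session opened and closed within the same second, so if the script prints nothing, lower the interval or switch to an exec-level recorder such as an auditd watch on the su binary (`auditctl -w /bin/su -p x`), whose records include the executing process's ppid. Second, if the spawner exits before the sample is taken, the su (or its child) is reparented to init and the chain ends at init[1], which is itself a hint that a short-lived wrapper is forking it. The `???` field in `+ ??? root:user1` is su's controlling-tty field and means there was none, consistent with a non-interactive spawner rather than someone typing at a terminal.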