How do I find the device ID in the audit log?


I want to use audit to find out who writes to the rootfs device:

auditctl -w /var/lib -p w

I have this log entry:

type=SYSCALL msg=audit(1687705400.741:250): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffe429aec10 a2=a0002 a3=0 items=1 ppid=15931 pid=13750 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=4294967295 comm="postgres" exe="/usr/lib/postgresql/15/bin/postgres" key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="etcd" GID="ping" EUID="etcd" SUID="etcd" FSUID="etcd" EGID="ping" SGID="ping" FSGID="ping"
type=CWD msg=audit(1687705400.741:250): cwd="/var/lib/postgresql/data/pgdata"
type=PATH msg=audit(1687705400.741:250): item=0 name="/dev/shm/PostgreSQL.845382982" inode=3 dev=00:90 mode=0100600 ouid=999 ogid=999 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="etcd" OGID="ping"
type=PROCTITLE msg=audit(1687705400.741:250): proctitle=706F7374677265733A206175746F76616375756D20776F726B657220

I want to know how to look up dev=00:90.

The command runs in a container, but auditing runs on the host, and I want to filter by the rootfs device /dev/sdi2.
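The dev= field in a PATH record is hexadecimal major:minor, so dev=00:90 is device 0:144 in decimal; major 0 means a virtual filesystem with no block device behind it (here the tmpfs mounted on /dev/shm), not /dev/sdi2. The Python below is an added example, not code from the post: it decodes that field and matches it against a constructed /proc/self/mountinfo excerpt; the mountinfo lines and the 8:130 numbers assumed for /dev/sdi2 are made up for the demonstration.

```python
import os
import re
# Constructed sample input: the PATH record from the post above.
AUDIT_LINES = [
    'type=PATH msg=audit(1687705400.741:250): item=0 name="/dev/shm/PostgreSQL.845382982" '
    'inode=3 dev=00:90 mode=0100600 ouid=999 ogid=999 rdev=00:00 nametype=NORMAL',
]
# Constructed /proc/self/mountinfo excerpt (field 3 is DECIMAL major:minor); 8:130 for /dev/sdi2 is an assumption.
MOUNTINFO = """\
22 28 0:144 / /dev/shm rw,nosuid,nodev shared:6 - tmpfs tmpfs rw
28 1 8:130 / / rw,relatime shared:1 - ext4 /dev/sdi2 rw
"""

def parse_audit_dev(field):
    """Audit dev= and rdev= are HEX 'major:minor'; return decimal (major, minor)."""
    major, minor = field.split(":")
    return int(major, 16), int(minor, 16)

def path_records(lines):
    """Extract (name, (major, minor)) from every type=PATH record."""
    found = []
    for line in lines:
        if not line.startswith("type=PATH "):
            continue
        name = re.search(r'\bname="([^"]*)"', line)
        dev = re.search(r'\bdev=([0-9a-f]+:[0-9a-f]+)', line)  # \b keeps rdev= out
        if name and dev:
            found.append((name.group(1), parse_audit_dev(dev.group(1))))
    return found

def mount_table(mountinfo_text):
    """Map decimal (major, minor) -> (mount point, fstype, source) from mountinfo text."""
    table = {}
    for line in mountinfo_text.splitlines():
        left, _, right = line.partition(" - ")   # optional fields end at " - "
        f, r = left.split(), right.split()
        if len(f) >= 5 and len(r) >= 2:
            major, minor = (int(x) for x in f[2].split(":"))
            table[(major, minor)] = (f[4], r[0], r[1])
    return table

def resolve(lines, mountinfo_text):
    """For each PATH record, name the filesystem its dev= points at (None if unmounted/unknown)."""
    table = mount_table(mountinfo_text)
    return [(name, dev, table.get(dev)) for name, dev in path_records(lines)]

def device_of(path):
    """Decimal (major, minor) of the filesystem holding `path`, for comparison with dev=."""
    st = os.stat(path)
    return os.major(st.st_dev), os.minor(st.st_dev)
```

On the real host, read /proc/self/mountinfo there and compare the decoded pair with device_of("/") on the host, since the container's paths mean nothing outside it; auditctl syscall rules can also restrict matches to one device with -F devmajor= and -F devminor= (decimal values).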
