44 lines
1.5 KiB
Diff
44 lines
1.5 KiB
Diff
|
From f97f0579fafcd9fc58d892699a22ae7ee68aeff3 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Sergio Correia <scorreia@redhat.com>
|
||
|
|
Date: Mon, 16 Dec 2024 09:06:13 +0000
|
||
|
|
Subject: [PATCH] ausearch-parse: fix parsing for success/uid in
|
||
|
|
parse_daemon1() (#394)
|
||
|
|
|
||
|
|
In parse_daemon1(), we may have the uid= field appear both before and
|
||
|
|
after pid=, which may cause our parsing of it to fail, as we may have
|
||
|
|
skipped past it. For uid=, let us search from the beginning.
|
||
|
|
|
||
|
|
Example for this case:
|
||
|
|
|
||
|
|
type=DAEMON_END msg=audit(1709723032.140:753): op=terminate auid=0 uid=0 ses=8 pid=107086 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success
|
||
|
|
|
||
|
|
ausearch -if sample.log -a 753 -m DAEMON_END -ui 0 --session 8 -p 107086 --success yes
|
||
|
|
|
||
|
|
Signed-off-by: Sergio Correia <scorreia@redhat.com>
|
||
|
|
|
||
|
|
Reference:https://github.com/linux-audit/audit-userspace/commit/f97f0579fafcd9fc58d892699a22ae7ee68aeff3
|
||
|
|
Conflict:NA
|
||
|
|
|
||
|
|
---
|
||
|
|
src/ausearch-parse.c | 4 +++-
|
||
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
|
||
|
|
index 4c9bef0d..e15396d7 100644
|
||
|
|
--- a/src/ausearch-parse.c
|
||
|
|
+++ b/src/ausearch-parse.c
|
||
|
|
@@ -1549,7 +1549,9 @@ static int parse_daemon1(const lnode *n, search_items *s)
|
||
|
|
|
||
|
|
// uid - optional
|
||
|
|
if (event_uid != -1) {
|
||
|
|
- ptr = term;
|
||
|
|
+ // As the uid= field may happen in different orders, e.g. both before
|
||
|
|
+ // and after pid=, let us search for the uid from the beginning.
|
||
|
|
+ term = mptr;
|
||
|
|
str = strstr(term, " uid=");
|
||
|
|
if (str) {
|
||
|
|
ptr = str + 5;
|
||
|
|
--
|
||
|
|
2.33.0
|
||
|
|
|