From f97f0579fafcd9fc58d892699a22ae7ee68aeff3 Mon Sep 17 00:00:00 2001 From: Sergio Correia Date: Mon, 16 Dec 2024 09:06:13 +0000 Subject: [PATCH] ausearch-parse: fix parsing for success/uid in parse_daemon1() (#394) In parse_daemon1(), we may have the uid= field appear both before and after pid=, which may cause our parsing of it to fail, as we may have skipped past it. For uid=, let us search from the beginning. Example for this case: type=DAEMON_END msg=audit(1709723032.140:753): op=terminate auid=0 uid=0 ses=8 pid=107086 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success ausearch -if sample.log -a 753 -m DAEMON_END -ui 0 --session 8 -p 107086 --success yes Signed-off-by: Sergio Correia Reference:https://github.com/linux-audit/audit-userspace/commit/f97f0579fafcd9fc58d892699a22ae7ee68aeff3 Conflict:NA --- src/ausearch-parse.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c index 4c9bef0d..e15396d7 100644 --- a/src/ausearch-parse.c +++ b/src/ausearch-parse.c @@ -1549,7 +1549,9 @@ static int parse_daemon1(const lnode *n, search_items *s) // uid - optional if (event_uid != -1) { - ptr = term; + // As the uid= field may happen in different orders, e.g. both before + // and after pid=, let us search for the uid from the beginning. + term = mptr; str = strstr(term, " uid="); if (str) { ptr = str + 5; -- 2.33.0
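Review bot: rewinding `term` to `mptr` for the uid lookup (`term = mptr;`) also moves the cursor that the rest of parse_daemon1() appears to advance through the record, so every field parsed after this block now starts its `strstr()` from the beginning of the message instead of from just past `pid=`; that is harmless as long as each later field name occurs only once and is searched with a leading space (as `" uid="` is here, which correctly avoids matching `auid=`), but it is worth either saving and restoring `term` around this lookup or using a separate local for the `strstr()` start so the change cannot silently alter which occurrence later fields match. Note also that the removed `ptr = term;` was the only unconditional assignment to `ptr` in this block: when `strstr()` returns NULL, `ptr` now keeps whatever value it had from the previous field rather than pointing at `term`, so please confirm nothing after the `if (str)` branch reads `ptr` on that path. Finally, the DAEMON_END record and the `ausearch -if sample.log -a 753 -m DAEMON_END -ui 0 --session 8 -p 107086 --success yes` invocation in the commit message are exactly the regression case this fixes; adding them as a test alongside the change would keep the before/after pid= ordering covered.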