Fix parsing of virtual timestamp fields in ausearch_expression

caidongyun · Mar 28, 2018 · 4dcbcd8 · 4dcbcd8
1 parent aad8002
commit 4dcbcd8
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 5 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -6,6 +6,7 @@
 - Adjust backlog_wait_time in rules to the kernel default (#1482848)
 - Remove ids key syntax checking of rules in auditctl
 - Use SIGCONT to dump auditd internal state (#1504251)
+- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
 
 2.8.3
 - Correct msg function name in lru debug code

diff --git a/TODO b/TODO
@@ -1,7 +1,6 @@
 Future roadmap (subject to change):
 ===================================
 3.0
-* Verify \timestamp_ex is supported in ausearch-expression, if so update man pg
 * Support TLS PSK as remote logging transport
 * Performance improvements for auparse (Memory management)
 * In audispd, look into non-blocking handling of write to plugins

diff --git a/auparse/expression.c b/auparse/expression.c
@@ -382,18 +382,26 @@ parse_timestamp_value(struct expr *dest, struct parsing *p)
 	intmax_t sec;
 
 	assert(p->token == T_STRING);
-	/* FIXME: other formats? */
-	if (sscanf(p->token_value, "ts:%jd.%u:%u", &sec,
+	/*
+	 * On a timestamp field we will do all the parsing ourselves
+	 * rather than use lex(). At the end we will move the internal cursor.
+	 */
+	if (sscanf(p->token_start, "ts:%jd.%u:%u", &sec,
 		   &dest->v.p.value.timestamp_ex.milli,
 		   &dest->v.p.value.timestamp_ex.serial) != 3) {
-		if (sscanf(p->token_value, "ts:%jd.%u", &sec,
+		if (sscanf(p->token_start, "ts:%jd.%u", &sec,
 			   &dest->v.p.value.timestamp.milli) != 2) {
 			if (asprintf(p->error, "Invalid timestamp value `%.*s'",
 				     p->token_len, p->token_start) < 0)
 				*p->error = NULL;
 			return -1;
 		}
 	}
+
+	/* Move the cursor past what we parsed. */
+	size_t num = strspn(p->token_start, "ts:0123456789.");
+	p->src = p->token_start + num;
+
 	/* FIXME: validate milli */
 	dest->v.p.value.timestamp.sec = sec;
 	if (dest->v.p.value.timestamp.sec != sec) {

diff --git a/docs/ausearch-expression.5 b/docs/ausearch-expression.5
@@ -182,13 +182,43 @@ The following virtual fields are defined:
 .B \etimestamp
 The value is the timestamp of the current event.
 .I value
-must have the \fBts:\fIseconds\fR.\fImilli\fR format, where
+must be formatted as:
+.sp
+.in +5
+.nf
+.na
+ts:seconds.milli
+.ad
+.fi
+.in -5
+.sp
+where
 .I seconds
 and
 .I milli
 are decimal numbers specifying the seconds and milliseconds part of the
 timestamp, respectively.
 
+.TP
+.B \etimestamp_ex
+This is similar to
+.B \etimestamp
+but also includes the event's serial number.
+.I value
+must be formatted as:
+.sp
+.in +5
+.nf
+.na
+ts:seconds.milli:serial
+.ad
+.fi
+.in -5
+.sp
+where
+.I serial
+is a decimal number specifying the event's serial number.
+
 .TP
 .B \erecord_type
 The value is the type of the current record.