[mig modules] file module's mtime should support years or static stamps



Enterprise Information Security
2 years ago
2 years ago


(Reporter: kang, Unassigned)



For ex:
mig file -t "environment->>'os'='linux' AND tags->>'operator'='IT'" -name '.crt$' -path /etc/pki/tls/certs -maxdepth 1  -mtime  '>1460d'

That's 4 years, not super convenient. Moreover, for more precision, that date interval needs to be converted to hours (35040h for ex), otherwise you're limited to a specific day. And of course, that's a rough simplification since I just multiplied by 365 days for a year, but in our calendar-based reality this won't always give the expected results.

ideally, so that the user doesn't have to calculate the "time before" or "time after" manually for long periods, maybe we should parse a timestamp such as:

-mtime ">2015-01-01 10:52:00 UTC"

the module would then convert it
Not a bad idea. Here again we simply reproduce the behavior of find's -mtime parameter, without the rounding aspect.

We could parse a timestamp, but I'd want to make it a separate parameter. '-msince' for example. Parsing dates can be hard, so we need to enforce a specific data format. MIG uses RFC3339 in most places.

Calculating months or years accurately seems like a lot of work for little benefit. I'm not sold on that.
Also note that the results from the file module contain the exact 'lastmodified' date, so you can always grep on the command line.

> server.example.net /etc/somefile [lastmodified:2013-04-07 15:42:10 +0000 UTC, mode:-rw-r--r--, size:651075] in search 's1'
Yeah, I'm doing as per comment 2 for now as a work-around (while overshooting the date a bit), works OK, but it's not the most convenient. Generally only an issue for searches on really old stuff.
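
The conversion discussed in this thread, as an added example (not part of the bug report and not MIG's code): a Go helper that turns an RFC3339 cutoff into the relative '>Nh' value for -mtime, and a check of how far the 365-days-per-year shortcut drifts from the calendar date. The function names and the reference time are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"time"
)

// mtimeSince converts an RFC3339 cutoff into the relative ">Nh" form used
// with -mtime in this thread. Hours are rounded down, so no file older than
// the cutoff is missed; files up to an hour newer may also match and can be
// filtered on the exact lastmodified field in the results.
func mtimeSince(cutoff string, now time.Time) (string, error) {
	t, err := time.Parse(time.RFC3339, cutoff)
	if err != nil {
		return "", fmt.Errorf("cutoff must be RFC3339: %w", err)
	}
	if !t.Before(now) {
		return "", fmt.Errorf("cutoff %s is not in the past", cutoff)
	}
	return fmt.Sprintf(">%dh", int64(now.Sub(t)/time.Hour)), nil
}

// naiveDrift reports how far "years * 365 days before now" lands from the
// same calendar date that many years earlier (leap days cause the gap).
func naiveDrift(years int, now time.Time) time.Duration {
	calendar := now.AddDate(-years, 0, 0)
	naive := now.Add(-time.Duration(years*365*24) * time.Hour)
	return naive.Sub(calendar)
}

func main() {
	// Constructed reference time; a real run would use time.Now().
	now := time.Date(2019, 1, 1, 10, 52, 0, 0, time.UTC)
	arg, err := mtimeSince("2015-01-01T10:52:00Z", now)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("-mtime '%s'\n", arg)
	fmt.Println("1460d misses the calendar date by", naiveDrift(4, now))
}
```

With the constructed reference time, four calendar years span a leap day, so the exact value is 35064h rather than the 35040h obtained from 1460 days.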
Migrated to github issues: https://github.com/mozilla/mig/issues
Last Resolved: 2 years ago
Resolution: --- → FIXED