Karel Šrot
2016-03-04 08:02:37 UTC
Hello,
I have a question about the aide matching algorithm. Is it using the first
match?
I am asking because I have encountered that with the following config file
/etc/ p+md5
/etc/passwd p+md5+sha1
the sha1 checksum is actually not stored in the aide database while it is
stored when the lines are switched.
Is that by design? In the aide manual I have found the following sentence:
"As it can also be seen, equals selection lines are only checked in the
first recursion step, thus providing some kind of speed optimization by
reducing the number of necessary regular expression evaluations, which is a
quite expensive operation."
but I am not sure if it explains the behaviour I am observing. Moreover,
even the official configuration examples are ordering file paths in the
'from top to bottom' order which would be really confusing if aide is
supposed to work the way it works now.
I have checked both aide v0.14 and v0.15.1, both behave the same way.
Best regards,
Karel Srot
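
A check for the ordering described in the post above (added example, not part of the original message and not AIDE code): it flags a selection line that an earlier, broader line already matches while the later line requests attributes the earlier one lacks. It assumes the first-match behaviour observed in the post, handles only regular selection lines with literal attribute lists, and the names `parse_rules` and `shadowed_rules` are hypothetical.

```python
import re

# Constructed sample configs: the two orderings compared in the post.
ORDER_A = "/etc/ p+md5\n/etc/passwd p+md5+sha1\n"
ORDER_B = "/etc/passwd p+md5+sha1\n/etc/ p+md5\n"


def parse_rules(conf_text):
    """Return (lineno, path_regex, attribute set) for each regular selection line."""
    rules = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments
        # Only regular selection lines (starting with "/") are handled;
        # "!" and "=" lines, group definitions and directives are skipped.
        if not line.startswith("/"):
            continue
        parts = line.split()
        if len(parts) != 2:
            continue
        rules.append((lineno, parts[0], set(parts[1].split("+"))))
    return rules


def shadowed_rules(conf_text):
    """List later lines that an earlier line already matches with fewer attributes.

    Assumption: the first matching line wins, as observed in the post.
    The later line's path is treated as a literal path and tested against
    the earlier line's regex, anchored at the start of the path.
    """
    rules = parse_rules(conf_text)
    findings = []
    for i, (lineno, path, attrs) in enumerate(rules):
        for prev_lineno, prev_path, prev_attrs in rules[:i]:
            missing = attrs - prev_attrs
            if re.match(prev_path, path) and missing:
                findings.append((lineno, path, prev_lineno, sorted(missing)))
                break
    return findings


if __name__ == "__main__":
    for name, conf in (("ORDER_A", ORDER_A), ("ORDER_B", ORDER_B)):
        for lineno, path, prev, missing in shadowed_rules(conf):
            print(f"{name}: line {lineno} ({path}) is shadowed by line {prev}; "
                  f"attributes at risk of being dropped: {'+'.join(missing)}")
```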