[Aide] manual.html, Understanding Aide rule matching

Thu Dec 8 11:44:05 EET 2005

On Wed, 7 Dec 2005, Marc Haber wrote:

> After quite some time, I have read the manual.html again, and have
> found it lacking some information, and the man page mentions things
> that are not in the manual and vice versa.
>
> I'd like to have some things clarified, especially in the
> "Understanding Aide rule matching", since, frankly, that part of the
> manual creates more confusion in me than it helps me understand.
>
> Which kind of regexp does aide use? From what I read in manual.html,
> aide uses the system regexp calls and thus understands the "local
> regexp dialect". Thus, a configfile that was built for a GNU system
> might work differnetly or be entirely unuseable on a BSD system where
> the regexp library doesn't have the GNU extensions, right? Do all
> regexp libraries distinguish between simple and extended regexps, and
> which one does aide use?
>
> If aide creates a tree of the regexp rules, and thus the rules are the
> nodes in the tree, why does it have three separate lists for each node
> when there is only one rule per node and thus two of the lists are
> always empty and the third has only one element?

You should think node's as directories. There can be three kinks of rules 
in the directory (selective, equal and negative rules).

Same 'directory' can have unlimited amount of rules. (actually it's not 
unlimited, because we have limited address space;)

Let's say that we have rules "/usr/local/bar" and "/usr/local/fuu", we 
will have two rules in the same 'directory' or node.

>> From the fact that !/proc would be placed in the root node and that
> !/proc/.* would be place in the /proc node, I suspect that the tree
> has not the regexps as nodes, but instead the directory tree. If so,
> then the first sentence of the paragraph is wrong and misleading.
>
> What exactly is "a deeper match"?

If we have rules "/usr/" and "/usr/local/", "/usr/local/" is deeper 
match.
Rules are placed to selection tree. If we have rule "/usr/local/[bB]*" it 
will create tree
("/",("/usr/",("/usr/local/",(),"/usr/local/[bB]*",(),()),(),(),()),(),(),())
When we match entry "/usr/local/bin/sshfs", we first enter (in our tree) 
to /usr -> local -> bin (and because we don't have bin dir in /usr/local, 
we'll stay to "/usr/local/"). Then we scan rules in that 'directory' to 
the root untill we find select rule... Manual.html explains this part.

> What exactly does happen when src/gen_list.c decides to "add a file"?
> Is it added with the expression, or with the values that represent the
> current status of the file to be compared later?
>
> What exactly is the difference between /etc$ and =/etc$? I have always
> gotten around without using "=" rules, but maybe that's part of my
> mistake?

It's just speed optimisation. '=' rules are not compared when we 
recursivly go down to root dir/node in our tree. Remember that regexp 
compare can be quite slow -> so we have tried to minimise the number of 
comparision.

> Does the /etc/ppp/logs rule create a single node for /etc/ppp directly
> under the root node, or does it create a node for /etc under root, and
> a node /etc/ppp under /etc?

It creates nodes "/" "/etc" "/etc/ppp" "/etc/ppp/logs".. You can check it 
with patch I send some time ago.

> I hope that I will finally understand what's going on, and then could
> help in improving the documentation.

Improved documentation is needed. (I would like to write one, but 
experience has shown that my documents are just too hard to read) Actually 
there has been only one person, who has been able to read those. Antti 
Kervinen.

Duke NEMO / C.O.M.A
alias pablo the pallo virolainen