[Aide] Question about report output

Pablo Virolainen pablo at vapaa.fi
Thu Nov 30 08:53:59 EET 2006


On Wed, 29 Nov 2006, Jason Martens wrote:

> On Wed, 2006-11-29 at 09:25 +0100, Richard van den Berg wrote:
> > Jason Martens wrote:
> <snip>
> > > The report would be much more useful if it listed what changed in human
> > > readable form, rather than hex or some other numerical method.  Or, at
> > > least have a readily accessible table so us poor humans can convert
> > > it... :)
> >
> > For changed attributes of the files, that is the case of course. For
> > changes of the number of attributes present in the aide.db this is just
> > a warning because you should have anticipated this when changing the
> > aide.conf file. Why spell out in detail what you probably already know
> > and changed intentionally?
>
> Ahhh, ok. That makes more sense.  I was confused, thinking that the
> report was telling me that the *file* had changed, when in fact, the
> *database* had changed.
>
> I guess it would be nice if it was more obvious which is which, but I
> don't really think it's necessary to list the changed attributes in this
> case.
>

Actually it doesn't tell that your database has changed. It tells that you
have stored a different set of data to the database than what you have just
calculated. It might be because of a bug in aide or the fact that you just
edited your configuration file (or the 'file' type has been changed from
normal file to directory/device-node/named socket). The Attr field in the
database tells which columns in this row are valid. So it presents
R+a+sha1 in the configuration file && what information aide was/is able to
collect.

Actually, we could calculate hashes from directories (and block devices),
but I think it don't want to do it.
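So the md calc code would be something like the following (note, the code is
missing error handling)

#include <dirent.h>

struct dirent *data;
DIR *dirp=opendir(filename);
/* <initialise hash functions> */
/* inner parentheses are required: != binds tighter than = */
while ((data=readdir(dirp))!=NULL) {
        /* feed each raw directory record into the digest context */
        update_md(&mdc,data,data->d_reclen);
}
closedir(dirp);
/* <finalise hash functions> */
/* <collect hash values> */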

Pablo Virolainen
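
Added example, not part of the original message and not AIDE code: the directory digest sketched above with the error handling filled in. It hashes the sorted entry names so the value does not depend on readdir() order. FNV-1a stands in for AIDE's digest routines, and `dir_digest` and `by_name` are names made up for this sketch.

```c
#include <dirent.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FNV-1a 64-bit: a non-cryptographic stand-in for a real digest (assumption). */
static uint64_t fnv1a(uint64_t h, const char *s, size_t len)
{
    while (len--) {
        h ^= (unsigned char)*s++;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Byte-wise name order, so the digest is the same in every locale. */
static int by_name(const struct dirent **a, const struct dirent **b)
{
    return strcmp((*a)->d_name, (*b)->d_name);
}

/* Digest the sorted entry names of a directory. 0 on success, -1 on error. */
int dir_digest(const char *path, uint64_t *out)
{
    struct dirent **list;
    int i, n = scandir(path, &list, NULL, by_name);

    if (n < 0)          /* not a directory, unreadable, or out of memory */
        return -1;
    *out = 0xcbf29ce484222325ULL;               /* FNV offset basis */
    for (i = 0; i < n; i++) {
        /* hash the trailing NUL too, so "ab","c" differs from "a","bc" */
        *out = fnv1a(*out, list[i]->d_name, strlen(list[i]->d_name) + 1);
        free(list[i]);
    }
    free(list);
    return 0;
}

int main(int argc, char **argv)
{
    uint64_t h;

    if (argc != 2 || dir_digest(argv[1], &h) != 0) {
        fprintf(stderr, "usage: %s DIR (must be a readable directory)\n", argv[0]);
        return 1;
    }
    printf("%016llx  %s\n", (unsigned long long)h, argv[1]);
    return 0;
}
```

Only entry names are covered, so this notices added, removed and renamed entries but not changes to the entries' own contents or metadata.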

