Under audit logging for execs, I noticed that strings is being repeatedly called on the same rcfiles. This output can be memoized, at low memory cost, in order to achieve an interesting decrease in user + system time, especially when combined with changes from #186.
As indicated in a comment, it would be great to be able to use bash's built-in regex support in order to replace grep for checking the output of strings. At least, it seems to work for a non-regex line from STRINGSCAN (IptabLex), and it further slashes the run time by a factor of ~4!
Core i7-6700 HQ (SMP, SMT disabled), 32 GB DDR4-2133, Debian sid amd64, cache hot (second run):
before:
\time rkhunter --cronjob --report-warnings-only --enable possible_rkt_strings
43.55user 33.88system 0:44.34elapsed 174%CPU (0avgtext+0avgdata 16084maxresident)k
0inputs+72outputs (29major+7159137minor)pagefaults 0swaps
changes from #186 + changes from this patch:
\time rkhunter --cronjob --report-warnings-only --enable possible_rkt_strings
20.57user 13.87system 0:31.97elapsed 107%CPU (0avgtext+0avgdata 16084maxresident)k
0inputs+72outputs (0major+3816006minor)pagefaults 0swaps
changes from #186 + changes from this patch modified with bash's built-in regex support (see comment near the end of the diff):
5.92user 3.29system 0:07.69elapsed 119%CPU (0avgtext+0avgdata 16088maxresident)k
0inputs+64outputs (0major+1012098minor)pagefaults 0swaps
There's a drawback to memoizing the output of strings, though: DoS upon huge rcfiles...
Here's another take on optimizing the possible_rkt_strings check, which no longer memoizes anything. I split the work between a fast path which tries to find all strings at once in every rcfile, and a slow path if the first check returns at least one match.
Core i7-6700 HQ (SMP, SMT disabled), 32 GB DDR4-2133, Debian sid amd64, cache hot:
before:
\time rkhunter_ --cronjob --report-warnings-only --enable possible_rkt_strings
44.21user 37.16system 0:45.80elapsed 177%CPU (0avgtext+0avgdata 16116maxresident)k
0inputs+80outputs (23major+7266578minor)pagefaults 0swaps
changes from #186 + changes from this patch:
\time rkhunter --cronjob --report-warnings-only --enable possible_rkt_strings
6.22user 3.40system 0:07.61elapsed 126%CPU (0avgtext+0avgdata 16116maxresident)k
0inputs+96outputs (0major+1088480minor)pagefaults 0swaps
PIII 1 GHz (UP), 256 MB RAM, Debian sid amd64, cache hot:
before:
\time rkhunter --cronjob --report-warnings-only --enable possible_rkt_strings
49.05user 165.23system 3:39.00elapsed 97%CPU (0avgtext+0avgdata 8448maxresident)k
1128inputs+128outputs (0major+4008509minor)pagefaults 0swaps
changes from #186 + changes from this patch:
\time rkhunter --cronjob --report-warnings-only --enable possible_rkt_strings
12.58user 32.50system 0:46.05elapsed 97%CPU (0avgtext+0avgdata 8704maxresident)k
0inputs+80outputs (0major+831752minor)pagefaults 0swaps
Nearly 30" saved on the former, nearly 3' on the latter.
This version of the patch also contains minor optimizations in other tests.
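The fast path / slow path split described above, as an added shell example that is not the patch's code or rkhunter's own. The function names, the sample files and the "example-marker" pattern are constructed for illustration; IptabLex is the fixed string mentioned in the first post.

```shell
# Added example; extract_strings, scan_rcfiles and demo_scan are hypothetical names.

# Printable strings of a file; falls back to tr when binutils' strings is absent.
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1"
    fi
}

# scan_rcfiles PATTERN_FILE FILE...
# Prints "file: pattern" per fixed-string hit; returns 0 if anything matched.
scan_rcfiles() {
    local patterns="$1" file pat found=1
    shift
    for file in "$@"; do
        [ -f "$file" ] || continue
        # Fast path: one extraction and one grep for all patterns at once.
        extract_strings "$file" | grep -q -F -f "$patterns" || continue
        # Slow path: only for files that hit, find out which pattern matched.
        while IFS= read -r pat || [ -n "$pat" ]; do
            [ -n "$pat" ] || continue
            if extract_strings "$file" | grep -q -F -e "$pat"; then
                printf '%s: %s\n' "$file" "$pat"
                found=0
            fi
        done < "$patterns"
    done
    return "$found"
}

# Constructed sample: a clean rc file and one with a marker between binary bytes.
demo_scan() {
    local dir rc=0
    dir=$(mktemp -d) || return 2
    printf 'IptabLex\nexample-marker\n' > "$dir/patterns"
    printf '#!/bin/sh\necho boot\n' > "$dir/rc.clean"
    printf '#!/bin/sh\n/tmp/x\000\001IptabLex\002\n' > "$dir/rc.flagged"
    (cd "$dir" && scan_rcfiles patterns rc.clean rc.flagged) || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Clean files cost one strings and one grep each, and nothing is cached between files, so memory use does not grow with rcfile size.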