DragonFly On-Line Manual Pages
PEOCHK(8) DragonFly System Manager's Manual PEOCHK(8)
NAME
peochk - Initial key generator and integrity log file checker
SYNOPSIS
peochk [-f logfile] [-g] [-h] [-i key0file] [-k keyfile] [-l]
[-m hash_method] [-q] [logfile]
DESCRIPTION
peochk generates the initial key file and checks log files generated by
syslogd(8) using peo output module om_peo(8). The options are as
follows:
-f logfile
Specify the pathname of a log file. If logfile is not specified
with this option, data is read from standard input and the
pathname is used only to generate reports and/or to derive the
key file pathnames when the -k and/or -i options are not
specified; the default is /var/log/messages.
-g Generates two key files containing an initial key, one in
binary mode (keyfile, to be used by the peo output module) and the
other in ASCII mode (key0file); the admin should put the latter
in a secure place and remove it from the specified path
(see the -i and -k options). When this option is not specified,
peochk runs in check mode.
-h Displays a short help message.
-i key0file
Specify the initial key pathname; the default is the keyfile pathname
with a "0" character appended (see the -k option).
-k keyfile
Specify the key pathname (this file is used by the peo output
module to generate a hash key from the last logged message); the
default is /var/ssyslogd/xxx.key where xxx is logfile (whether
given with the -f option or defaulted) with every '/' replaced by '.'.
-l Used only in check mode to detect the first corrupted line; it is
ignored when specified with the -g option.
-m hash_method
Specifies the hash method used to generate the keys; hash_method
must be one of md5, sha1, or rmd160. The default is sha1.
-q Quiet mode; prints '0' on stdout when logfile is not corrupted,
and '1' or the line number (see the -l option) when the logfile is
corrupted.
EXAMPLES
If you want to protect the /var/log/authlog file you can:
1. Run the command:
peochk -g -f /var/log/authlog -i authkey0 -m rmd160
This generates the /var/ssyslog/var.log.authlog.key file with the
initial key in binary mode and the ./authkey0 file with that key
translated to ASCII; the hash method used to generate the key is
rmd160. You should memorize the contents of the ./authkey0 file and
rm(1) it.
2. Edit the syslog.conf(5) file and enable the peo output module with something
like this:
auth.info %classic /var/log/authlog %peo -m rmd160 -l -k /var/ssyslog/.var.log.authlog.key
3. Notify syslogd(8) of the changes to syslog.conf(5):
kill -HUP `cat /var/run/syslog.pid`
4. When you believe that someone has owned your machine you can run:
peochk -m rmd160 -f /var/log/authlog -i mykey
The contents of mykey should be the same as the ./authkey0 file generated in
step 1; with the command above you can verify whether or not the log file
was corrupted (it is important not to forget the -m option, because
the default is sha1 and the keys were generated using rmd160).
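The following is an added illustrative model of the check described in the four steps above; it is not code from this manual page or from the ssyslog project. The key-chaining rule (each new key is the hash of the previous key and the logged message), the per-line tag layout used to model om_peo's -l option, and all function names are assumptions chosen for illustration; the real om_peo record format is not described here. The model reproduces the -q result codes (0 intact, 1 corrupted, or the first corrupted line number with -l).

```python
import hashlib
import os

# Added illustrative model of PEO-style log integrity (not ssyslog's code).
# Assumption: key_i = H(key_{i-1} || message_i); with om_peo's -l option each
# log line carries hex(key_i) as a per-line tag. The real record layout may
# differ; only the behaviour described in the manual page is mirrored.


def hasher(method):
    """Return a fresh hash object for one of the manual's hash methods."""
    if method not in ("md5", "sha1", "rmd160"):
        raise ValueError("hash_method must be md5, sha1 or rmd160")
    # rmd160 needs OpenSSL's legacy provider on some Python builds.
    return hashlib.new("ripemd160" if method == "rmd160" else method)


def next_key(method, key, message):
    """Derive the next chain key from the previous key and the logged message."""
    h = hasher(method)
    h.update(key)
    h.update(message.encode("utf-8"))
    return h.digest()


def generate_keys(method):
    """Model of 'peochk -g': a random initial key. The binary keyfile and the
    ASCII key0file start out holding the same value; key0 is kept off-box."""
    key0 = os.urandom(hasher(method).digest_size)
    return key0, key0.hex()


def append_messages(method, key, messages):
    """Model of om_peo writing lines: tag each line and advance the keyfile key."""
    lines = []
    for msg in messages:
        key = next_key(method, key, msg)
        lines.append(f"{msg} {key.hex()}")
    return lines, key


def check_log(method, key0, lines, keyfile_key, first_line=False):
    """Model of peochk check mode with -q semantics: 0 if intact, otherwise 1,
    or the 1-based number of the first corrupted line when first_line (-l) is set."""
    key = key0
    for number, line in enumerate(lines, start=1):
        msg, _, tag = line.rpartition(" ")
        key = next_key(method, key, msg)
        if first_line and tag != key.hex():
            return number
    # Without -l only the final chain key is compared with the keyfile.
    return 0 if key == keyfile_key else 1


if __name__ == "__main__":
    key0, key0_ascii = generate_keys("sha1")
    log, keyfile = append_messages("sha1", key0, ["login ok", "sudo used", "logout"])
    print("intact:", check_log("sha1", key0, log, keyfile))
    # Constructed tampering: rewrite message 2 but keep its original tag.
    log[1] = "sudo denied " + log[1].rpartition(" ")[2]
    print("first corrupted line:", check_log("sha1", key0, log, keyfile, first_line=True))
```

In this model the only secret that survives on the machine is the current key in keyfile, which is why step 1 tells you to memorize key0 and remove it: someone who later takes over the host can read the current key but not the earlier ones, so they cannot re-tag or silently truncate lines that were logged before the compromise, and a check started from the off-box key0 exposes the change.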
SEE ALSO
syslog.conf(5), om_peo(8), syslogd(8)
BUGS
Submit bugs at this project's Sourceforge bug reporting system at:
http://sourceforge.net/tracker/?func=add&group_id=25741&atid=385117 You
may also report them directly to the authors; send an email to
core.devel.alat@corest.com describing the problem as fully as you can,
including a machine description, hardware description, the
configuration file (/usr/local/etc/syslog.conf), the OS description, and
the invoking command line. The more you describe the bug, the faster we
can fix it.
Core-SDI May 10, 2000 Core-SDI