

PEOCHK(8)              DragonFly System Manager's Manual             PEOCHK(8)

NAME

peochk - Initial key generator and integrity log file checker

SYNOPSIS

peochk [-f logfile] [-g] [-h] [-i key0file] [-k keyfile] [-l] [-m hash_method] [-q] [logfile]

DESCRIPTION

peochk generates the initial key file and checks log files generated by
syslogd(8) using the peo output module om_peo(8).

The options are as follows:

-f logfile
        Specify the pathname of a log file. If logfile is not specified
        with this option, data is read from standard input and the
        pathname is used only to generate reports and/or to derive the
        key file pathnames when the -k and/or -i options are not given.
        The default is /var/log/messages.

-g      Generate two key files containing an initial key, one in binary
        mode (keyfile, to be used by the peo output module) and the other
        in ASCII mode (key0file). The administrator should store the
        latter in a secure place and remove it from the specified path
        (see the -i and -k options). When this option is not specified,
        peochk runs in check mode.

-h      Display a short help message.

-i key0file
        Specify the initial key pathname. The default is the keyfile
        pathname with a "0" character appended (see the -k option).

-k keyfile
        Specify the key pathname. This file is used by the peo output
        module to generate a hash key from the last logged message. The
        default is /var/ssyslogd/xxx.key, where xxx is logfile (whether
        or not it was given with the -f option) with every '/' replaced
        by '.'.

-l      Used only in check mode, to report the first corrupted line. It
        is ignored when specified together with -g.

-m hash_method
        Specify the hash method used to generate the keys. hash_method
        must be one of md5, sha1, or rmd160. The default is sha1.

-q      Quiet mode: print '0' on stdout when logfile is not corrupted,
        and '1' (or the line number, when -l is given) when it is.

EXAMPLES

If you want to protect the /var/log/authlog file you can:

1.   Run the command:

          peochk -g -f /var/log/authlog -i authkey0 -m rmd160

     This generates the /var/ssyslog/.var.log.authlog.key file with the
     initial key in binary mode and the ./authkey0 file with the same key
     translated to ASCII; the hash method used to generate the key is
     rmd160. You should memorize the contents of the ./authkey0 file and
     rm(1) it.

2.   Edit the syslog.conf(5) file and enable the peo output module with
     something like this:

          auth.info %classic /var/log/authlog %peo -m rmd160 -l -k /var/ssyslog/.var.log.authlog.key

3.   Inform syslogd(8) of the changes to syslog.conf(5):

          kill -HUP `cat /var/run/syslog.pid`

4.   When you believe that someone has owned your machine you can run:

          peochk -m rmd160 -f /var/log/authlog -i mykey

     The contents of mykey should be the same as the ./authkey0 generated
     in step 1. With the command above you can verify whether or not the
     file was corrupted. It is important not to forget the -m option,
     because the default is sha1 and the keys were generated using
     rmd160.
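The DESCRIPTION and the steps above describe a forward-secure log check: the logging host keeps an evolving key derived from the last logged message, and the checker, holding only the initial key (key0file), replays the evolution and reports the first corrupted line (-l) or a 0/1 verdict (-q). The following Python model is an added illustration of that kind of scheme and is not the om_peo(8) or peochk(8) code, nor its on-disk key or log format. It assumes, as a constructed scheme, that each line is tagged with HMAC(key_i, line) and that the key then evolves as key_{i+1} = H(key_i || line); the function names, the "[tag]" suffix format and the sample log lines are all constructed here.

```python
"""Model of a forward-secure, hash-chained log check in the style of peochk.

Added example, not the ssyslog/om_peo code. Assumed scheme: every log line is
tagged with HMAC(key_i, line) and the key then evolves as
key_{i+1} = H(key_i || line). A verifier holding only key0 can recompute every
tag, while a host compromised after line i holds only key_{i+1}, so the
attacker cannot re-tag earlier lines consistently.
"""
import hashlib
import hmac
import os
from typing import List, Tuple

# Method names as accepted by peochk -m, mapped to hashlib names. Note that
# ripemd160 may be absent from hashlib on OpenSSL 3 builds.
HASH_METHODS = {"md5": "md5", "sha1": "sha1", "rmd160": "ripemd160"}


def _h(method: str, data: bytes) -> bytes:
    return hashlib.new(HASH_METHODS[method], data).digest()


def generate_initial_key(method: str = "sha1") -> Tuple[bytes, str]:
    """Like -g: return the binary key (keyfile) and its ASCII form (key0file)."""
    key0 = _h(method, os.urandom(32))
    return key0, key0.hex()


def protect_lines(lines: List[str], key0: bytes, method: str = "sha1") -> List[str]:
    """Model of the logging side: tag each line, then evolve the key."""
    key = key0
    out = []
    for line in lines:
        tag = hmac.new(key, line.encode(), HASH_METHODS[method]).hexdigest()
        out.append(f"{line} [{tag}]")
        # Next key depends on the last logged message (cf. the -k description).
        key = _h(method, key + line.encode())
    return out


def check_log(tagged: List[str], key0: bytes, method: str = "sha1") -> Tuple[int, bytes]:
    """Check mode: return (0, final_key) if intact, else (first bad line, key).

    The returned final key can be compared with the logging host's current
    binary keyfile: a mismatch after an otherwise clean pass means trailing
    lines were removed, which per-line tags alone cannot reveal.
    """
    key = key0
    for n, entry in enumerate(tagged, 1):
        msg, sep, rest = entry.rpartition(" [")
        if not sep or not rest.endswith("]"):
            return n, key  # malformed entry counts as corruption
        expected = hmac.new(key, msg.encode(), HASH_METHODS[method]).hexdigest()
        if not hmac.compare_digest(expected, rest[:-1]):
            return n, key
        key = _h(method, key + msg.encode())
    return 0, key


def quiet_report(tagged: List[str], key0: bytes, method: str = "sha1",
                 first_line: bool = False) -> str:
    """-q output: '0' if intact, otherwise '1', or the line number with -l."""
    bad, _ = check_log(tagged, key0, method)
    if bad == 0:
        return "0"
    return str(bad) if first_line else "1"


if __name__ == "__main__":
    # Constructed sample: three auth-style lines protected with a fresh key.
    key0, ascii_key0 = generate_initial_key("sha1")
    log = protect_lines(["sshd: accepted", "su: failed", "cron: run"], key0)
    print("intact:", quiet_report(log, key0))
    log[1] = "su: ok" + log[1][len("su: failed"):]  # tamper with line 2
    print("tampered, -q -l:", quiet_report(log, key0, first_line=True))
```

Deleting a line in the middle is caught at the line that follows it, because that line's tag was computed under a key that depended on the deleted message; deleting lines at the end is only caught by comparing the final key with the key file, which is why the -g binary keyfile matters beyond bootstrapping.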

SEE ALSO

syslog.conf(5), om_peo(8), syslogd(8)

BUGS

Submit bugs at this project's SourceForge bug reporting system at:
http://sourceforge.net/tracker/?func=add&group_id=25741&atid=385117

You may also report them directly to the authors; send an email to
core.devel.alat@corest.com, describing the problem as fully as you can and
including the machine description, the hardware description, the
configuration file (/usr/local/etc/syslog.conf), the OS description, and
the invoking command line. The more you describe the bug, the faster we
can fix it.

Core-SDI                        May 10, 2000                        Core-SDI
