peochk.8

MSyslog是一个允许在Linux下运行的网络系统日志程序

.\"	$CoreSDI: peochk.8,v 1.18 2001/11/20 05:46:42 alejo Exp $
.\"
.\" Copyright (c) 2001
.\"	Core-SDI SA. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Core-SDI SA nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd May 10, 2000
.Dt PEOCHK 8
.Os Core-SDI
.Sh NAME
.Nm peochk
.Nd Initial key generator and integrity log file checker
.Sh SYNOPSIS
.Nm peochk
.Op Fl f Ar logfile
.Op Fl g
.Op Fl h
.Op Fl i Ar key0file
.Op Fl k Ar keyfile
.Op Fl l
.Op Fl m Ar hash_method
.Op Fl q
.Op Ar logfile
.Sh DESCRIPTION
.Nm peochk
generates the initial key file and checks log files generated by
.Xr syslogd 8
using
.Em peo output module
.Xr om_peo 8 .
The options are as follows:
.Bl -tag -width Ds
.It Fl f Ar logfile
Specify the pathname of a log file, if
.Ar logfile
is not specified using this option, data is read from standard input
and the pathname is used only to generate reports and/or to obtain the
key files pathnames when the
.Fl k
and/or
.Fl i
options are not specified; the default is
.Pa /var/log/messages .
.It Fl g
Generates two key files with an initial key into them, one in binary mode
(
.Ar keyfile ,
to be used by
.Em peo output module
) and the other in ascii mode (
.Ar key0file
), the admin should put the
last one into a secure place and remove it from the specified path (see 
.Fl i
and 
.Fl k
options); when this option is not specified
.Nm
is in check mode.
.It Fl h
Displays a little help.
.It Fl i Ar key0file
Specify the initial key pathname; the default is
.Ar keyfile
pathname with a "0" char added at the end (see 
.Fl k
option).
.It Fl k Ar keyfile
Specify the key pathname (this file is used by the
.Em peo output module
to generate a hash key from the last logged message); the default is
.Pa /var/ssyslogd/xxx.key
where 
.Pa xxx
is
.Ar logfile
(specified with 
.Fl f
option or without it) with all '/' replaced by '.'.
.It Fl l
Used only in check mode to detect the first corrupted line; it is ignored
when specified with the
.Fl g
option.
.It Fl m Ar hash_method
Specifies the hash method used to generate the keys,
.Ar hash_method
should be one of 
.Cm md5, sha1,
or
.Cm rmd160;
the default is
.Cm sha1.
.It Fl q
Quiet mode; prints '0' on stdout when logfile is not corrupted, and '1' or
line number (see 
.Fl l
option) when the logfile is corrupted.
.El
.Sh EXAMPLES
If you want to protect the
.Pa /var/log/authlog
file you can:
.Pp
.Bl -enum
.It
run the command:
.Pp
.Dl peochk -g -f /var/log/authlog -i authkey0 -m rmd160
.Pp
this will generate the
.Pa /var/ssylog/var.log.authlog.key
file with the initial key in binary mode and the
.Ar ./authkey0
file with that key translated to ascii, the hash method used to generate
the key is
.Cm rmd160;
you should memorice the contents of
.Ar ./authkey0
file and
.Xr rm 1
it.
.Pp
.It
Edit
.Xr syslog.conf 5
file and enable
.Em peo output module
with something like this:
.Pp
.Dl auth.info	%classic /var/log/authlog %peo -m rmd160 -l -k /var/ssyslog/.var.log.authlog.key
.Pp
.It
Inform new changes on
.Xr syslog.conf 5
to
.Xr syslogd 8 :
.Pp
.Dl kill -HUP `cat /var/run/syslog.pid`
.Pp
.It
When you believe that someone owned your machine you can:
.Pp
.Dl peochk -m rmd160 -f /var/log/authlog -i mykey
.Pp
the contents of
.Ar mykey
should be the same as 
.Ar ./authkey0
generated in step 1; with the command above you can verify that the
file was (or not) corrupted (it is important not to forget the 
.Fl m
option because the default used is 
.Cm sha1
and the keys generated was using 
.Cm rmd160
).
.El
.Sh SEE ALSO
.Xr syslog.conf 5 ,
.Xr om_peo 8 ,
.Xr syslogd 8
.Sh BUGS
Submit bugs at this project's Sourceforge Bug reporting system at:
http://sourceforge.net/tracker/?func=add&group_id=25741&atid=385117
You may also report them directly to the authors; send an email to
core.devel.alat@corest.com, describing the problem the most you can,
containing also machine description, hardware description, the
configuration file (/etc/syslog.conf), the OS description, and the
invoking command line.
The more you describe the bug, the faster we can fix it.