|Specify the pathname of a log file, if logfile is not specified using this option, data is read from standard input and the pathname is used only to generate reports and/or to obtain the key files pathnames when the -k and/or -i options are not specified; the default is /var/log/messages.|
|-g||Generates two key files with an initial key into them, one in binary mode ( keyfile, to be used by peo output module ) and the other in ascii mode ( key0file ), the admin should put the last one into a secure place and remove it from the specified path (see -i and -k options); when this option is not specified peochk is in check mode.|
|-h||Displays a little help.|
|Specify the initial key pathname; the default is keyfile pathname with a "0" char added at the end (see -k option).|
|Specify the key pathname (this file is used by the peo output module to generate a hash key from the last logged message); the default is /var/ssyslogd/xxx.key where xxx is logfile (specified with -f option or without it) with all / replaced by ..|
|-l||Used only in check mode to detect the first corrupted line; it is ignored when specified with the -g option.|
|Specifies the hash method used to generate the keys, hash_method should be one of md5, sha1, or rmd160; the default is sha1.|
|-q||Quiet mode; prints 0 on stdout when logfile is not corrupted, and 1 or line number (see -l option) when the logfile is corrupted.|
If you want to protect the /var/log/authlog file you can:
- run the command:
peochk -g -f /var/log/authlog -i authkey0 -m rmd160
this will generate the /var/ssylog/var.log.authlog.key file with the initial key in binary mode and the ./authkey0 file with that key translated to ascii, the hash method used to generate the key is rmd160; you should memorice the contents of ./authkey0 file and rm(1) it.
- Edit syslog.conf(5) file and enable peo output module with something like this:
auth.info %classic /var/log/authlog %peo -m rmd160 -l -k /var/ssyslog/.var.log.authlog.key
- Inform new changes on syslog.conf(5) to syslogd(8):
kill -HUP cat /var/run/syslog.pid
- When you believe that someone owned your machine you can:
peochk -m rmd160 -f /var/log/authlog -i mykey
the contents of mykey should be the same as ./authkey0 generated in step 1; with the command above you can verify that the file was (or not) corrupted (it is important not to forget the -m option because the default used is sha1 and the keys generated was using rmd160 ).
syslog.conf(5), om_peo(8), syslogd(8)
Submit bugs at this projects Sourceforge Bug reporting system at: http://sourceforge.net/tracker/?func=add&group_id=25741&atid=385117 You may also report them directly to the authors; send an email to email@example.com, describing the problem the most you can, containing also machine description, hardware description, the configuration file (/usr/local/etc/syslog.conf), the OS description, and the invoking command line. The more you describe the bug, the faster we can fix it.