Auditing

Hi All,
I am running FreeBSD 13.1 and it serves as an OpenVPN server. I am finding that a file keeps being modified and I would love to know which service/process is doing it. Is there a way to audit a particular file or is there some other way to trace this? Thanks in advance for any assistance.
 
I am really liking my firewall's tripwire.
Code:
root@x9srl:/home/firewall # tripwire -m c
Parsing policy file: /usr/local/etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/db/tripwire/report/x9srl-20220529-171838.twr


Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Sun May 29 17:18:38 2022
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    x9srl
Host IP address:              Unknown IP
Host ID:                      None
Policy file used:             /usr/local/etc/tripwire/tw.pol
Configuration file used:      /usr/local/etc/tripwire/tw.cfg
Database file used:           /var/db/tripwire/x9srl.twd
Command line used:            tripwire -m c

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire config                 100               0        0        0      
* megarouter config               100               0        0        1      
* Root config files               100               0        0        1      

Total objects scanned:  39
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: megarouter config (/etc/pf.conf)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/pf.conf"
 
I tend to not worry about keeping the database archive. I re-init every so often instead.
tripwire --init
Code:
root@x9srl:/home/firewall # tripwire --init
Please enter your local passphrase:
Parsing policy file: /usr/local/etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/db/tripwire/x9srl.twd
The database was successfully generated.
Each report I run gets saved to disk, so I have that archive instead of a database,
just in case I need to rewind things for further review.
I have been playing with my firewall rules, as you can see. Six months later and still tuning.
 
You might be able to find this with a long-running dtrace(1):
Code:
dtrace -n 'syscall:freebsd:open:entry { printf("%s[%d] %s",execname,pid,copyinstr(arg0)); } syscall:freebsd:openat:entry { printf("%s[%d] %s",execname,pid,copyinstr(arg1)); }' | grep filename.ext
Replace filename.ext with the exact name of the respective file.
 
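The same approach written out as a D script, added here as an example and not part of the reply above. It differs from the one-liner in three ways a practitioner tracking down a modification usually wants: the match is done in the probe predicate (so nothing is lost to pipe buffering), only opens that carry O_WRONLY, O_RDWR or O_TRUNC are reported (pfctl -f reading the file would otherwise show up as noise), and rename(2)/renameat(2) are traced too, because mv(1) and some editors write a temporary file and rename it over the target, which an open(2)-only trace never sees. The file name watchfile.d and the use of the $$1 macro argument as the substring to match are assumptions of this example; the open(2) flag values are FreeBSD's.

```d
#!/usr/sbin/dtrace -s
/*
 * watchfile.d (hypothetical name, added example): report every process that
 * opens a path containing the string given as $$1 for writing, or that
 * renames a path onto it.  Run as root on FreeBSD, e.g.:
 *     dtrace -s watchfile.d pf.conf
 * Match on a substring rather than the absolute path: openat(2) callers
 * frequently pass a path relative to a directory fd.
 */
#pragma D option quiet

/* FreeBSD open(2) flag bits: O_WRONLY 0x1 | O_RDWR 0x2 | O_TRUNC 0x400 */
inline int WRITE_FLAGS = 0x403;

/* open(2): arg0 = path, arg1 = flags */
syscall:freebsd:open:entry
/strstr(copyinstr(arg0), $$1) != NULL && (arg1 & WRITE_FLAGS) != 0/
{
    printf("%Y uid=%d %s[%d] ppid=%d open(\"%s\", 0x%x)\n",
        walltimestamp, uid, execname, pid, ppid, copyinstr(arg0), arg1);
}

/* openat(2): arg0 = dirfd, arg1 = path (possibly relative), arg2 = flags */
syscall:freebsd:openat:entry
/strstr(copyinstr(arg1), $$1) != NULL && (arg2 & WRITE_FLAGS) != 0/
{
    printf("%Y uid=%d %s[%d] ppid=%d openat(%d, \"%s\", 0x%x)\n",
        walltimestamp, uid, execname, pid, ppid, arg0, copyinstr(arg1), arg2);
}

/* rename(2): arg0 = from, arg1 = to.  Catches "write temp file, rename over target". */
syscall:freebsd:rename:entry
/strstr(copyinstr(arg1), $$1) != NULL/
{
    printf("%Y uid=%d %s[%d] ppid=%d rename(\"%s\" -> \"%s\")\n",
        walltimestamp, uid, execname, pid, ppid, copyinstr(arg0), copyinstr(arg1));
}

/* renameat(2): arg0 = fromfd, arg1 = from, arg2 = tofd, arg3 = to */
syscall:freebsd:renameat:entry
/strstr(copyinstr(arg3), $$1) != NULL/
{
    printf("%Y uid=%d %s[%d] ppid=%d renameat(\"%s\" -> \"%s\")\n",
        walltimestamp, uid, execname, pid, ppid, copyinstr(arg1), copyinstr(arg3));
}
```

Leave it running in a tmux/screen session (or under nohup with output redirected to a log) until the file changes again; the ppid column is what lets you tell a cron-driven script from an interactive edit. Occasional "invalid address" errors from copyinstr are harmless: they mean the path string was not resident when the probe fired, and that one event is simply dropped.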