# Auditing



## Software Info (May 28, 2022)

Hi All,
I am running FreeBSD 13.1 and it serves as an OpenVPN server. I am finding that a file keeps being modified and I would love to know which service/process is doing it. Is there a way to audit a particular file or is there some other way to trace this? Thanks in advance for any assistance.


----------



## sidetone (May 29, 2022)

Type `ls -l` from relevant directories to see the last modified timestamp of the files in question.

You can try security/tripwire. Also, look at the thread `tutorial-intrusion-detection-using-tripwire.56813`.


----------



## Phishfry (May 29, 2022)

I am really liking my firewall's tripwire.

```
root@x9srl:/home/firewall # tripwire -m c
Parsing policy file: /usr/local/etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/db/tripwire/report/x9srl-20220529-171838.twr


Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Sun May 29 17:18:38 2022
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    x9srl
Host IP address:              Unknown IP
Host ID:                      None
Policy file used:             /usr/local/etc/tripwire/tw.pol
Configuration file used:      /usr/local/etc/tripwire/tw.cfg
Database file used:           /var/db/tripwire/x9srl.twd
Command line used:            tripwire -m c

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire config                 100               0        0        0      
* megarouter config               100               0        0        1      
* Root config files               100               0        0        1      

Total objects scanned:  39
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: megarouter config (/etc/pf.conf)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/pf.conf"
```


----------



## Phishfry (May 29, 2022)

I tend to not worry about keeping the database archive. I re-init every so often instead.
`tripwire --init`

```
root@x9srl:/home/firewall # tripwire --init
Please enter your local passphrase:
Parsing policy file: /usr/local/etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/db/tripwire/x9srl.twd
The database was successfully generated.
```
Each report I run gets saved to disk, so I have that archive instead of a database.
Just in case I need to rewind things for further review.
I have been playing with my firewall rules as you can see. 6 months later and still tuning.


----------



## Phishfry (May 30, 2022)

Software Info said:

> love to know which service/process is doing it.


Tripwire won't help you here. It is just a checksummer.

Basically, it creates a database of preferred files with a checksum.
You run a report to check if the preferred files have been modified.


----------



## Bobi B. (May 30, 2022)

You might be able to find this with a long-running dtrace(1): `dtrace -n 'syscall:freebsd:open:entry { printf("%s[%d] %s",execname,pid,copyinstr(arg0)); } syscall:freebsd:openat:entry { printf("%s[%d] %s",execname,pid,copyinstr(arg1)); }' | grep filename.ext`. Replace `filename.ext` with the exact name of the respective file.
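A fuller version of the dtrace approach, as an added example that is not code from the thread: a D script that reports every process opening one path for writing, or replacing it via rename(2), with pid, parent pid and uid. The path is passed as `$1` (quoted as a D string; the path below is a placeholder), the flag test assumes FreeBSD's O_WRONLY=1 / O_RDWR=2, and the script must run as root.

```d
/*
 * Added example, not from the thread. Report writers of one watched file.
 * Run as root:  dtrace -s watch-writes.d '"/path/to/watched.file"'
 * Uses FreeBSD's syscall provider (module "freebsd"); the path is $1.
 */
#pragma D option quiet
#pragma D option strsize=1024

/* open(path, flags, ...) and openat(fd, path, flags, ...): remember path and flags */
syscall:freebsd:open:entry
{
    self->path  = copyinstr(arg0);
    self->flags = arg1;
}

syscall:freebsd:openat:entry
{
    self->path  = copyinstr(arg1);
    self->flags = arg2;
}

/* Report only opens of the watched path with write access (O_ACCMODE is 3) */
syscall:freebsd:open:entry,
syscall:freebsd:openat:entry
/ self->path == $1 && (self->flags & 3) != 0 /
{
    printf("%Y %s[%d] ppid=%d uid=%d opened %s flags=0x%x\n",
        walltimestamp, execname, pid, ppid, uid, self->path, self->flags);
}

/* Clear thread-local state once the call returns */
syscall:freebsd:open:return,
syscall:freebsd:openat:return
{
    self->path  = 0;
    self->flags = 0;
}

/* Editors and atomic writers often write a temp file and rename it over the target */
syscall:freebsd:rename:entry
/ copyinstr(arg1) == $1 /
{
    printf("%Y %s[%d] ppid=%d uid=%d renamed %s over %s\n",
        walltimestamp, execname, pid, ppid, uid, copyinstr(arg0), copyinstr(arg1));
}
```

Leave it running across the interval in which the file changes; the ppid lets you walk back to a cron job, rc script or management daemon when the direct writer is a short-lived child.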


----------



## Software Info (Oct 2, 2022)

Thanks very much. Will give dtrace a whirl.


----------



## darmokandjalad (Oct 2, 2022)

+1 for dtrace, as it's good for one-off troubleshooting like this. Else, I'd recommend the built-in auditing daemon auditd(8), described in Chapter 17 of the Handbook.


----------

