The Linux Page

tripwire --init not saving the database

Beetle — tripwire includes a bug!

Error: File seek failed

I ran into a problem with tripwire: it did not want to generate the <hostname>.twd file under /var/lib/tripwire. You know that the file is missing because you receive emails (reports) from tripwire saying that the file is missing.

I could see that because it reports, once a day, whether tripwire ran successfully or not. It had not, and the main error was that the tripwire database does not exist, which is actually shown as:

### Error: File could not be opened.
### Filename: /var/lib/tripwire/<hostname>.twd
### No such file or directory
### Exiting...

That, in itself, looks easy to fix. So I ran tripwire --init and voilà!

sudo tripwire --init

As usual, it printed a few errors and I ignored them.

The next day, same error! The database file is still missing!!! I checked again and sure enough the file was not there. So I re-ran the --init command and this time I looked closer at the errors. Got one that broke the process and thus tripwire would not save anything:

Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /var/lib/tripwire/<hostname>.twd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/rc.boot
### No such file or directory
### Continuing...
### Error: File seek failed.
### Filename: /root/backup/some-file.tar.gz
### Success
### Exiting...

Now, as you can see, tripwire is being funny here: it tells me "Success". But the truth is that the "Error: File seek failed" prevents the saving of the database. This happens because the file named /root/backup/some-file.tar.gz is more than 2Gb (maybe 4Gb?). For sure, tripwire is not capable of dealing with very large files. Our file was 22.5Gb and somehow the seek command failed in tripwire.

Our solution was simply to move that file. We did not actually need that file to be checked by tripwire anyway. It just ended up "in the wrong place". After that, the database was properly getting created. By the way, when the database file is created, you get a message like this:

Wrote database file: /var/lib/tripwire/jc.twd
The database was successfully generated.

Until then, the ### Success is a lie!
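
Since "### Success" cannot be trusted, a wrapper can decide from the log itself whether the database was written. The following is an added example, not part of the original article or of tripwire; the function names, the 2 GiB default and the sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of tripwire. Function names and the 2 GiB default
# are assumptions made for this illustration.

# Print the Filename: reported right after each "### Error:" line of a log.
init_errors() {
    awk '/^### Error:/ { err = 1; next }
         err && /^### Filename:/ { sub(/^### Filename:[ \t]*/, ""); print }
         { err = 0 }' "$1"
}

# Succeed only if the log contains "Wrote database file:" and (unless the
# second argument is "no") that file exists and is not empty.
init_ok() {
    db=$(sed -n 's/^Wrote database file: *//p' "$1" | tail -n 1)
    [ -n "$db" ] || return 1
    [ "${2:-yes}" = no ] || [ -s "$db" ]
}

# List regular files under directory $1 larger than $2 bytes (default 2 GiB,
# the size above which the article suspects the seek fails).
large_files() {
    find "$1" -xdev -type f -size +"${2:-2147483648}"c 2>/dev/null
}

# Constructed sample: the tail of the failing run shown above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
### Warning: File system error.
### Filename: /etc/rc.boot
### No such file or directory
### Continuing...
### Error: File seek failed.
### Filename: /root/backup/some-file.tar.gz
### Success
### Exiting...
EOF
if init_ok "$demo" no; then
    echo "database written"
else
    echo "database NOT written; failing file: $(init_errors "$demo")"
fi
rm -f "$demo"
```

On a real system, capture the run with something like sudo tripwire --init 2>&1 | tee init.log, call init_ok init.log, and run large_files on the directories covered by your policy (for instance /root) to find candidates to move or exclude.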

Tripwire Crashing (18.04)

At times, tripwire crashes on initialization. It happened to me a while back and I did not make a note of it. It happened again when I switched to 18.04 from 16.04. I changed computers so I did not copy the files; I just set up a brand new setup.

Here are the errors that tripwire generated:

The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/pts" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.

The software tries to ignore those errors, but apparently it enters a state which makes it crash before the initialization is done. As a result, you do not get the <hostname>.key file, which is required to then check the changes on a daily basis.

The software, at that point, must be doing something wrong such as trying to access a pointer which is still NULL. Anyway, there is an easy way to fix the problem (a workaround), which is to comment out the failing directories. Actually, I completely commented out the /proc and /dev directories.

sudo vim /etc/tripwire/twpol.txt

Search for the section with /dev and /proc and comment it out completely like so:

# Critical devices
#  rulename = "Devices & Kernel information",
#  severity = $(SIG_HI),
#       /dev            -> $(Device) ;
#       #/proc          -> $(Device) ;

Since we changed the twpol.txt file, we have to re-process the file as follows:

cd /etc/tripwire/
sudo twadmin --create-polfile --cfgfile tw.cfg \
                       --site-keyfile site.key twpol.txt

The command will ask you for your secret to use the key you created at the time tripwire was installed. It takes a moment and then you can attempt the initialization again:

sudo tripwire --init

This time, it shouldn't crash.

Tripwire Still Crashing (20.04)

I now have 20.04 and tripwire crashes again.

They mentioned editing the configuration file setting a variable to false:


This worked for me.

Don't forget to run twadmin as mentioned by Philip in a comment:

twadmin --create-cfgfile \
        --site-keyfile /etc/tripwire/site.key \
        /etc/tripwire/twcfg.txt

It looks, though, like that doesn't help much for everyone... Another solution (which I did not yet try) is to recompile from the source.

Tripwire Crashing in 22.04

According to a comment on launchpad about tripwire crashes in 22.04, the package comes straight from Unstable Debian instead of being recompiled for Ubuntu 22.04.

Recompiling locally from source fixes it, and the user who posted that comment actually created a PPA with the working version. So you can install his version instead.

Bug report:

PPA with recompiled version for Ubuntu 22.04:

To just get the .deb you can download it from here:

I verified that the source was indeed exactly the same and it was.

Building Own Version

There are instructions on Ask Ubuntu on how to build from source:

$ apt-get source package
$ sudo apt-get build-dep package
$ dch -i
$ debuild -us -uc -b
$ sudo dpkg -i ../package.deb

The dch command is used to edit the changelog. This is not a required step. You can install your newly compiled version over the existing version when directly using dpkg. It is actually a good idea not to change the version if you want to continue to receive new updates automatically (and thus know when you have to recompile a version, if such a need arises).

The build-dep step downloads all the dependencies necessary to build this version of tripwire. However, that did not work correctly for me. If you look at the files from Xu Zhen, who recompiled this for 22.04, he made edits to the debian/... files. So there are incompatible things in the default source.

The tripwire code itself, though, was not modified at all.

Re: tripwire --init not saving the database

It's probably worth mentioning that in 20.04 adding to the cfg means

twadmin --create-cfgfile --site-keyfile site.key twcfg.txt

and then running the policy again and probably an init (that's a guess, I'm on a fresh install after years on 16.04 where it ran day in and day out).

But thank you anyway, without your article I wouldn't have a snowball's chance in hell. I believe I arrived here through google and the /etc/rc.boot error.

Thank you