Hello, all. I'm running Debian 4 and OSSEC 1.3. I'm getting alerts about cron jobs where user "root" switches to "nobody". I've searched the archives and I know this is a known issue but I wanted to confirm the preferred solution.
As far as I can tell, what's triggering the alert isn't root doing a su. Rather, it's rule 40101 in attack_rules.xml which is noting that a system user--in this case, "nobody"--has logged in. The list of system users is given just before the rule definition. The expectation is that system users should never log in. The task that's triggering this alert is the "find" task that calls "updatedb". One solution would be to run the task as "root" rather than "nobody". Another solution would be to run the task as some special-purpose user--say, "find"--that is created just for this purpose. Neither solution seems particularly ideal. In the first case a task is running with, presumably, more rights than it needs. In the second case the intent of the rule--to signal that a user who isn't meant to log in logged in--is being bypassed. (It's very nearly the same thing as removing "nobody" from the list of system users.) I was wondering if there were other ideas, or opinions on these two particular ideas? Thanks, Michael.
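An added example, not from the original post or from the OSSEC project, of a third option: a child rule in local_rules.xml that drops rule 40101 to level 0 only for the cron session of "nobody", so the rule keeps firing if "nobody" logs in by any other path (sshd, login, su). The rule id 100101 and the program_name pattern are assumptions; confirm the program name your decoder actually extracts before relying on it.

```xml
<!-- local_rules.xml (added example, not the page's or the project's own config).
     Rule id 100101 sits in the local range 100000-119999; the cron program_name
     pattern is an assumption about what the Debian PAM decoder produces. -->
<group name="local,syslog,">
  <!-- Child of 40101: only a cron-opened session for "nobody" is silenced.
       Any other authentication_success event for a system user still
       matches the parent rule 40101 at its normal level. -->
  <rule id="100101" level="0">
    <if_sid>40101</if_sid>
    <program_name>^cron$|^CRON$</program_name>
    <user>^nobody$</user>
    <description>Expected cron job (find/updatedb) running as nobody; not an interactive login.</description>
  </rule>
</group>
```

Feed one of the offending cron log lines to ossec-logtest and check that the line decodes with the cron program name and that 100101, not 40101, is the rule that fires; then restart OSSEC so the local rule is loaded.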
