On Wed, Sep 28, 2011 at 6:37 AM, AlgoBoy <[email protected]> wrote:
> I found in my /etc/passwd file that there are three "extra" users that
> cannot log in but are listed.
>
> ossec

This is the ossec user. ossec-analysisd runs as this user (in a chroot to /var/ossec (by default, you may have chosen something different during installation)). This helps prevent (possible) flaws in ossec-analysisd from leading to root compromise.

> ossecm

This is the ossec output user. Originally it was responsible for only the ossec-maild, hence the m. Now it's responsible for ossec-dbd and ossec-csyslogd as well.

> ossecr

This is for ossec-remoted.

>

Here it is in a nutshell:

ossecm 22761 /var/ossec/bin/ossec-dbd
ossecm 1782 /var/ossec/bin/ossec-csyslogd
root 20565 /var/ossec/bin/ossec-execd
ossec 1365 /var/ossec/bin/ossec-analysisd
root 24076 /var/ossec/bin/ossec-logcollector (ossec-logcollect)
ossecr 29685 /var/ossec/bin/ossec-remoted

> What are these for? I know they are attached to the Ossec HIDs
> software but can anyone explain what these users are for? I think they
> might be the reason I keep getting checksum rule fires from Ossec
> itself.
>

No, they most likely are not the reason. Which files are changing?
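
Added example, not part of the original message and not code from the OSSEC project: a shell check that compares the owner of each running OSSEC daemon against the daemon-to-user mapping given in the reply above. The function names and the second sample listing are constructed for illustration; input is assumed to be in the "USER PID COMMAND" layout produced by `ps -eo user,pid,args`.

```shell
#!/bin/sh
# Expected owner for each OSSEC daemon, as described in the reply above.
expected_user() {
    case "$1" in
        ossec-analysisd)                      echo ossec ;;
        ossec-maild|ossec-dbd|ossec-csyslogd) echo ossecm ;;
        ossec-remoted)                        echo ossecr ;;
        ossec-execd|ossec-logcollector)       echo root ;;
        *)                                    echo "" ;;   # not an OSSEC daemon
    esac
}

# Reads "USER PID COMMAND [ARGS...]" lines on stdin and prints one line for
# every OSSEC daemon that is not running as its expected user.
audit_ossec_users() {
    while read -r user pid cmd _rest; do
        daemon=${cmd##*/}                 # strip the /var/ossec/bin/ prefix
        want=$(expected_user "$daemon")
        [ -z "$want" ] && continue        # skip headers and unrelated processes
        [ "$user" = "$want" ] ||
            echo "MISMATCH $daemon pid=$pid runs as $user, expected $want"
    done
}

# Process listing quoted in the message above (should produce no output).
SAMPLE_FROM_MESSAGE='ossecm 22761 /var/ossec/bin/ossec-dbd
ossecm 1782 /var/ossec/bin/ossec-csyslogd
root 20565 /var/ossec/bin/ossec-execd
ossec 1365 /var/ossec/bin/ossec-analysisd
root 24076 /var/ossec/bin/ossec-logcollector (ossec-logcollect)
ossecr 29685 /var/ossec/bin/ossec-remoted'

# Constructed listing: privilege separation lost for two daemons.
SAMPLE_BAD='root 1365 /var/ossec/bin/ossec-analysisd
ossec 29685 /var/ossec/bin/ossec-remoted
ossecm 1782 /var/ossec/bin/ossec-csyslogd
root 20565 /var/ossec/bin/ossec-execd'

printf '%s\n' "$SAMPLE_BAD" | audit_ossec_users
```

On a live host the same function can be fed with `ps -eo user,pid,args | audit_ossec_users`; the header line is ignored because its command column matches no known daemon.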
