OSSEC HIDS Notification.
2011 Sep 22 09:15:57

Received From: ip-10-251-134-240->syscheck
Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
Portion of the log(s):

Integrity checksum changed for: '/etc/motd'
Old md5sum was: 'dcf4d83bef51a84bbe48b9b5a38b60fe'
New md5sum is : 'c7bafef836545ad7dd22420ef72426dd'
Old sha1sum was: '6ad7cfd6e6d4e3e0240703656ba76562cc404318'
New sha1sum is : 'b5a6bae623ecf99e140de7550d15b62f59c2fd7c'

On Sep 28, 5:28 pm, "dan (ddp)" <[email protected]> wrote:
> On Wed, Sep 28, 2011 at 6:37 AM, AlgoBoy <[email protected]> wrote:
> > I found in my /etc/passwd file that there are three "extra" users that
> > cannot login but are listed.
> >
> > ossec
>
> This is the ossec user. ossec-analysisd runs as this user (in a chroot
> to /var/ossec (by default, you may have chosen something different
> during installation)). This helps prevent (possible) flaws in
> ossec-analysisd from leading to root compromise.
>
> > ossecm
>
> This is the ossec output user. Originally it was responsible for only
> the ossec-maild, hence the m. Now it's responsible for ossec-dbd and
> ossec-csyslogd as well.
>
> > ossecr
>
> This is for ossec-remoted.
>
> > Here it is in a nutshell:
>
> ossecm 22761 /var/ossec/bin/ossec-dbd
> ossecm 1782 /var/ossec/bin/ossec-csyslogd
> root 20565 /var/ossec/bin/ossec-execd
> ossec 1365 /var/ossec/bin/ossec-analysisd
> root 24076 /var/ossec/bin/ossec-logcollector (ossec-logcollect)
> ossecr 29685 /var/ossec/bin/ossec-remoted
>
> > What are these for? I know they are attached to the Ossec HIDs
> > software but can anyone explain what these users are for? I think they
> > might be the reason I keep getting checksum rule fires from Ossec
> > itself.
>
> No, they most likely are not the reason. Which files are changing?
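Answering "which files are changing?" at scale means pulling the path and digests out of each syscheck mail rather than reading them by hand. The parser below is an added example, not code from OSSEC or from anyone in this thread; it assumes the line-oriented body format shown in the notification above and uses that notification, re-assembled, as a constructed sample.

```python
import re
from typing import Optional

# Constructed sample: the rule 551 notification from this thread, laid out
# as the line-oriented text OSSEC mails.
SAMPLE_ALERT = """OSSEC HIDS Notification.
2011 Sep 22 09:15:57

Received From: ip-10-251-134-240->syscheck
Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
Portion of the log(s):

Integrity checksum changed for: '/etc/motd'
Old md5sum was: 'dcf4d83bef51a84bbe48b9b5a38b60fe'
New md5sum is : 'c7bafef836545ad7dd22420ef72426dd'
Old sha1sum was: '6ad7cfd6e6d4e3e0240703656ba76562cc404318'
New sha1sum is : 'b5a6bae623ecf99e140de7550d15b62f59c2fd7c'
"""

_RULE_RE = re.compile(r'Rule: (\d+) fired \(level (\d+)\) -> "(.*)"')
_FROM_RE = re.compile(r"Received From: (\S+?)->(\S+)")
_FILE_RE = re.compile(r"Integrity checksum changed for: '([^']+)'")
# Tolerates the odd "is :" spacing OSSEC prints on the "New ... is :" lines.
_HASH_RE = re.compile(r"(Old|New) (md5|sha1)sum (?:was|is)\s*: '([0-9a-f]+)'")


def parse_syscheck_alert(body: str) -> Optional[dict]:
    """Return the structured fields of a syscheck checksum notification,
    or None when the text is not one (so callers can skip other rules)."""
    file_match = _FILE_RE.search(body)
    rule_match = _RULE_RE.search(body)
    from_match = _FROM_RE.search(body)
    if not (file_match and rule_match and from_match):
        return None
    alert = {
        "agent": from_match.group(1),        # host that reported the change
        "source": from_match.group(2),       # "syscheck" for integrity alerts
        "rule_id": int(rule_match.group(1)),
        "level": int(rule_match.group(2)),
        "description": rule_match.group(3),
        "path": file_match.group(1),
    }
    for state, algo, digest in _HASH_RE.findall(body):
        alert[f"{state.lower()}_{algo}"] = digest   # e.g. old_md5, new_sha1
    return alert


def hashes_changed(alert: dict) -> bool:
    """True when any old/new digest pair present in the alert differs."""
    return any(alert.get(f"old_{a}") != alert.get(f"new_{a}")
               for a in ("md5", "sha1") if f"old_{a}" in alert)
```

Feeding a mailbox of these through parse_syscheck_alert and grouping by path is the quickest way to see whether the noise is one file like /etc/motd or something broader.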
