My bad, I think these integrity errors mainly happen because I'm not restarting ossec i.e. ossec-control stop and start.
On Sep 28, 5:59 pm, AlgoBoy <[email protected]> wrote:
> OSSEC HIDS Notification.
> 2011 Sep 22 09:15:57
>
> Received From: ip-10-251-134-240->syscheck
> Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd
> time)."
> Portion of the log(s):
>
> Integrity checksum changed for: '/etc/motd'
> Old md5sum was: 'dcf4d83bef51a84bbe48b9b5a38b60fe'
> New md5sum is : 'c7bafef836545ad7dd22420ef72426dd'
> Old sha1sum was: '6ad7cfd6e6d4e3e0240703656ba76562cc404318'
> New sha1sum is : 'b5a6bae623ecf99e140de7550d15b62f59c2fd7c'
>
> On Sep 28, 5:28 pm, "dan (ddp)" <[email protected]> wrote:
>
> > On Wed, Sep 28, 2011 at 6:37 AM, AlgoBoy <[email protected]> wrote:
> > > I found in my /etc/passwd file that there are three "extra" users that
> > > cannot log in but are listed.
>
> > > ossec
>
> > This is the ossec user. ossec-analysisd runs as this user (in a chroot
> > to /var/ossec (by default, you may have chosen something different
> > during installation)). This helps prevent (possible) flaws in
> > ossec-analysisd from leading to root compromise.
>
> > > ossecm
>
> > This is the ossec output user. Originally it was responsible for only
> > the ossec-maild, hence the m. Now it's responsible for ossec-dbd and
> > ossec-csyslogd as well.
>
> > > ossecr
>
> > This is for ossec-remoted.
>
> > Here it is in a nutshell:
>
> > ossecm 22761 /var/ossec/bin/ossec-dbd
> > ossecm 1782 /var/ossec/bin/ossec-csyslogd
> > root 20565 /var/ossec/bin/ossec-execd
> > ossec 1365 /var/ossec/bin/ossec-analysisd
> > root 24076 /var/ossec/bin/ossec-logcollector (ossec-logcollect)
> > ossecr 29685 /var/ossec/bin/ossec-remoted
>
> > > What are these for? I know they are attached to the Ossec HIDs
> > > software but can anyone explain what these users are for? I think they
> > > might be the reason I keep getting checksum rule fires from Ossec
> > > itself.
>
> > No, they most likely are not the reason. Which files are changing?
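
To triage a repeated rule 551 alert like the one quoted above, it helps to compare the file as it is now against both sides of the alert. The following is an added example, not part of the original thread or of OSSEC; the function names and the sample file contents are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample: made-up file contents, hashed below to build an alert in
# the layout quoted in the thread. Nothing here comes from a real host.
OLD, NEW = b"Welcome\n", b"Welcome\nKernel 2.6.32-1\n"

def digests(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def build_sample_alert(path, old, new):
    o, n = digests(old), digests(new)
    return (f"Integrity checksum changed for: '{path}'\n"
            f"Old md5sum was: '{o['md5']}'\n"
            f"New md5sum is : '{n['md5']}'\n"
            f"Old sha1sum was: '{o['sha1']}'\n"
            f"New sha1sum is : '{n['sha1']}'\n")

QUOTE = re.compile(r"^(?:>[ \t]?)+", re.M)  # mail-reply quote markers
PATH = re.compile(r"^Integrity checksum changed for: '(.+)'", re.M)
FIELD = re.compile(r"^(Old|New) (md5|sha1)sum (?:was|is)\s*: '([0-9a-f]+)'", re.M)

def parse_alert(text):
    """Return {'path', 'old', 'new'} from a syscheck alert body, quoted or not."""
    text = QUOTE.sub("", text)
    m = PATH.search(text)
    if not m:
        raise ValueError("no syscheck path line found")
    out = {"path": m.group(1), "old": {}, "new": {}}
    for which, algo, value in FIELD.findall(text):
        out[which.lower()][algo] = value
    return out

def classify(alert, current_bytes):
    """Compare the file's current contents with both sides of the alert."""
    now = digests(current_bytes)
    def same(side):  # compare only the algorithms the alert actually carried
        return bool(side) and all(now[a] == v for a, v in side.items())
    if same(alert["new"]):
        return "matches-new"       # unchanged since the alert fired
    if same(alert["old"]):
        return "reverted-to-old"   # the earlier content is back
    return "changed-again"         # modified further since the alert
```

On a real host, pass `open(alert["path"], "rb").read()` as `current_bytes`; a file that keeps flipping between two contents suggests a scheduled job or login script is rewriting it.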
