I have recently installed OSSEC (2.8.1), and during the installation I noticed that it created some extra user accounts. But when viewing those user accounts in my System Settings > User Accounts settings I noticed that all of those accounts created by OSSEC are disabled. Should I enable them? If not, what do they do if they are disabled, and what would be the purpose of having them?
Here is what the new user accounts that it created are called (they are all Standard user accounts):
- ossecr
- ossecm
- ossec
OS Information:
Description: Ubuntu 14.10
Release: 14.10
Best Answer
Those users are users created for OSSEC and you should not change them. They are disabled because you need not see them and need not use them. Very simple: this software locks down these users so a normal user cannot mess with them. If someone knows your admin password and gets access you are in deep problems anyway, and a normal user cannot change these users' settings. So the integrity of the checks OSSEC wants to perform can be sort of guaranteed.
The makefile has a lot of settings that include the users you mention and a couple of groups. Default is:
If you look at the daemon it explains parts of the users:
Same applies for ossecm:
Same applies for ossecr:
Their documentation is pretty decent. Have a look at the manual, FAQ and user cookbooks.
In general: I would take software to scan for root kits and intrusion detection as is. These pieces of software should have the security tied down as much as possible.
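One way to confirm that the accounts named in the question are locked service accounts rather than usable logins, as an added example that is not part of the original answer or OSSEC's own code. The helper names and the sample passwd/shadow lines (UIDs, home directory, shells) are constructed for illustration, and `ossecr` is deliberately given a real shell so the check has something to flag.

```sh
#!/bin/sh
# Added example. Account names are from the question; the passwd/shadow
# lines written by make_sample are constructed, not taken from a real host.

# Print field $3 of user $2's entry in the colon-separated file $1.
field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }' "$1"
}

# Print "locked", "review" or "missing" for user $3, given a passwd-format
# file $1 and a shadow-format file $2.
account_state() {
    [ -n "$(field "$1" "$3" 1)" ] || { echo missing; return 0; }
    case "$(field "$1" "$3" 7)" in
        */nologin|*/false) ;;            # no interactive shell
        *) echo review; return 0 ;;      # real shell, or empty (= /bin/sh)
    esac
    case "$(field "$2" "$3" 2)" in
        '!'*|'*'*) echo locked ;;        # no password can ever match
        *) echo review ;;                # usable or empty password field
    esac
}

# Write constructed sample files into directory $1.
make_sample() {
    cat > "$1/passwd" <<'EOF'
ossec:x:1001:1001::/var/ossec:/bin/false
ossecm:x:1002:1001::/var/ossec:/bin/false
ossecr:x:1003:1001::/var/ossec:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
ossec:!:16400:0:99999:7:::
ossecm:*:16400:0:99999:7:::
ossecr:!:16400:0:99999:7:::
EOF
}

# Demo on the constructed files.
dir=$(mktemp -d)
make_sample "$dir"
for u in ossec ossecm ossecr; do
    printf '%s: %s\n' "$u" "$(account_state "$dir/passwd" "$dir/shadow" "$u")"
done
rm -rf "$dir"
```

On a real system, pass `/etc/passwd` and `/etc/shadow` instead of the sample files; reading `/etc/shadow` requires root.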