Ubuntu – OSSEC user accounts disabled

ossec, security, user-management, users

I have recently installed OSSEC (2.8.1), and during the installation I noticed that it created some extra user accounts. But when viewing those user accounts in my System Settings > User Accounts settings I noticed that all of those accounts created by OSSEC are disabled. Should I enable them? If not, what do they do if they are disabled, and what would be the purpose of having them?

Here is what the new user accounts that it created are called (they are all Standard user accounts):

  • ossecr

  • ossecm

  • ossec


OS Information:

Description:    Ubuntu 14.10
Release:    14.10

Best Answer

Those users are users created for OSSEC and you should not change them. They are disabled because you need not see them and need not use them. Very simple: this software locks down these users so a normal user cannot mess with them. If someone knows your admin password and gets access you are in deep problems anyway, and a normal user cannot change these users' settings. So the integrity of the checks OSSEC wants to perform can be sort of guaranteed.

The makefile has a lot of settings that include the users you mention and a couple of groups. Default is:

User settings:
OSSEC_GROUP:     ossec
OSSEC_USER:      ossec
OSSEC_USER_MAIL: ossecm
OSSEC_USER_REM:  ossecr

If you look at the daemon it explains parts of the users:

ossec-agentd

ossec-agentd is the client side daemon that communicates with the server. It runs as ossec and is chrooted to /var/ossec by default.

  • Main point here is "chrooted": to prevent someone messing with the ossec user and being able to circumvent the checks OSSEC wants to perform, it is disabled by default.

Same applies for ossecm:

ossec-maild

The ossec-maild daemon sends OSSEC alerts via email. ossec-maild is started by ossec-control. Configuration for ossec-maild is handled in the ossec.conf. (see ossec.conf: Global options)

  • The default user used for the mail checks is ossecm.

Same applies for ossecr:

ossec-remoted

ossec-remoted is the server side daemon that communicates with the agents. It can listen to port 1514/udp (for OSSEC communications) and/or 514 (for syslog). It runs as ossecr and is chrooted to /var/ossec by default. ossec-remoted is configured in the section of ossec.conf. (see ossec.conf: Remote Options)

Their documentation is pretty decent. Have a look at the manual, FAQ and user cookbooks.

In general: I would take software to scan for root kits and intrusion detection as is. These pieces of software should have the security tied down as much as possible.
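To confirm that the three accounts are still locked down, the check below is an added example, not part of the original answer or of OSSEC. It assumes "disabled" means a locked password field in the shadow file and a non-login shell in the passwd file; `audit_account` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a service account is locked down.
# Prints one word: ok | missing | login-shell | unlocked
audit_account() {
    user=$1 passwd_file=$2 shadow_file=$3

    # passwd field 7 is the login shell; awk exits non-zero if no entry matches.
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; f = 1 } END { exit !f }' \
        "$passwd_file") || { echo missing; return 1; }
    case $shell in
        */nologin|*/false) ;;                 # cannot start an interactive session
        *) echo login-shell; return 1 ;;
    esac

    # shadow field 2 is the password hash; a leading '!' or '*' means locked.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
    case $hash in
        '!'*|'*'*) echo ok ;;
        *) echo unlocked; return 1 ;;         # usable hash, empty, or no entry
    esac
}

# Constructed sample data (not from a real system); ossecm and ossecr are
# deliberately misconfigured to show what the check reports.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
ossec:x:1001:1001::/var/ossec:/bin/false
ossecm:x:1002:1001::/var/ossec:/bin/false
ossecr:x:1003:1001::/var/ossec:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
ossec:!:16400:0:99999:7:::
ossecm:$6$constructed$not-a-real-hash:16400:0:99999:7:::
ossecr:!:16400:0:99999:7:::
EOF

for u in ossec ossecm ossecr; do
    printf '%s: %s\n' "$u" "$(audit_account "$u" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow")"
done
```

On a real system, pass `/etc/passwd` and `/etc/shadow` as the two file arguments; reading the shadow file requires root.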