macker wrote:
> Hey folks,
>
> I'm new to the list, I'm macker.

Hello, Macker. Welcome to the list. You'll find this to be a friendly place.

> 1) user accounts: ossec requires 3 separate user accounts and 1 group
> account. Due to my internal linux patch management system, it would be
> preferable not to need 3 separate user accounts. Is there a way to have
> it run as 1 user account, or is that lowering the security/segregation
> of duty, etc?

It may be possible, but it's not recommended. OSSEC does this as a matter of proper privilege separation between the daemons. This reduces the chance of a remote exploit leading to a full compromise. It is designed to be secure by default and any changes would have to be weighed very carefully.

> 3) Anyone have success/horror stories I should be aware about with this
> amount of servers? Perhaps helpful advice, lessons learned.

This amount of servers is no problem for OSSEC. It can handle a load like this with very minimal hardware. My advice would be to implement with a slow, methodical approach. Tune as you go. You don't want to be bombarded with alerts and start to mentally tune them out.
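One practical follow-up to the privilege-separation point above: after installing, verify that the daemons really are running under distinct, non-root accounts rather than having been collapsed onto one user. The script below is an added example written for this thread, not something posted by macker or shipped with OSSEC. It reads "USER COMMAND" pairs of the kind `ps -eo user=,comm= | grep ossec-` produces and fails when fewer than the expected number of distinct non-root accounts appear. The sample process lists are constructed; the daemon names and the ossec/ossecm/ossecr accounts reflect OSSEC's default install layout and are assumptions about your host, not facts from the thread.

```shell
#!/bin/sh
# Added example: check that OSSEC's daemons run under separate non-root
# accounts. Input is a file of "USER COMMAND" lines, e.g. produced by:
#   ps -eo user=,comm= | grep ossec- > /tmp/ossec-procs
# (this illustration uses constructed lists instead of a live ps).

# Print the number of distinct non-root accounts found in the list.
count_nonroot_users() {
    awk '$1 != "root" && !seen[$1]++ { n++ } END { print n+0 }' "$1"
}

# Succeed only when at least $2 (default 3) distinct non-root accounts are
# used; on failure, print the daemon/account table so the collapse is visible.
check_privsep() {
    min=${2:-3}
    n=$(count_nonroot_users "$1")
    if [ "$n" -lt "$min" ]; then
        echo "privilege separation FAILED: $n non-root account(s), expected >= $min" >&2
        awk '{ printf "  %-8s %s\n", $1, $2 }' "$1" >&2
        return 1
    fi
    echo "privilege separation OK: $n distinct non-root account(s)"
    return 0
}

# Constructed sample 1: the default layout (assumed), three separate accounts.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
root    ossec-execd
ossec   ossec-analysisd
ossecr  ossec-remoted
ossecm  ossec-maild
ossec   ossec-monitord
root    ossec-logcollector
root    ossec-syscheckd
EOF

# Constructed sample 2: everything squeezed onto a single "ossec" account,
# the setup the original question asks about.
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
root    ossec-execd
ossec   ossec-analysisd
ossec   ossec-remoted
ossec   ossec-maild
EOF

check_privsep "$GOOD" 3          # reports OK with 3 accounts
check_privsep "$BAD" 3 || true   # reports the failure and lists the daemons
```

Run it against a live host by replacing the constructed files with the output of the `ps` pipeline in the header comment; a failing result means the network-facing remoted and the mail-sending maild share an account with analysisd, which is exactly the separation the reply warns against giving up.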
