Hi Peter,

These three users allow the ossec processes to be executed with limited privileges and chrooted to directories, to ensure the highest privilege separation that would allow them to fulfill their function.

Depending on the specific CIS benchmark you are running and the policy which is warning about this, the rationale may vary, but for example on the Distribution Independent Benchmark version 2.0.0, policy 6.2.9: "Ensure users own their home directories" will complain because /var/ossec is the folder for these three system users but the folder is owned by root. The rationale for this check is that each user should be accountable for the files in their home directory; however, given that root privileges are necessary for enacting changes within these folders, the policy may be ignored.

Let me know if this answers your question; if not, let us know which is the policy that is being triggered.

Best Regards,
Sandra

On Wednesday, August 26, 2020 at 4:11:07 AM UTC+2 Peter wrote:

> I also posted this question in Reddit
>
> When we run a CIS policy scan on a Linux server running Ossec, it
> complains that the three users ossec, ossecm, ossecr all share the home
> directory /var/ossec.
>
> Does anyone have a recommendation on the importance of this finding,
> whether it is OK to ignore, or possible to remediate?
>
> I realize you may need more context to make a recommendation, but if not,
> please do.
>
> thanks
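
A simplified check for the two conditions discussed in this thread (several accounts sharing one home directory, and a home directory not owned by its account), as an added example that is not part of the original messages and is not the CIS benchmark's own audit script. The function names `audit_homes` and `make_sample`, the finding labels, and the sample UIDs are constructed for illustration.

```shell
#!/bin/sh
# audit_homes PASSWD_FILE
# Reads passwd(5)-format lines and prints one finding per line:
#   SHARED <home> <user,user,...>           home listed for more than one account
#   NOT_OWNER <user> <home> owner_uid=<n>   home not owned by the account's UID
#   MISSING <user> <home>                   home directory does not exist
audit_homes() {
    passwd_file=$1
    # Group accounts by home directory (field 6) and report duplicates.
    awk -F: '$6 != "" { n[$6]++; u[$6] = (u[$6] ? u[$6] "," : "") $1 }
             END { for (h in n) if (n[h] > 1) print "SHARED", h, u[h] }' \
        "$passwd_file" | sort
    # Compare each account UID with the numeric owner of its home directory.
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$home" ] || continue
        if [ ! -d "$home" ]; then
            echo "MISSING $user $home"
            continue
        fi
        owner=$(ls -ldn "$home" | awk '{print $3}')
        [ "$owner" = "$uid" ] || echo "NOT_OWNER $user $home owner_uid=$owner"
    done < "$passwd_file"
}

# make_sample DIR
# Builds a constructed layout under DIR that mirrors the thread: three service
# accounts share DIR/var/ossec, which is owned by a different UID (the user
# running the script stands in for root). alice owns her own home.
make_sample() {
    sample_root=$1
    me=$(id -u)
    mkdir -p "$sample_root/var/ossec" "$sample_root/home/alice"
    cat > "$sample_root/passwd" <<EOF
alice:x:$me:$me::$sample_root/home/alice:/bin/sh
ossec:x:$((me + 1001)):1001::$sample_root/var/ossec:/sbin/nologin
ossecm:x:$((me + 1002)):1001::$sample_root/var/ossec:/sbin/nologin
ossecr:x:$((me + 1003)):1001::$sample_root/var/ossec:/sbin/nologin
EOF
}
```

On a real host, `audit_homes /etc/passwd` reports the live accounts; findings for service accounts such as these are candidates for a documented exception rather than a change of ownership, per the reply above.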