Those users are users created for OSSEC and you should not change them. They are disabled because you need not see them and need not use them. Very simple: this software locks down these users so a normal user cannot mess with them. If someone knows your admin password and gets access, you are in deep problems anyway, and a normal user cannot change these users' settings. So the integrity of the checks OSSEC wants to perform can be sort of guaranteed.
The makefile has a lot of settings that include the users you mention and a couple of groups. Default is:
User settings:
OSSEC_GROUP: ossec
OSSEC_USER: ossec
OSSEC_USER_MAIL: ossecm
OSSEC_USER_REM: ossecr
If you look at the daemon it explains parts of the users:
ossec-agentd
ossec-agentd is the client side daemon that communicates with the server. It runs as ossec and is chrooted to /var/ossec by default.
- Main point here is "chrooted": to prevent someone messing with the ossec user and being able to circumvent the checks OSSEC wants to perform it is disabled by default.
Same applies for ossecm:
ossec-maild
The ossec-maild daemon sends OSSEC alerts via email. ossec-maild is started by ossec-control. Configuration for ossec-maild is handled in the ossec.conf. (see ossec.conf: Global options)
- The default user used for the mail checks is ossecm.
Same applies for ossecr:
ossec-remoted
ossec-remoted is the server side daemon that communicates with the agents. It can listen to port 1514/udp (for OSSEC communications) and/or 514 (for syslog). It runs as ossecr and is chrooted to /var/ossec by default. ossec-remoted is configured in the section of ossec.conf. (see ossec.conf: Remote Options)
Their documentation is pretty decent. Have a look at the manual, FAQ and user cookbooks.
In general: I would take software to scan for root kits and intrusion detection as is. These pieces of software should have the security tied down as much as possible.
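A check that follows from the answer above, as an added example that is not part of the original answer or OSSEC's own code: it audits passwd/shadow entries for the default account names listed above (ossec, ossecm, ossecr) and reports any that could log in interactively. The sample entries are constructed, and the list of no-login shells and the function names are assumptions.

```python
# Account names are the Makefile defaults quoted in the answer above.
OSSEC_ACCOUNTS = ("ossec", "ossecm", "ossecr")
# Shells that refuse interactive logins (assumed list; extend per distribution).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample data in passwd(5) / shadow(5) format, not from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ossec:x:998:998::/var/ossec:/sbin/nologin
ossecm:x:997:998::/var/ossec:/bin/bash
ossecr:x:996:998::/var/ossec:/bin/false
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
ossec:!:19000::::::
ossecm:!!:19000::::::
ossecr::19000::::::
"""

def parse_colon_file(text):
    """Map the first field to the full field list for a passwd/shadow style file."""
    rows = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if fields[0] and not fields[0].startswith("#"):
            rows[fields[0]] = fields
    return rows

def audit(passwd_text, shadow_text, accounts=OSSEC_ACCOUNTS):
    """Return {account: [findings]}; an empty list means the account is locked down."""
    passwd, shadow = parse_colon_file(passwd_text), parse_colon_file(shadow_text)
    report = {}
    for name in accounts:
        entry = passwd.get(name)
        if entry is None or len(entry) < 7:
            report[name] = ["missing or malformed passwd entry"]
            continue
        findings = []
        if entry[6] not in NOLOGIN_SHELLS:
            findings.append("login shell " + entry[6])
        srow = shadow.get(name)
        # shadow(5): a password field starting with '!' or '*' matches no password;
        # an empty field means no password is required at all.
        if srow is None or len(srow) < 2:
            findings.append("no shadow entry")
        elif not srow[1].startswith(("!", "*")):
            findings.append("password not locked" if srow[1] else "empty password")
        report[name] = findings
    return report
```

On a real host, pass `audit()` the contents of /etc/passwd and /etc/shadow; reading the latter requires root.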