How to Encrypt OSSEC Email Alerts

You can use procmail to encrypt the email alerts that are sent by OSSEC. This article explains one of several ways to achieve this.

I did this by using the following:

  • Ubuntu 12.04 LTS
  • procmail
  • postfix
  • OSSEC
  • gnupg
  • Another SMTP server

First, edit your OSSEC configuration at /var/ossec/etc/ossec.conf to tell it to send mails to the root account on the localhost.

<global>
  <email_notification>yes</email_notification>
  <email_to>root@localhost</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossec@localhost</email_from>
</global>

Then, forward the alerts to the ossec account by adding an alias:

echo "root: ossec" >> /etc/aliases
postalias /etc/aliases

Tell postfix to use procmail as LDA (Local Delivery Agent):

vim /etc/postfix/main.cf

Insert this on the first line:

mailbox_command = /usr/bin/procmail

Your postfix configuration needs to look similar to this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
mailbox_command = /usr/bin/procmail

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

myhostname =
myorigin = $myhostname
mydestination = hostname localhost
relayhost = smtp.example.com
relay_domains =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all

Reload postfix:

postfix reload

Import the public PGP key and assign the right permissions to the .gnupg directory:

gpg --homedir /var/ossec/.gnupg --import pubkey.asc
chmod -R 700 /var/ossec/.gnupg
chown -R ossec:root /var/ossec/.gnupg

Create a procmail recipe:

vim /var/ossec/.procmailrc
VERBOSE=yes
MAILDIR=/var/mail/
DEFAULT=$MAILDIR
LOGFILE=/var/log/procmail.log

# Capture the original subject; procmail exports variables to child processes,
# so the encryption script can reuse it.
SUBJECT=`formail -xSubject:`
# 'c' delivers a copy to DEFAULT as well; the condition matches mail addressed to root.
:0 c
*^To:.*root.*
|/var/ossec/sent_encrypted_alarm.sh

Create a script that encrypts the mails:

vim /var/ossec/sent_encrypted_alarm.sh
#!/bin/bash

# formail -I "" strips the headers so only the body is encrypted;
# gpg -ear encrypts to the recipient's key as ASCII armor (--trust-model always skips the key trust check);
# mail sends the result with the original subject, which therefore stays in cleartext.
/usr/bin/formail -I "" | /usr/bin/gpg --homedir /var/ossec/.gnupg --trust-model always -ear "john@example.com" | /usr/bin/mail -s "$SUBJECT" john@example.com

Give it execute permissions and the right owner:

chmod +x /var/ossec/sent_encrypted_alarm.sh
chown ossec:root /var/ossec/sent_encrypted_alarm.sh

Create the procmail log file, and give it the correct permissions and owner:

touch /var/log/procmail.log
chmod 660 /var/log/procmail.log
chown ossec:root /var/log/procmail.log

This should work. If it doesn’t, check /var/log/mail.log and /var/log/procmail.log.
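A verification helper, added here as an example and not part of the original article or of OSSEC/procmail: it inspects a delivered message and reports whether the body is an OpenPGP armored message and which header lines still expose alert wording in cleartext (the recipe above passes the Subject through unencrypted). Both sample messages are constructed for this example.

```shell
#!/bin/sh
# Added verification helper (example code, not from the article). The two sample
# messages below are constructed; they stand in for what the recipient receives.

SAMPLE_ENCRYPTED='From: ossec@localhost
To: john@example.com
Subject: OSSEC Notification - (example) - Alert level 10

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

hQEMA...constructed placeholder ciphertext...
-----END PGP MESSAGE-----'

SAMPLE_PLAIN='From: ossec@localhost
To: john@example.com
Subject: OSSEC Notification - (example) - Alert level 10

OSSEC HIDS Notification.
Rule: 5710 fired (level 10) -> "Attempt to login using a non-existent user"'

# body_is_pgp_armored: message on stdin; exit 0 when the first non-blank body
# line is the OpenPGP armor header, 1 otherwise (an empty body counts as not encrypted).
body_is_pgp_armored() {
    awk '!inbody && /^$/ { inbody = 1; next }
         inbody && NF    { armored = ($0 == "-----BEGIN PGP MESSAGE-----"); exit }
         END             { if (armored) exit 0; exit 1 }'
}

# leaking_headers: message on stdin; prints header lines (everything before the
# first blank line) that still carry OSSEC alert wording in cleartext.
leaking_headers() {
    awk '/^$/ { exit }
         /OSSEC Notification|Alert level/ { print }'
}

# Run both checks over the constructed samples.
for name in SAMPLE_ENCRYPTED SAMPLE_PLAIN; do
    eval "msg=\$$name"
    if printf '%s\n' "$msg" | body_is_pgp_armored; then
        echo "$name: body is PGP-encrypted"
    else
        echo "$name: body is NOT encrypted"
    fi
    printf '%s\n' "$msg" | leaking_headers | sed "s/^/$name: cleartext header: /"
done
```

If the Subject must not reveal alert details either, replace `-s "$SUBJECT"` in the script with a fixed generic subject and keep the original subject inside the encrypted body.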