Friday, May 20, 2011

Encrypting OSSEC Alert Emails

OSSEC cannot currently encrypt alert emails before sending them out, and I do not think anyone is currently working on this feature. It can be accomplished, in a hacky, way using procmail.

First install an smtp server, procmail, and your encryption program on the manager. Next, create a user account to receive the OSSEC alert emails. Create a .procmailrc with the following contents:
PATH=/usr/bin:/usr/local/bin
SHELL=/bin/sh

:0 Bfbw
| gpg --armor -r 'gpg_name' --encrypt

:0 c
! final_email@example.com

:0
$DEFAULT
The above procmailrc assumes gpg is the encryption program. Replace gpg_name with the name used by the key you want to use, and final_email@example.com with the email address of the user receiving the alerts.

This user should have the public keys of any users that will be receiving the email. Try encrypting a dummy file to make sure there are no yes/no prompts when using gpg (you may need to sign the keys). Send a test email to this user account to test procmail. It should show up in final_email's account, encrypted.

Finally, configure OSSEC to send the alert emails to the local user:
<email_to>user@localhost</user>
<smtp_server>127.0.0.1</smtp_server>
OSSEC should email the user account, which will encrypt the body of the message using procmail, and forward it to final_email@example.com. Like I said, it's a bit hackish, but it should work.

This whole idea started from an email to the OSSEC users list asking if OSSEC can encrypt emails. Of course my answer was no. But the question triggered something in the back of my brain, so I started to look into procmail. A few weeks of procrastinations, a bunch of google searches, and a short testing period resulted in the above. Hopefully someone finds it useful.

If you happen to be a procmail expert and have any comments, please add them. The above is mostly from examples I found online, and I know it will match ALL email sent to that user. I imagine anyone using it for more than OSSEC could easily add a subject line check in it, I didn't think it was necessary for this example.

1 comment:

  1. Thanks for this article. I believe my post to the OSSEC user list was your inspiration and I will give this a try.

    ReplyDelete