modify ossec alert script and iptables for signal-cli
- Conditional firewall rules in rules_v4 template will provide dns and outbound communication required for the postfix user under which java/signal-cli will run
- Conditional in `send_encrypted_alarm.sh` will dual-route alerts to signal
emkll committed Mar 1, 2018
1 parent be98661 commit 8381f84
Showing 2 changed files with 18 additions and 0 deletions.
Expand Up @@ -34,6 +34,12 @@ function send_encrypted_alert() {
echo "${encrypted_alert_text}" | \
/usr/bin/mail -s "$(echo "${SUBJECT}" | sed -r 's/([0-9]{1,3}\.){3}[0-9]{1,3}\s?//g' )" '{{ ossec_alert_email }}'
fi

#check for signal cli and send alert to number
if [[ -x "$(command -v signal-cli)" ]]; then
/usr/local/bin/signal-cli --config /etc/signal -u '{{ signal_number }}' send -m "${ossec_alert_text}" '{{ signal_destination_number }}'

@redshiftzero

redshiftzero Apr 2, 2018

Contributor

Thought I'm dropping here while I'm reviewing this, but recommend you hold off on implementing until we have some of the hard dependencies in #3182 addressed: there is a beefy email header in the OSSEC alerts that we should strip off when sending a Signal message. The only useful part of the header is the subject, e.g. this has the alert level; this I would preserve. Otherwise the information is either not useful, or is contained in the message body, e.g. the content of the message already contains the date and time of the OSSEC notification.

fi

}

# Failover alerting function, in case the primary function failed.
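Review bot: the guard tests `command -v signal-cli` but the call on the next line invokes a hard-coded `/usr/local/bin/signal-cli`, so when the binary lives elsewhere on PATH the check passes and the send fails; resolve once and reuse the result, e.g. `signal_cli="$(command -v signal-cli)"` followed by `"${signal_cli}" --config /etc/signal ...`. Two related points in the same block: the message body is the unredacted `${ossec_alert_text}`, whereas the email branch above strips IPv4 addresses from the subject with `sed -r 's/([0-9]{1,3}\.){3}[0-9]{1,3}\s?//g'`; the same filter should be applied to the Signal text so the two channels leak the same amount (none) of address information. And the exit status of the `signal-cli ... send` call is not checked, so a failed Signal send is silent and the failover function commented below will not be reached for it; consider `|| return 1` or logging the failure via the same path the email branch uses.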
Expand Up @@ -87,6 +87,18 @@
# postfix rule for outbound smtp
-A OUTPUT -p tcp --dport {{ smtp_relay_port }} -m owner --uid-owner postfix -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ossec email alerts out"
-A INPUT -p tcp --sport {{ smtp_relay_port }} -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ossec email alerts out"

{% if signal_notifications is defined and signal_notifications %}
# Signal-cli iptables rules
# dns rule
-A OUTPUT -d {{ dns_server }} -p tcp --dport 53 -m owner --uid-owner postfix -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "signal-cli dns rule"
-A OUTPUT -d {{ dns_server }} -p udp --dport 53 -m owner --uid-owner postfix -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "signal-cli dns rule"

# outbound rules for signal-cli
-A OUTPUT -p tcp --dport 443 -m owner --uid-owner postfix -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow signal-cli messages outbound" -j ACCEPT
-A INPUT -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow signal-cli responses inbound"
{% endif %}

{% endif %}
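Review bot: the new `{% if signal_notifications is defined and signal_notifications %}` block is nested inside the outer conditional that closes with the `{% endif %}` immediately after it (the one guarding the postfix SMTP rules above), so Signal rules are only rendered when that outer condition is also true; if Signal alerting is meant to work independently of email alerting, move the block outside the outer conditional, and if the coupling is intentional, say so in the comment on the `# Signal-cli iptables rules` line. On the rules themselves: the DNS rules are correctly pinned to `-d {{ dns_server }}` and `--uid-owner postfix`, but the `--dport 443` OUTPUT rule allows the postfix user to reach any host on 443; if the Signal service endpoints are stable enough to template, add a `-d` restriction the way the DNS rule does, otherwise note in the comment that this intentionally widens the postfix user's egress from SMTP-relay-only to any HTTPS destination. Minor: the 443 OUTPUT rule places `-j ACCEPT` after `-m comment`, unlike every other rule in this file; reorder for consistency.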



0 comments on commit 8381f84