[ossec-list] Re: Integrity Checks and Diffs?
- To: <ossec-list@xxxxxxxxxxxxxxxx>
- Subject: [ossec-list] Re: Integrity Checks and Diffs?
- From: "Marty E. Hillman" <mehillman@xxxxxxxxxxxx>
- Date: Thu, 7 Sep 2006 15:32:48 -0500
-----Original Message-----
David Vasil wrote:
>Marty E. Hillman wrote:
>> That brings up a good idea for future enhancement: the ability to gpg
>> encrypt email so that information is not clear text. An attacker with
>> access to the internal network could theoretically poison the arp
>> cache and intercept packets corresponding to any such reporting email
>> at present. The log would remain intact, but the alert could be
>> prevented.
>
>Wouldn't this require the OSSEC daemon to have access to a passwordless
>gpg private key to encrypt the message? I guess you could argue that
>if someone breaks into your OSSEC management host you have bigger things
>to worry about than a compromised passwordless gpg key.
>
>--
>-dave
Let me know if this sounds feasible.
I suppose one *could* use the forwarded pipe function of ssh to forward
the mail across a secure pipe to the mail server. This would keep it
encrypted within the tunnel. Just install Cygwin with ssh on the
Exchange server (assuming a mostly Micro$oft network like mine). On the
OSSEC machine,
ssh user@xxxxxxxxxxxx -L 25:mailserver.mynetwork.com:25
This should redirect all port 25 traffic to the corresponding SMTP port
on the server. Just email at localhost.
Setting up Cygwin to tunnel -
http://pigtail.net/LRP/printsrv/cygwin-sshd.html
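A health check for the forward described above, added here as an example and not part of the original message: ssh accepts the local connection even when it cannot reach the mail server, so the check requires the SMTP 220 greeting before calling the alert path usable. The fake_endpoint helper, the greeting text and mail.example.test are constructed for the demonstration.

```python
import socket
import threading


def check_smtp_forward(host="127.0.0.1", port=25, timeout=5.0):
    """Probe the local end of the ssh -L forward; return (state, detail)."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # nothing listening: the ssh session is gone
        return ("tunnel-down", str(exc))
    with conn, conn.makefile("rb") as stream:
        try:
            line = stream.readline(512)
        except OSError as exc:  # timeout or reset while waiting
            return ("no-banner", str(exc))
    text = line.decode("ascii", "replace").strip()
    if not text:
        # ssh took the connection but the far side never greeted us
        return ("no-banner", "connection closed before any SMTP greeting")
    if text.startswith("220"):
        return ("ok", text)
    return ("unexpected", text)


def fake_endpoint(greeting):
    """Constructed stand-in listener: sends `greeting`, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        peer, _ = srv.accept()
        with peer:
            if greeting:
                peer.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    up = fake_endpoint(b"220 mail.example.test ESMTP ready\r\n")
    print(check_smtp_forward(port=up))
    dead_end = fake_endpoint(b"")  # forward accepted, mail server unreachable
    print(check_smtp_forward(port=dead_end))
```

Run from cron on the OSSEC machine, any state other than "ok" means alert mail sent to localhost is not reaching the mail server.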