Configure the Wazuh manager to send an email notification through Amazon SES (relayed by a local Postfix instance) whenever an alert is triggered.
SMTP
Create a dedicated AWS IAM user for this relay, with an access key used for nothing else, and attach only the following policy. It grants a single action (ses:SendRawEmail) on a single verified identity, so a leaked key can at most send mail as that identity — keep it that narrow.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ses:SendRawEmail",
"Resource": "arn:aws:ses:REGION:ACCOUNT_ID:identity/IDENTITY"
}
]
}
Replace REGION, ACCOUNT_ID, and IDENTITY with the SES Region, your account ID, and the verified sender identity (domain or address). REGION must be the same Region you use below when generating the SMTP password and in the Postfix relay endpoint.
Generate the SMTP password. SES SMTP credentials are not the IAM keys themselves: the SMTP username is the IAM access key ID, and the SMTP password is derived from the secret access key with the script below. The derivation includes the Region, so a password only authenticates against that Region's SMTP endpoint.
import argparse
import base64
import getpass
import hashlib
import hmac
import os
# Regions with an SES SMTP endpoint; both calculate_key() and the CLI
# reject anything not listed here.
# NOTE(review): mirrors the list in AWS's reference script; SES SMTP is
# offered in more Regions today, so confirm against the current SES
# endpoint list before treating this allowlist as authoritative.
SMTP_REGIONS = [
    'us-east-2',      # US East (Ohio)
    'us-east-1',      # US East (N. Virginia)
    'us-west-2',      # US West (Oregon)
    'ap-south-1',     # Asia Pacific (Mumbai)
    'ap-northeast-2', # Asia Pacific (Seoul)
    'ap-southeast-1', # Asia Pacific (Singapore)
    'ap-southeast-2', # Asia Pacific (Sydney)
    'ap-northeast-1', # Asia Pacific (Tokyo)
    'ca-central-1',   # Canada (Central)
    'eu-central-1',   # Europe (Frankfurt)
    'eu-west-1',      # Europe (Ireland)
    'eu-west-2',      # Europe (London)
    'sa-east-1',      # South America (Sao Paulo)
    'us-gov-west-1',  # AWS GovCloud (US)
]

# Fixed, AWS-specified inputs of the derivation. They are part of the
# HMAC chain below, so altering any of them changes the resulting
# password — do not change them.
DATE = "11111111"
SERVICE = "ses"
MESSAGE = "SendRawEmail"
TERMINAL = "aws4_request"
VERSION = 0x04


def sign(key, msg):
    """Return the raw HMAC-SHA256 digest of *msg* (UTF-8 encoded) under *key*."""
    mac = hmac.new(key, msg.encode('utf-8'), hashlib.sha256)
    return mac.digest()


def calculate_key(secret_access_key, region):
    """Derive the SES SMTP password for *secret_access_key* in *region*.

    The secret is never used directly as the SMTP password. It seeds a
    chain of HMAC-SHA256 operations over DATE, the region, SERVICE,
    TERMINAL and MESSAGE (in that order); the final digest is prefixed
    with the VERSION byte and base64-encoded. Because the region is part
    of the chain, the result is specific to that region's SMTP endpoint.

    Args:
        secret_access_key: the IAM user's secret access key (str).
        region: an entry of SMTP_REGIONS.

    Returns:
        The base64 SMTP password as a str.

    Raises:
        ValueError: if *region* is not one of SMTP_REGIONS.
    """
    if region not in SMTP_REGIONS:
        raise ValueError(f"The {region} Region doesn't have an SMTP endpoint.")
    # Each step's digest becomes the key for the next step.
    derived = ("AWS4" + secret_access_key).encode('utf-8')
    for part in (DATE, region, SERVICE, TERMINAL, MESSAGE):
        derived = sign(derived, part)
    encoded = base64.b64encode(bytes([VERSION]) + derived)
    return encoded.decode('utf-8')
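def main():
    """Parse the command line and print the derived SES SMTP password.

    The secret access key is taken, in order of preference, from the
    optional ``secret`` positional argument, the AWS_SECRET_ACCESS_KEY
    environment variable, or an interactive no-echo prompt. Passing it as
    an argument still works (backward compatible) but records the key in
    shell history and exposes it in process listings, so the environment
    variable or the prompt should be preferred.
    """
    parser = argparse.ArgumentParser(
        description='Convert a Secret Access Key to an SMTP password.')
    parser.add_argument(
        'secret', nargs='?', default=None,
        help='The Secret Access Key to convert. Omit it to read '
             'AWS_SECRET_ACCESS_KEY from the environment or to be prompted; '
             'passing it here leaves it in shell history and ps output.')
    parser.add_argument(
        'region',
        help='The AWS Region where the SMTP password will be used.',
        choices=SMTP_REGIONS)
    args = parser.parse_args()
    secret = args.secret or os.environ.get('AWS_SECRET_ACCESS_KEY')
    if not secret:
        # getpass does not echo, so the key is neither displayed nor logged.
        secret = getpass.getpass('AWS Secret Access Key: ')
    if not secret:
        parser.error('no secret access key given')
    print(calculate_key(secret, args.region))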
# Script entry point; importing the module (e.g. to reuse calculate_key())
# runs only the definitions above and has no side effects.
if __name__ == '__main__':
    main()
# Prints the SES SMTP password derived from AWS_SECRET_KEY for REGION.
# CAUTION: a secret passed as an argument is recorded in shell history and
# visible in process listings while the script runs. Run it from a
# non-shared host, keep it out of history (e.g. HISTCONTROL=ignorespace and
# a leading space), and clear the line afterwards.
python3 path/to/smtp_credentials_generate.py AWS_SECRET_KEY REGION
Configure Postfix with the SES SMTP credentials
Put the credentials into /etc/postfix/sasl_passwd as a single line: the SES SMTP endpoint, then the IAM access key ID as the username and the password generated above. The endpoint's Region must be the Region the password was generated for — the derivation is Region-bound, so a password made for us-west-2 will not authenticate to another Region's endpoint. This file holds a plaintext credential: keep it owned by root with mode 0600, and apply the same to the sasl_passwd.db that postmap writes. The content is:
[email-smtp.us-west-2.amazonaws.com]:587 <AWS KEY ID>:<SMTP_PASSWORD>
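# sasl_passwd holds the SES credential in plaintext: restrict it, build the
# lookup table, and restrict the .db postmap produces as well, before the
# relay starts using it.
chmod 600 /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd.db
systemctl restart postfix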
Wazuh Email Notification
Merge the following `<global>` settings into the manager's ossec.conf (add them to the existing `<global>` block rather than creating a second one), then restart the wazuh-manager service for them to take effect.
<ossec_config>
<global>
<!-- Enable email alerting on the manager. -->
<email_notification>yes</email_notification>
<!-- Hand mail to the local Postfix relay, which authenticates to SES with the
     sasl_passwd credentials; no SES credential is stored in this file. -->
<smtp_server>localhost</smtp_server>
<!-- NOTE(review): both addresses below look redacted by extraction. email_from
     must be the SES-verified identity the IAM policy allows; email_to is the
     recipient of the notifications. -->
<email_from>[email protected]</email_from>
<email_to>[email protected]</email_to>
<!-- Cap on notification emails per hour; limits damage from an alert storm
     and keeps SES sending volume bounded. -->
<email_maxperhour>12</email_maxperhour>
<!-- Log file the mailer reads alerts from. -->
<email_log_source>alerts.log</email_log_source>
</global>
</ossec_config>
Verify Functionality
Send a test message through the local Postfix relay to confirm it authenticates to SES and delivers (watch the mail log for SASL or relay errors). This exercises only the Postfix-to-SES path; to verify the Wazuh side, trigger an alert on the manager and confirm a notification arrives.
# Submits /root/ses.test (a message file you prepare beforehand) to the local
# Postfix relay. The -f sender must be an SES-verified identity covered by the
# IAM policy, otherwise SES rejects the message.
sendmail -f [email protected] [email protected] < /root/ses.test