Is anyone using osquery to track anything related to local G

Question

Is anyone using osquery to track anything related to local GPG keys For example in an environment with OpenPGP cards or Yubikeys track that no private keys can be found in the standard locations Maybe with Augeas Just a use case I thought of this weekend while playing with gpg

Zach Zeid · Answer

Not running in production but I ve definitely used `augeas` to look at the authorized keys file before fwiw iirc yubikey s store the private keys on the yubikey itself so it may be difficult to glean those

Guillaume · Answer

Yeah I m interested in finding them on the laptop The idea being if you re using the yubikey as intended I should never find a private key on your laptop

Zach Zeid · Answer

`augeas` might get you there though it s effectiveness depends on the way the contents are formatted irrc `augeas` likes INI type files

seph · Answer

We do something like for ssh keys

seph · Answer

Broadly speaking I think it s hard to exhaustively search disk This point is not universally agreed on So if you can limit the search space I think it s fairly achievable

Guillaume · Answer

Yeah I m not looking for exhaustive search though a custom table using gpg would be great just looking for accidental oops I generated keys on the laptops kind of mistakes

seph · Answer

I could imagine crawling the obvious places in user homedirs and checking that

seph · Answer

I haven t written the code so I can t guess how easy hard it is

Zach Zeid · Answer

yeah I think this is something complex enough in the implementation that you write rules that trend more towards operator error and less on malicious actors In that case you could just monitor common directories where keys could be not necessarily where malicious actors could hide keys

Guillaume · Answer

Yep 100 for accidental and non malicious policy violation

Guillaume · Answer

Just like catching unencrypted ssh keys for example