#general
Guillaume

10/12/2021, 2:50 PM
Is anyone using osquery to track anything related to local GPG keys? For example, in an environment with OpenPGP cards or Yubikeys, track that no private keys can be found in the standard locations? Maybe with Augeas. Just a use case I thought of this weekend while playing with gpg…
Zach Zeid

10/12/2021, 3:02 PM
Not running in production, but I've definitely used augeas to look at the authorized_keys file before. fwiw, iirc, Yubikeys store the private keys on the Yubikey itself, so it may be difficult to glean those
Guillaume

10/12/2021, 3:59 PM
Yeah, I'm interested in finding them on the laptop. The idea being, if you're using the yubikey as intended I should never find a private key on your laptop 😃
Zach Zeid

10/12/2021, 4:02 PM
augeas might get you there, though its effectiveness depends on the way the contents are formatted. iirc, augeas likes INI-type files
seph

10/12/2021, 4:02 PM
We do something like that for ssh keys.
4:03 PM
Broadly speaking, I think it’s hard to exhaustively search disk. (This point is not universally agreed on). So if you can limit the search space, I think it’s fairly achievable.
Guillaume

10/12/2021, 4:06 PM
Yeah, I'm not looking for an exhaustive search (though a custom table using gpg would be great), just looking for accidental “oops, I generated keys on the laptops” kind of mistakes
seph

10/12/2021, 6:16 PM
I could imagine crawling the obvious places in user homedirs and checking that.
6:16 PM
I haven’t written the code, so I can’t guess how easy/hard it is
Zach Zeid

10/12/2021, 6:18 PM
Yeah, I think this is something complex enough in the implementation that you write rules that trend more towards operator error and less towards malicious actors. In that case you could just monitor common directories where keys could be, not necessarily where malicious actors could hide keys
Guillaume

10/12/2021, 11:19 PM
Yep, 100% for accidental and non-malicious policy violations
11:19 PM
Just like catching unencrypted ssh keys for example