Is anyone using osquery to track anything related to local GPG keys? For example, in an environment with OpenPGP cards or Yubikeys, track that no private keys can be found in the standard locations? Maybe with Augeas. Just a use case I thought of this weekend while playing with gpg…

Not running in production, but I've definitely used

augeas

to look at the authorized_keys file before. fwiw, iirc, yubikey's store the private keys on the yubikey itself, so it may be difficult to glean those

Yeah, I'm interested in finding them on the laptop. The idea being, if you're using the yubikey as intended I should never find a private key on your laptop :)

augeas

might get you there, though it's effectiveness depends on the way the contents are formatted. irrc,

augeas

likes INI-type files

We do something like for ssh keys.

Yeah I'm not looking for exhaustive search, though a custom table using gpg would be great, just looking for accidental “oops I generated keys on the laptops” kind of mistakes

I could imagine crawling the obvious places in user homedirs and checking that.

yeah I think this is something complex enough in the implementation that you write rules that trend more towards operator error and less on malicious actors. In that case you could just monitor common directories where keys could be, not necessarily where malicious actors could hide keys

Yep 100% for accidental and non malicious policy violation