  • Creating, Updating Expiration of and Posting PGP Keys
    02/17/2018 8:10AM
    Following are some of my notes and how-tos on creating and managing PGP keys.

    Here is a link to a website with some very good information and best practices for managing keys:
    https://help.riseup.net/en/security/message-security/openpgp/best-practices

    Most of this article deals with setting an expiration date on a key pair to a reasonable time and how you can update that date as time goes by.  Separately from creating and publishing your public key, set a reminder in whatever calendar system you use so that you update the expiration date a couple of weeks BEFORE the key actually expires.  I typically set my keys to expire in 13 months and set my calendar to remind me after 12 or so months.

    1) Creating a key set and distributing your public key:

    As mentioned, when prompted, set a reasonable expiration time.  Also create a revocation certificate.  See the aforementioned link for details.

    - To create a key:
    $ gpg2 --gen-key

    - List keys:
    $ gpg2 --list-keys
    /data/home/rchapin/.gnupg/pubring.gpg
    -------------------------------------
    pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
    uid                  Ryan Chapin <rchapin@nbinteractive.com>
    sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

    - Distribute the public key (use hkps, an encrypted connection to the keyserver)
    $ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8


    2) Searching for keys and verifying that they have been posted to a public keyserver:

    - List your keys
    $ gpg2 --list-keys
    /data/home/rchapin/.gnupg/pubring.gpg
    -------------------------------------
    pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
    uid                  Ryan Chapin <rchapin@nbinteractive.com>
    sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

    The public key ID for this user is E5170CE8.  The 4096R indicates that it is a 4096-bit RSA key.

    - Searching for the key:
    To search for the key via a keyserver such as https://pgp.mit.edu/, enter the following in the search field:

      0xE5170CE8

    Make sure to prefix the hex value of the key ID with 0x to indicate to the keyserver that it is a hex value and not an ASCII search string.


    3) Update the expiration date of a key:

    - List your keys
    $ gpg2 --list-keys
    /data/home/rchapin/.gnupg/pubring.gpg
    -------------------------------------
    pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
    uid                  Ryan Chapin <rchapin@nbinteractive.com>
    sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

    - Edit the key:
    $ gpg2 --edit-key E5170CE8


    - Select the key to edit, then run the expire command.  Enter the amount of time after which the key will expire and follow the prompts to enter your passphrase.

    gpg> key 0
    gpg> expire
    Changing expiration time for the primary key.
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 13m
    Key expires at Thu 14 Mar 2019 08:42:22 AM EDT
    Is this correct? (y/N) y

    You need a passphrase to unlock the secret key for
    user: "Ryan Chapin <rchapin@nbinteractive.com>"
    4096-bit RSA key, ID E5170CE8, created 2015-03-26


    - Select the sub-key (key 1) and repeat the expire process

    - Save the key
    gpg> save

    - Send the updated key to a keyserver
    $ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8
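    As an added example (not part of the original post), here is a shell check that does the calendar reminder's job from the keyring itself: it reads `gpg2 --list-keys --with-colons` output and reports every key or subkey expiring within a given number of days, keyed by the full fingerprint rather than the short 8-hex-digit ID used above (short IDs are not unique). The colon-format sample below is constructed, not a real key.

```shell
#!/bin/sh
# Added example: warn about PGP keys that expire soon, using gpg's
# machine-readable listing. SAMPLE is constructed (not a real key); in
# practice feed it: gpg2 --list-keys --with-colons | keys_expiring_within 30 "$(date +%s)"
SAMPLE='pub:u:4096:1:0123456789ABCDEF:1427328000:1552521600::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1427328000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1427328000:1552521600:::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:'

# keys_expiring_within WARN_DAYS NOW_EPOCH   (reads --with-colons records on stdin)
# Prints "<fingerprint> <pub|sub> <days_left>" for each key or subkey whose
# expiration (field 7, seconds since the epoch) is within WARN_DAYS of NOW_EPOCH;
# already-expired keys show a negative day count.
# Exit status: 0 if nothing is close to expiring, 1 if at least one key is.
keys_expiring_within() {
  awk -F: -v warn="$1" -v now="$2" '
    # pub/sub record: remember its type and expiry, then wait for its fpr record
    $1 == "pub" || $1 == "sub" { type = $1; expiry = $7; pending = 1; next }
    # fpr record: field 10 is the full 40-hex-digit fingerprint
    $1 == "fpr" && pending {
      pending = 0
      if (expiry == "" || expiry + 0 == 0) next     # empty/0 = never expires
      days = int((expiry - now) / 86400)
      if (days <= warn) { printf "%s %s %d\n", $10, type, days; found = 1 }
    }
    END { exit(found ? 1 : 0) }'
}

# Demo against the constructed sample, pretending today is 2019-02-12 (30 days
# before the sample expiry of 2019-03-14): both primary key and subkey are listed.
printf '%s\n' "$SAMPLE" | keys_expiring_within 45 1549929600 \
  || echo "renew with: gpg2 --edit-key <fingerprint>, then --send-keys"
```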
  • HowTo Compile and Install New SELinux Policy Modules
    02/02/2018 4:31PM
    Following is a quick how-to on compiling and adding additional SELinux modules.

    When configuring and deploying new and/or custom services on systems that are enforcing SELinux, you will likely have to compile additional SELinux modules.

    This how-to walks through each step of compiling a new module one by one, similar to breaking the compilation of C and C++ down into its component steps.

    Step 1:  Gather the audit.log entries

    You will need to determine which action(s) SELinux is blocking.  To do so, you can tail the /var/log/audit/audit.log file.  You will see something similar to the following:

    type=AVC msg=audit(1517605342.101:88032): avc:  denied  { write } for  pid=7236 comm="check_zookeeper" path="/tmp/sh-thd-1517587323" dev="dm-0" ino=308042 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
    type=SYSCALL msg=audit(1517605342.101:88032): arch=c000003e syscall=2 success=no exit=-13 a0=1e2df10 a1=2c1 a2=180 a3=0 items=0 ppid=7232 pid=7236 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="check_zookeeper" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
    type=PROCTITLE msg=audit(1517605342.101:88032): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F6E6167696F732F706C7567696E732F636865636B5F7A6F6F6B65657065722E7368002D2D73746174

    Take that output and save it into a file.


    Step 2: Generate the Type Enforcement (te) File From the Log Output

    audit2allow -m new-module > new-module.te < audit-log-output


    Step 3:  Check and Compile the SELinux Security Policy Module (mod) File From the .te File

    checkmodule -M -m -o new-module.mod new-module.te


    Step 4:  Create the SELinux Policy Module Packet (pp) File From the .mod File

    semodule_package -o new-module.pp -m new-module.mod


    Step 5:  Install the SELinux Policy Module

    semodule -i new-module.pp
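    As an added example (not from the post), a shell check to run before step 2: it reduces each denied AVC record to the single allow rule audit2allow will generate for it, so you can see exactly which source type gets which permission on which target type, and fails if any denial targets a type you have named as off-limits. The first AVC line is the one from the post; the second, touching shadow_t, is constructed to show the check firing.

```shell
#!/bin/sh
# Added example: summarise AVC denials as the allow rules they would become,
# and flag targets that a service like nrpe_t should never be granted.
# AVC_SAMPLE: line 1 is the post's denial, line 3 is a constructed one.
AVC_SAMPLE='type=AVC msg=audit(1517605342.101:88032): avc:  denied  { write } for  pid=7236 comm="check_zookeeper" path="/tmp/sh-thd-1517587323" dev="dm-0" ino=308042 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1517605342.101:88032): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1517605400.500:88040): avc:  denied  { read open } for  pid=7240 comm="check_zookeeper" path="/etc/shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# summarize_avc < audit-lines
# Emits one "allow <src> <tgt>:<class> { perms };" line per denied AVC record
# (deduplicated), i.e. the rule audit2allow would put into the .te file.
summarize_avc() {
  awk '
    $1 == "type=AVC" && /denied/ {
      perms = $0; sub(/.*denied[^{]*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":"); src = s[3]
      tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":"); tgt = t[3]
      cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
      printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }' | sort -u
}

# flag_sensitive_targets 'type_a|type_b' < audit-lines
# Prints the offending rules and returns 1 if any denial targets one of the
# listed types; returns 0 otherwise. The type list is yours to choose.
flag_sensitive_targets() {
  summarize_avc | awk -v pat="$1" '
    $3 ~ ("^(" pat "):") { print; bad = 1 }
    END { exit(bad ? 1 : 0) }'
}

# Demo on the constructed sample: show the rules, then check the target list.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
printf '%s\n' "$AVC_SAMPLE" | flag_sensitive_targets 'shadow_t|security_t' \
  || echo "do not install a blanket allow for these; fix labeling or the service instead"
```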