Creating, Updating Expiration of and Posting PGP Keys

Following are my notes and how-tos on creating, and managing PGP keys.

Here is a link to a website with some very good information and best practices for managing keys.

Most of this article deals with setting the expiration date on a set of keys to a reasonable time and how to update that date as time goes by.  You should set a reminder in whatever calendar system you use to update the expiration date a couple of weeks BEFORE the key actually expires.  I typically set my keys to expire in 13 months and set my calendar to remind me after 12 or so months.

Creating a key set and distributing your public key

As mentioned, and when prompted, set a reasonable expiration time.  Also create a revocation cert.  See the aforementioned link for details.

Create a key

gpg2 --gen-key

List keys

gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid                  Ryan Chapin <rchapin@nbinteractive.com>
sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

Distribute Public Key (use hkps, encrypted connection)

gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8

Searching for keys and verifying that they have been posted to a public keyserver

List your keys

gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid                  Ryan Chapin <rchapin@nbinteractive.com>
sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

The key ID of this public key is E5170CE8.  The 4096R indicates that it is a 4096-bit RSA key.

Searching for the key

To search for the key via a key server such as https://pgp.mit.edu/ enter the following in the search string

0xE5170CE8

Make sure to prefix the hex value of the key ID with 0x to indicate to the keyserver that it is a hex value and not an ASCII search string.

Update the expiration date of a key:

List your keys

gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid                  Ryan Chapin <rchapin@nbinteractive.com>
sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

Edit the key

gpg2 --edit-key E5170CE8

Select the key to edit, and then run the expire command

Select the amount of time after which the key will expire and follow the prompts to enter your passphrase.

gpg> key 0
gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 13m
Key expires at Thu 14 Mar 2019 08:42:22 AM EDT
Is this correct? (y/N) y
You need a passphrase to unlock the secret key for
user: "Ryan Chapin <rchapin@nbinteractive.com>"
4096-bit RSA key, ID E5170CE8, created 2015-03-26

Select the sub-key (key 1) and repeat the expire process

Save the key

gpg> save

Send the updated key to a keyserver

gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8

Or you can export an ASCII-armored copy of your public key and upload it via a trusted HTTPS keyserver.

gpg2 --armor --export <your-email-address> > <your-uid>.asc

Then you can upload it via a web interface similar to this one.
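To support the calendar-reminder advice above without reading the human-formatted listing by hand, here is an added example (not part of the original notes) that parses the machine-readable output of gpg2 --with-colons --list-keys and reports every primary key and sub-key whose expiry falls within a given number of days. The listing embedded below is constructed for the example; its key IDs and fingerprints are made up and only the expiry date mirrors the key shown above.

```shell
#!/bin/sh
# Constructed sample of `gpg2 --with-colons --list-keys` output.  Field 1 is the
# record type, field 5 the key ID and field 7 the expiry as a Unix epoch (empty
# when the key never expires).  Key IDs/fingerprints are invented for this example.
SAMPLE_LISTING='tru::1:1550000000:0:3:1:5
pub:u:4096:1:1111111111E5170CE8:1427371200:1552567342::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111E5170CE8:
uid:u::::1427371200::ABCDEF::Ryan Chapin <rchapin@nbinteractive.com>::::::::::0:
sub:u:4096:1:2222222222ABCDEF01:1427371200:1552567342:::::e::::::23:
pub:u:4096:1:3333333333DEADBEEF:1500000000:1600000000::u:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333333333DEADBEEF:
uid:u::::1500000000::123456::Other User <other@example.com>::::::::::0:
sub:u:4096:1:4444444444CAFEF00D:1500000000::::::e::::::23:'

# Read a colon listing on stdin and print "<keyid> <pub|sub> <days-left>" for every
# key that expires within $2 days of the reference epoch $1.  Already-expired keys
# show a negative days-left; keys with no expiry are skipped.
keys_expiring_within() {
    now="$1"; horizon_days="$2"
    awk -F: -v now="$now" -v horizon="$horizon_days" '
        ($1 == "pub" || $1 == "sub") && $7 != "" {
            days_left = int(($7 - now) / 86400)
            if (days_left <= horizon) printf "%s %s %d\n", $5, $1, days_left
        }'
}

# Run the check over the sample with a reference time of 2019-02-14 00:00 UTC
# (epoch 1550102400) and a 30-day warning horizon.  On a real system replace the
# sample with: gpg2 --with-colons --list-keys | keys_expiring_within "$(date +%s)" 30
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | keys_expiring_within 1550102400 30
}
```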

How To Compile and Install New SELinux Policy Modules

Following is a quick how-to on compiling and adding additional SELinux modules.

When configuring and deploying new and/or custom services on systems that are enforcing SELinux you will likely have to compile additional SELinux modules.

This how-to goes through each step of compiling a new module one by one, similar to breaking down the compilation of C and C++ code into its component steps.

Step 1:  Gather the audit.log entries

You will need to determine which action(s) SELinux is blocking.  To do so, you can tail the /var/log/audit/audit.log file.  You will see something similar to the following

type=AVC msg=audit(1517605342.101:88032): avc:  denied  { write } for  pid=7236 comm="check_zookeeper" path="/tmp/sh-thd-1517587323" dev="dm-0" ino=308042 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1517605342.101:88032): arch=c000003e syscall=2 success=no exit=-13 a0=1e2df10 a1=2c1 a2=180 a3=0 items=0 ppid=7232 pid=7236 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="check_zookeeper" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=PROCTITLE msg=audit(1517605342.101:88032): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F6E6167696F732F706C7567696E732F636865636B5F7A6F6F6B65657065722E7368002D2D73746174

Take that output and save it into a file.

Step 2: Generate the Type Enforcement (te) File From the Log Output

audit2allow -m new-module > new-module.te < audit-log-output

Step 3:  Check and Compile the SELinux Security Policy Module (mod) File From the .te File

checkmodule -M -m -o new-module.mod new-module.te

Step 4:  Create the SELinux Policy Module Package (pp) File From the .mod File

semodule_package -o new-module.pp -m new-module.mod

Step 5:  Install the SELinux Policy Module

semodule -i new-module.pp
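Before running the five steps above it is worth knowing exactly what the generated .te file will allow, so that a denial which really reflects a mislabelled file is not papered over with a new rule. The following added example (my own code, not part of the original how-to or of the SELinux tool set) turns the AVC record from Step 1 into the corresponding allow rule in .te syntax and decodes the hex-encoded PROCTITLE record into the command line that triggered the denial. The two audit records are the ones shown above, embedded inline so the functions run without access to /var/log/audit/audit.log.

```shell
#!/bin/sh
# The AVC and PROCTITLE records from Step 1, stored inline for the example.
SAMPLE_AUDIT='type=AVC msg=audit(1517605342.101:88032): avc:  denied  { write } for  pid=7236 comm="check_zookeeper" path="/tmp/sh-thd-1517587323" dev="dm-0" ino=308042 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=PROCTITLE msg=audit(1517605342.101:88032): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F6E6167696F732F706C7567696E732F636865636B5F7A6F6F6B65657065722E7368002D2D73746174'

# For every "denied" AVC line on stdin print the allow rule it implies, in the
# .te syntax used by policy modules: source type (3rd part of scontext), target
# type (3rd part of tcontext), object class and the permission set in braces.
avc_to_allow() {
    awk '
        /^type=AVC / && /denied/ {
            perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
        }'
}

# auditd hex-encodes proctitle when the argv contains non-printable bytes (the NUL
# separators between arguments always do).  Decode each hex pair back to a byte,
# rendering the NUL separators as spaces; a plain quoted title is printed as-is.
decode_proctitle() {
    awk '
        BEGIN { for (i = 1; i < 256; i++) chr[sprintf("%02X", i)] = sprintf("%c", i) }
        /^type=PROCTITLE / {
            hex = $0; sub(/.*proctitle=/, "", hex)
            if (hex ~ /^"/) { gsub(/"/, "", hex); print hex; next }
            sub(/ .*/, "", hex); out = ""
            for (i = 1; i <= length(hex); i += 2) {
                pair = toupper(substr(hex, i, 2))
                out = out (pair == "00" ? " " : chr[pair])
            }
            print out
        }'
}

# Wrappers over the inline sample; on a real host pipe audit.log lines instead.
sample_allow_rules() { printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow; }
sample_proctitle()   { printf '%s\n' "$SAMPLE_AUDIT" | decode_proctitle; }
```

The rule printed for the sample denial is what the Step 2 .te file will grant to every nrpe_t process, so check that it is the access you actually intend before building and installing the module.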