GnuPG programs RBAC policies
Posted: Mon Feb 06, 2017 12:09 pm
I actually started this three-post topic, by now already prepared, for this thread on the GnuPG mailing list (the title is not of my making):
"Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?"
https://lists.gnupg.org/pipermail/gnupg ... 57582.html
but very quickly I turned these into a topic for the Grsecurity Forums.
The first post shows just the simple method that I used to issue a few "gpg --recv-key" commands.
The second describes, to some extent (this topic is primarily about RBAC policy), the issue that I had with some keys.
The third post contains the actual policies.
title: GnuPG programs RBAC policies
---
I don't yet have a smartcard or such, and so I use a USB stick, so as not to keep my ~/.gnupg/ directory with my secret key available when I'm online.
I use a grsecurity-hardened kernel (the only way to save Linux from Linus, IMO), and I had issues with Gradm (grsecurity administration), which, while everybody says it is a breeze to configure compared to how hard the configuration of the NSA Linux, sorry, SELinux, is, is still hard for the not-so-advanced.
And upon the first configuration (called learning, actually done after automatic actual learning of the grsecurity itself on the actual machine), I was still getting "... denied ..." errors, like:
Code:
Feb 4 23:06:01 g0n kernel: [22705.364175] grsec: (miro:U:/usr/bin/gpg2) denied open of /the-usb-mount/.gnupg/trustdb.gpg for reading writing by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb 4 23:06:01 g0n kernel: [22705.523478] grsec: (miro:U:/usr/bin/gpg2) denied connect() to the unix domain socket /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb 4 23:06:01 g0n kernel: [22705.523677] grsec: (miro:U:/usr/bin/gpg2) denied create of /the-usb-mount/.gnupg/.#lk0x00000004da6be8c0.g0n.6643 for writing by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb 4 23:06:01 g0n kernel: [22705.525387] grsec: (miro:U:/usr/bin/gpg2) denied connect() to the unix domain socket /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb 5 03:14:02 g0n kernel: [37586.610995] grsec: (root:U:/etc/cron.daily) denied access to hidden file / by /usr/bin/gpg2[gpg:24341] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/rkhunter[rkhunter:24340] uid/euid:0/0 gid/egid:0/0
So more Gradm learning was due.
I made a list of some people's public keys, from the Mutt users mailing list, the Gentoo users ML and the GnuPG mailing list, and set off to perform more of the usual tasks so the system would know how to set up the policies.
It all took longer, but here are the final steps, because I'm curious about why two particular keys wouldn't be received the standard way like all the other keys from the list.
The list below is one line longer than the final list that the output and the log below pertain to (that one has no 3F533109A9509B14 line):
$ cat recv-keys.ls-1
Code:
3F533109A9509B14
8975A9B33AA37910385C5308ADEF768480316BDA
F16C6DC6A4078AFB
A5957FD8834573E2
943D25692DA0DAA497DF23BE47F55ECED035B287
92FEFDB7E44C32F9
4183F13493DF6F75
084509941B9789CE
ADEF768480316BDA
1C49C048DFBEAD02
9D106472D6D50DBA
AB35BA45F9995BB7
78930DB93043C26D
B3F351E09B93286F
So with this command (just a simple bash loop), I got the following output (I only replaced the actual domains with the string "some.domain" for protection), just without the first line of the list:
$ for i in $(cat recv-keys.ls-1); do gpg --recv-key $i ; done ;
Code:
gpg: key ADEF768480316BDA: public key "Kevin J. McCarthy kevin@some.domain" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg: key F16C6DC6A4078AFB: public key "Patrice Levesque plevesque@some.domain" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg: key A5957FD8834573E2: public key "Michelle Konzack (Primary EMail) michelle.konzack@some.domain" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: key 47F55ECED035B287: public key "Anton (ubernauten) therojam@some.domain" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: key 92FEFDB7E44C32F9: public key "Simon Ruderich simon@some.domain" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg: key 04562BC18DEFE336: public key "Thibaut Marty thibaut.marty@some.domain" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: key 084509941B9789CE: public key "georg@some.domain georg@some-other.domain" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: key ADEF768480316BDA: "Kevin J. McCarthy kevin@some.domain" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: key 1C49C048DFBEAD02: public key "Derek D. Martin ddm@some.domain" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg: key 9D106472D6D50DBA: public key "Thomas Glanzmann thomas@some.domain" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg: key AB35BA45F9995BB7: public key "Richard Zidlicky (key-2014) rz@some.domain" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg: key 78930DB93043C26D: public key "Ken Moffat (ntlworld address) zarniwhoop@some.domain" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: key B3F351E09B93286F: public key "Mark H. Wood (Journeyman Wizard) mwood@some.domain" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
$
That is the clean receiving upon successful reconfiguration of my /etc/grsec/policy, and issuing of the usual "gradm -E".
What I got in the logs for that event (thanks to exec_logging and audit_chdir being enabled) is:
Code:
Feb 5 22:46:27 g0n kernel: [53769.242600] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat recv-keys.ls-1 ) by /bin/cat[bash:32045] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
Feb 5 22:46:27 g0n kernel: [53769.245711] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key 8975A9B33AA37910385C5308ADEF768480316BDA ) by /usr/bin/gpg2[bash:32046] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
Feb 5 22:46:27 g0n kernel: [53769.249680] grsec: (miro:U:/usr/bin/gpg2) chdir to / by /usr/bin/gpg2[gpg:32047] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg2[gpg:32046] uid/euid:1000/1000 gid/egid:1000/1000
Feb 5 22:46:27 g0n kernel: [53769.250708] grsec: (miro:U:/usr/bin/dirmngr) exec of /usr/bin/dirmngr (dirmngr --daemon --homedir /home/miro/.gnupg ) by /usr/bin/dirmngr[gpg:32048] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 5 22:46:27 g0n kernel: [53769.256276] grsec: (miro:U:/usr/bin/dirmngr) chdir to / by /usr/bin/dirmngr[dirmngr:32049] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/dirmngr[dirmngr:32048] uid/euid:1000/1000 gid/egid:1000/1000
Feb 5 22:46:28 g0n kernel: [53770.251897] grsec: more alerts, logging disabled for 10 seconds
Feb 5 22:46:43 g0n kernel: [53785.309854] grsec: (miro:U:/usr/bin/gpg2) chdir to / by /usr/bin/gpg2[gpg:32051] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg2[gpg:32046] uid/euid:1000/1000 gid/egid:1000/1000
Feb 5 22:46:43 g0n kernel: [53785.310417] grsec: (miro:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/miro/.gnupg --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:32052] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 5 22:46:43 g0n kernel: [53785.312676] grsec: (miro:U:/usr/bin/gpg-agent) chdir to / by /usr/bin/gpg-agent[gpg-agent:32055] uid/euid:1000/1000 gid/egid:1000/1000, parent /[gpg-agent:32052] uid/euid:1000/1000 gid/egid:1000/1000
Feb 5 22:46:44 g0n kernel: [53786.314737] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key F16C6DC6A4078AFB ) by /usr/bin/gpg2[bash:32057] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
Feb 5 22:46:44 g0n kernel: [53786.318225] grsec: (miro:U:/usr/bin/dirmngr) denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp by /usr/bin/dirmngr[conn fd=5:32058] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 5 22:46:45 g0n kernel: [53787.033760] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key A5957FD8834573E2 ) by /usr/bin/gpg2[bash:32060] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
Feb 5 22:46:45 g0n kernel: [53787.041870] grsec: (miro:U:/usr/bin/dirmngr) denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp by /usr/bin/dirmngr[conn fd=5:32061] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 5 22:46:46 g0n kernel: [53787.790592] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key 943D25692DA0DAA497DF23BE47F55ECED035B287 ) by /usr/bin/gpg2[bash:32063] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
...[11 lines cut]...
Feb 5 22:46:51 g0n kernel: [53793.569630] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key B3F351E09B93286F ) by /usr/bin/gpg2[bash:32089] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
I only cut the lines where the only real difference was in the key being processed, and those lines are essentially the same as the immediately previous and the immediately following lines.
The issue, in the next post.
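As an added example (not from this post and not grsecurity's own tooling), a small Python parser for grsec audit lines of the shapes quoted above: it pulls the subject, the denied operation and the object out of each line, groups the denials per RBAC subject, and counts the "more alerts, logging disabled" notices, because whatever was denied inside such a rate-limit window never reached the log and a policy derived from the log alone will still miss it. The regexes are mine and cover only these line shapes; the sample lines are constructed after the ones in this post.

```python
import re
from collections import defaultdict

# Shape of the grsec lines quoted in this thread (regex constructed here, not grsecurity's own spec):
#   grsec: (user:roletype:subject) <message> by <exe>[comm:pid] uid/euid:.. gid/egid:.., parent <exe>[..]
HEADER_RE = re.compile(
    r"grsec: \((?P<user>[^:]+):(?P<roletype>[^:]+):(?P<subject>[^)]+)\) (?P<msg>.+?) "
    r"by (?P<exe>/[^\[\s]*)\[(?P<comm>[^\]]*):(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/\d+ "
    r"gid/egid:\d+/\d+, parent (?P<parent>/[^\[\s]*)\[")
MSG_RES = {  # message variants seen above: denials (file, unix socket, hidden file, tcp), exec, chdir
    "denied": re.compile(r"^denied (?P<op>[a-z_]+(?:\(\))?) "
                         r"(?:of |to the unix domain socket |to hidden file |to )(?P<obj>\S+)(?P<detail>.*)$"),
    "exec": re.compile(r"^exec of (?P<obj>\S+) \((?P<cmd>.*)\)$"),
    "chdir": re.compile(r"^chdir to (?P<obj>\S+)$"),
}
SUPPRESSED_RE = re.compile(r"grsec: more alerts, logging disabled for (?P<secs>\d+) seconds")

def parse_line(line):
    """Return a dict for one grsec audit line, or None if its shape is not handled here."""
    if s := SUPPRESSED_RE.search(line):
        return {"kind": "suppressed", "seconds": int(s["secs"])}
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = dict(m.groupdict(), pid=int(m["pid"]), uid=int(m["uid"]))
    for kind, rx in MSG_RES.items():
        if mm := rx.match(rec["msg"]):
            rec.update(kind=kind, **mm.groupdict())
            return rec
    return None

def denials_by_subject(lines):
    """Group denied (op, object, detail) per RBAC subject, i.e. what a learning run or hand-edited
    policy still has to cover; rate-limit notices are counted too, since those windows hide denials."""
    out, suppressed = defaultdict(set), 0
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "suppressed":
            suppressed += 1
        elif rec["kind"] == "denied":
            out[rec["subject"]].add((rec["op"], rec["obj"], rec["detail"].strip()))
    return dict(out), suppressed

SAMPLE = [  # constructed lines modelled on the ones quoted in this thread
    "Feb 4 23:06:01 g0n kernel: [22705.364175] grsec: (miro:U:/usr/bin/gpg2) denied open of /usb/.gnupg/trustdb.gpg for reading writing by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000",
    "Feb 4 23:06:01 g0n kernel: [22705.523478] grsec: (miro:U:/usr/bin/gpg2) denied connect() to the unix domain socket /usb/.gnupg/S.gpg-agent by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000",
    "Feb 5 03:14:02 g0n kernel: [37586.610995] grsec: (root:U:/etc/cron.daily) denied access to hidden file / by /usr/bin/gpg2[gpg:24341] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/rkhunter[rkhunter:24340] uid/euid:0/0 gid/egid:0/0",
    "Feb 5 22:46:27 g0n kernel: [53769.242600] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat recv-keys.ls-1 ) by /bin/cat[bash:32045] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000",
    "Feb 5 22:46:28 g0n kernel: [53770.251897] grsec: more alerts, logging disabled for 10 seconds",
    "Feb 5 22:46:44 g0n kernel: [53786.318225] grsec: (miro:U:/usr/bin/dirmngr) denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp by /usr/bin/dirmngr[conn fd=5:32058] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
]
```

Run `denials_by_subject(SAMPLE)` to get the per-subject set of denied accesses plus the number of suppression notices; a non-zero count means the log is incomplete for that period and the learning pass should be repeated with a lighter load.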