add additional details about OpenSSL-style keys

osquery · Apr 22, 2024 · 0939c0e · 0939c0e
1 parent 399bc10
commit 0939c0e
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/osquery/tables/system/ssh_keys.cpp b/osquery/tables/system/ssh_keys.cpp
@@ -57,6 +57,9 @@ bool isOpenSSHKeyEncrypted(const std::string& keys_content) {
 // if it's an openssh key.
 bool parsePrivateKey(const std::string& keys_content,
  int& key_type,
+ std::string& key_group_name,
+ std::string& key_length,
+ std::string& key_security_bits,
  bool& is_encrypted) {
  BIO* bio_stream = BIO_new(BIO_s_mem());
  auto const bio_stream_guard =
@@ -101,6 +104,17 @@ bool parsePrivateKey(const std::string& keys_content,
  return false;
  }
  key_type = EVP_PKEY_base_id(pkey);
+ key_length = std::to_string(EVP_PKEY_bits(pkey));
+ key_security_bits = std::to_string(EVP_PKEY_security_bits(pkey));
+ // openssl group names are all under 24 chars today, leave some extra room
+ char groupname[32];
+ size_t gname_len;
+ int status;
+ status =
+ EVP_PKEY_get_group_name(pkey, groupname, sizeof(groupname), &gname_len);
+ if (status) {
+ key_group_name.assign(groupname, gname_len);
+ }
  return true;
 }
 
@@ -153,15 +167,26 @@ void genSSHkeyForHosts(const std::string& uid,
  continue;
  }
  int key_type;
+ std::string key_group_name;
+ std::string key_length;
+ std::string key_security_bits;
  bool encrypted;
- bool parsed = parsePrivateKey(keys_content, key_type, encrypted);
+ bool parsed = parsePrivateKey(keys_content,
+ key_type,
+ key_group_name,
+ key_length,
+ key_security_bits,
+ encrypted);
  if (parsed) {
  Row r;
  r["pid_with_namespace"] = "0";
  r["uid"] = uid;
  r["path"] = kfile;
  r["encrypted"] = encrypted ? "1" : "0";
  r["key_type"] = keyTypeAsString(key_type);
+ r["key_group_name"] = key_group_name;
+ r["key_length"] = key_length;
+ r["key_security_bits"] = key_security_bits;
  results.push_back(r);
  }
  }

diff --git a/specs/user_ssh_keys.table b/specs/user_ssh_keys.table
@@ -6,6 +6,9 @@ schema([
  Column("path", TEXT, "Path to key file", index=True),
  Column("encrypted", INTEGER, "1 if key is encrypted, 0 otherwise"),
  Column("key_type", TEXT, "The type of the private key. One of [rsa, dsa, dh, ec, hmac, cmac], or the empty string."),
+ Column("key_group_name", TEXT, "The group of the private key. Supported for a subset of key_types implemented by OpenSSL"),
+ Column("key_length", INTEGER, "The cryptographic length of the cryptosystem to which the private key belongs, in bits. Definition of cryptographic length is specific to cryptosystem"),
+ Column("key_security_bits", INTEGER, "The number of security bits of the private key, bits of security as defined in NIST SP800-57"),
  ForeignKey(column="uid", table="users"),
 ])
 extended_schema(LINUX, [