Auditing the TPM
Matt Anderson
mra at hp.com
Thu Jan 3 23:22:39 UTC 2008
Steve Grubb wrote:
> On Thursday 03 January 2008 14:22:45 Matt Anderson wrote:
>> Has anyone in this community begun looking at what TPM events are
>> interesting from an audit perspective?
>
> Not that I know of. No one has contacted me for event types. Are there any
> standards that define what is supposed to be audited?
The Trusted Computing Group spec 1.2 allow for auditing events that the
TPM processes, but it only says that the owner should be able to set
which events get audited and which shouldn't, suggesting "There will be
a very limited number of audited commands, most likely those commands
that provide identities and control of the TPM. Commands such as unseal
would not be audited, they would use the logging functions of a
transport session."
Other than that spec I am unaware of other standards that might be
applicable. I will investigate that further, but if anyone can think of
any please let me know.
-matt
More information about the Linux-audit
mailing list