Steve Grubb wrote: > On Thursday 03 January 2008 14:22:45 Matt Anderson wrote: >> Has anyone in this community begun looking at what TPM events are >> interesting from an audit perspective? > > Not that I know of. No one has contacted me for event types. Are there any > standards that define what is supposed to be audited?
The Trusted Computing Group spec 1.2 allow for auditing events that the TPM processes, but it only says that the owner should be able to set which events get audited and which shouldn't, suggesting "There will be a very limited number of audited commands, most likely those commands that provide identities and control of the TPM. Commands such as unseal would not be audited, they would use the logging functions of a transport session." Other than that spec I am unaware of other standards that might be applicable. I will investigate that further, but if anyone can think of any please let me know. -matt -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
