[prev in list] [next in list] [prev in thread] [next in thread]
List: trousers-tech
Subject: Re: [TrouSerS-tech] TPM auditing
From: "Kent Yoder" <shpedoikal () gmail ! com>
Date: 2007-12-06 20:24:14
Message-ID: 499d6ed30712061224i1dd5c126v6fe15b939b461af7 () mail ! gmail ! com
[Download RAW message or body]
Hi Matt,
Sure, I'd be happy to accept an audit patch. We need to get the IMA
folks on board as well, so we can align how we'd audit things internal
to trousers with what we'd audit in IMA. If you'd like to send a
patch, just include a signed-off-by: line agreeing to our Developer's
Certificate of Origin: http://trousers.sourceforge.net/dco.text.
>
> > Hal Finney wrote:
> > > The one technical comment I can make is that the TPM device driver
> > > just sees a stream of bytes going to and coming from the device. It
> > > would not be in a position to log any of these events without trying
> > > to parse these bytes and in effect simulate the TPM to some degree. So
> > > that would be a much more difficult place to insert auditing commands.
Yep, we'll need to do the auditing somewhere above the DD for
exactly this reason.
> > I think for things like remote attestation requests that is certainly
> > true. From what I've seen so far an audit event like that needs to
> > happen in tcsd in order to have the most value. Especially when it
> > comes down to knowing things like the auid of the user which requested
> > the action.
From the tcsd's point of view, all its requests are anonymous. It
can tell if the request is remote or local, but knows nothing about
the process making the request (such as the uid). So we may need some
auditing in the TSP.
> > >> I have been experimenting with the TPM on some of my test systems and
> > >> have so far come up with this list of possible events that could be
> > >> interesting from a OS auditing perspective:
> > >>
> > >> * Taking Ownership
> > >> * Clearing Ownership
> > >> * Dis/Enabling the TPM
> > >> * Dis/Activating the TPM
> > >> * Recording PCR values at tcsd startup
> > >> * Adjustments to PCR values
It may not be possible to audit PCR changes exactly in the order
they were made (if this matters).
Kent
> > >> * Remote attestation connections/commands and their results
> > >> * Requests of the Public Endorsement Key (EK)
> > >> * Adjustments to the access controls on the EK
> > >> * Creating/Destroying the EK
> > >> * Changes to the TPM locked status (set/reset)
> > >>
> > >> That list is in no way intended to be exhaustive, so suggestions are
> > >> welcome. So far it seems like most of these would be audited from
> tcsd,
> > >> but perhaps some of them make more sense to be audited from within the
> > >> tpm device driver. What do you think?
> > >>
> > >> -matt
> > >>
> > >>
> > >>
> > >> Kent Yoder wrote:
> > >>> Hi Matt,
> > >>>
> > >>> Yes, this feature was for support of Audit as implemented by the
> TSS
> > >>> and TPM. We have no plans to add support for Linux auditing.
> > >>>
> > >>> Kent
> > >>>
> > >>> On Dec 3, 2007 12:32 PM, Matt Anderson <mra@hp.com> wrote:
> > >>>> Looking at the TSS 1.2 work list I saw Audit was listed as an item
> and
> > >>>> that Tom Lendacky had the features in CVS. From what I've seen in
> the
> > >>>> code this seems to be internal TSS auditing as opposed to work to
> > >>>> integrate with Linux's light weight audit framework
> > >>>> http://people.redhat.com/sgrubb/audit/ is that correct? Is anyone
>
>
> > >>>> currently working on adding that integration?
> > >>>>
> > >>>> -matt
> > >>>>
> > >>>>
> -------------------------------------------------------------------------
> > >>>> SF.Net email is sponsored by: The Future of Linux Business White
> Paper
> > >>>> from Novell. From the desktop to the data center, Linux is going
> > >>>> mainstream. Let it simplify your IT future.
> > >>>> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
>
>
> > >>>> _______________________________________________
> > >>>> TrouSerS-tech mailing list
> > >>>> TrouSerS-tech@lists.sourceforge.net
> > >>>> https://lists.sourceforge.net/lists/listinfo/trousers-tech
> > >>>>
> > >>>
> > >>>
> > >>
> > >>
> -------------------------------------------------------------------------
> > >> SF.Net email is sponsored by: The Future of Linux Business White Paper
> > >> from Novell. From the desktop to the data center, Linux is going
> > >> mainstream. Let it simplify your IT future.
> > >> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> > >> _______________________________________________
> > >> TrouSerS-tech mailing list
> > >> TrouSerS-tech@lists.sourceforge.net
> > >> https://lists.sourceforge.net/lists/listinfo/trousers-tech
> > >>
> >
> >
> > -------------------------------------------------------------------------
> > SF.Net email is sponsored by: The Future of Linux Business White Paper
> > from Novell. From the desktop to the data center, Linux is going
> > mainstream. Let it simplify your IT future.
> > http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> > _______________________________________________
> > TrouSerS-tech mailing list
> > TrouSerS-tech@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/trousers-tech
>
--
Kent Yoder
IBM LTC Security Dev.
-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
TrouSerS-tech mailing list
TrouSerS-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/trousers-tech
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic