Steve Grubb wrote:
On Thursday 03 January 2008 14:22:45 Matt Anderson wrote:
> Has anyone in this community begun looking at what TPM events are
> interesting from an audit perspective?
Not that I know of. No one has contacted me for event types. Are there any
standards that define what is supposed to be audited?
The Trusted Computing Group spec 1.2 allow for auditing events that the
TPM processes, but it only says that the owner should be able to set
which events get audited and which shouldn't, suggesting "There will be
a very limited number of audited commands, most likely those commands
that provide identities and control of the TPM. Commands such as unseal
would not be audited, they would use the logging functions of a
transport session."
Other than that spec I am unaware of other standards that might be
applicable. I will investigate that further, but if anyone can think of
any please let me know.
-matt