Greetings. Are there automated methods for assessing TPM posture?
For example - verify the TPM is: enabled, activated, contains a unique EK (i.e. tpm_getpubek is not reflective of known compliance vector fragments).
(I apologize in advance if this question is off topic or common knowledge.)
Best Regards, Brent
ref:
oval.mitre.org/community/docs/OVAL-and-TPM-06-14-2010.pdf
scap.nist.gov/events/2011/saddsp/presentations/Charles_Schmidt-Trusted_Computing_in_OVAL.pdf
scap.nist.gov/events/2012/itsac/presentations/day2/4Oct_1145am_Boyle.pdf
csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2014.pdf
cryptotronix.com/2014/08/28/compliance_mode/
THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR EXEMPT FROM DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to any privilege have been waived. If you are not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying, conversion to hard copy, taking of action in reliance on or other use of this communication is strictly prohibited. If you are not the intended recipient and have received this message in error, please notify me by return e-mail and delete or destroy all copies of this message.
Hi Brent,
We're working on this right now in the SIMP project https://simp-project.com .
We will be providing a set of custom Facter facts to gather this information and report it back for automated configuration.
Thanks,
Trevor
On Fri, Jul 15, 2016 at 1:17 PM, Brent Kimberley Brent.Kimberley@durham.ca wrote:
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorah... https://github.com/OpenSCAP/scap-security-guide/
Hi Trevor. Thanks. I will check it out.
FYI, I found a couple of references at scaprepo.com tracing to Windows 2012.
E.g. Oval:org.secpod.oval:def:38125 / cce-37631-9
However, at first glance they did not appear to be very granular.
Aside: I envisioned the following 'wag' acceptance strawman:
* dumping the state of (significant/published/relevant) TPM registers;
* dumping the state of any TPM-relevant config item elements such as BOOT/init/OS/app/data/master-data;
* validating the dumped elements against TPM spec(s);
* computing generic statistics; and,
* 'optionally', computing specific statistics by validating the dumped elements against published errata.
From: Trevor Vaughan Sent: Wednesday, July 27, 2016 19:00 To: SCAP Security Guide Reply To: SCAP Security Guide Subject: Re: TPM posture inquiry
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
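The two approaches in this thread (Trevor's Facter facts that gather TPM state, and Brent's strawman of dumping the relevant registers and validating them) can be combined in one small collector. What follows is an added example, not SIMP project code and not anything posted in the thread: a Ruby script that reads the TPM 1.2 attributes the Linux kernel exposes under /sys/class/tpm/tpm0/device (enabled, active, owned, temp_deactivated, pubek), fingerprints the EK modulus, checks that fingerprint against a denylist of known test-vector EKs, and registers the result as a structured Facter fact when it is loaded by Facter. The layout of the pubek dump that the parser expects, the denylist entry, and the sample sysfs tree the demo builds in a temporary directory are all assumptions constructed for the example; a real deployment would load the denylist from the TPM vendor's published compliance/test keys.

```ruby
#!/usr/bin/env ruby
# Added example (not SIMP code): TPM 1.2 posture from the kernel's sysfs
# attributes, optionally exposed as a Facter fact.
require 'digest'
require 'tmpdir'

TPM_SYSFS = '/sys/class/tpm/tpm0/device'.freeze

# CONSTRUCTED stand-in for a vendor-published compliance/test EK modulus.
# Real deployments load the fingerprints of the actual test vectors here.
TEST_VECTOR_MODULUS = ([0x01, 0x02].pack('C*') * 128).freeze
KNOWN_TEST_EK_FINGERPRINTS = [Digest::SHA256.hexdigest(TEST_VECTOR_MODULUS)].freeze

# Read one sysfs attribute; nil when absent or unreadable (e.g. not root).
def read_attr(dir, name)
  path = File.join(dir, name)
  return nil unless File.readable?(path)
  File.read(path).strip
end

# Parse a pubek dump assumed to look like the kernel's: header lines, then a
# "Modulus:" line followed by rows of hex bytes. Returns the modulus as bytes.
def parse_pubek_modulus(text)
  return nil if text.nil?
  idx = text.index(/Modulus:/)
  return nil unless idx
  hex = text[idx..-1].sub(/Modulus:/, '').scan(/\b[0-9a-f]{2}\b/i)
  return nil if hex.empty?
  hex.map { |h| h.to_i(16) }.pack('C*')
end

# Collect posture: flags as booleans, EK fingerprint, denylist hit, verdict.
def tpm_posture(dir = TPM_SYSFS)
  posture = { 'present' => File.directory?(dir) }
  return posture unless posture['present']

  %w[enabled active owned temp_deactivated].each do |flag|
    v = read_attr(dir, flag)
    posture[flag] = v.nil? ? nil : (v == '1')
  end

  modulus = parse_pubek_modulus(read_attr(dir, 'pubek'))
  if modulus
    fp = Digest::SHA256.hexdigest(modulus)
    posture['ek_modulus_bits'] = modulus.bytesize * 8
    posture['ek_fingerprint'] = fp
    posture['ek_known_test_key'] = KNOWN_TEST_EK_FINGERPRINTS.include?(fp)
  else
    posture['ek_fingerprint'] = nil
    posture['ek_known_test_key'] = nil   # EK unreadable: cannot vouch for it
  end

  # Compliant only if enabled, active, not temporarily deactivated, and the
  # EK was readable and is not a known test/compliance key.
  posture['compliant'] = posture['enabled'] == true &&
                         posture['active'] == true &&
                         posture['temp_deactivated'] == false &&
                         posture['ek_known_test_key'] == false
  posture
end

# Register as a structured fact when this file is loaded by Facter.
Facter.add(:tpm_posture) { setcode { tpm_posture } } if defined?(Facter)

# Build a CONSTRUCTED sysfs-style tree for offline testing of the collector.
def write_fixture(dir, enabled: '1', active: '1', owned: '0',
                  temp_deactivated: '0', modulus: nil)
  { 'enabled' => enabled, 'active' => active, 'owned' => owned,
    'temp_deactivated' => temp_deactivated }.each do |name, value|
    File.write(File.join(dir, name), "#{value}\n")
  end
  return unless modulus
  rows = modulus.bytes.each_slice(16).map { |r| r.map { |b| format('%02X', b) }.join(' ') }
  File.write(File.join(dir, 'pubek'),
             "Algorithm: 00 00 00 01\nModulus length: #{modulus.bytesize}\n" \
             "Modulus:\n#{rows.join("\n")}\n")
end

# Stand-alone demo: a healthy constructed TPM followed by one carrying the
# constructed test-vector EK.
def demo
  good = Dir.mktmpdir { |d| write_fixture(d, modulus: [0xA5, 0x5A].pack('C*') * 128); tpm_posture(d) }
  bad  = Dir.mktmpdir { |d| write_fixture(d, modulus: TEST_VECTOR_MODULUS); tpm_posture(d) }
  [good, bad]
end

demo.each { |r| puts r.inspect } if __FILE__ == $PROGRAM_NAME
```

Two caveats when pointing this at real hardware. The kernel fills the pubek attribute with the unauthenticated TPM_ReadPubek command, which an owner can disable, so on an owned TPM the attribute may be empty and the EK has to be fetched with tpm_getpubek using owner authorisation (the script then reports the EK as unreadable and the host as non-compliant rather than guessing). TPM 2.0 devices do not expose enabled/active/pubek in sysfs at all; the equivalent checks there go through tpm2-tools rather than these files.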
How do you manage all the keys for all different devices?
Thanks,
Brett
Hi Brett. You may want to take a look at Owl CTI. ;-) http://www.owlcti.com/whitepapers/12-6_11-A-WP.pdf
From: PFROMMER, BRETT C [mailto:BRETT.PFROMMER@cbp.dhs.gov] Sent: Thursday, July 28, 2016 12:38 PM To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: RE: TPM posture inquiry