Software Inventory

Software Identification Tags

A Software Inventory consists of all software packages currently installed on an endpoint and is usually described using ISO/IEC 19770-2:2015 SWID Tags of the form:

Example of a Software Identification (SWID) Tag
<SoftwareIdentity xmlns=""
   name="bash" xml:lang="en-US" tagId="Ubuntu_20.04-x86_64-bash-5.0-6ubuntu1.1"
   version="5.0-6ubuntu1.1" versionScheme="alphanumeric">
  <Entity name="strongSwan Project" regid="" role="tagCreator"/>
  <Meta product="Ubuntu 20.04 x86_64"/>
  <Payload n8060:pathSeparator="/" n8060:envVarPrefix="$" n8060:envVarSuffix="">
    <Directory root="/" name="bin">
      <File name="bash" size="1183448"
      <File name="rbash" size="1183448"
    <Directory root="/" name="etc">
      <File name="bash.bashrc" n8060:mutable="true" size="2319"

The SWID tag shown above describes version 5.0-6ubuntu1.1 of the Ubuntu 20.04 software package bash for the x86_64 architecture. The tag optionally contains SHA-2 file hashes that can be used as reference values for remote attestation. The unique tag identifier is Ubuntu_20.04-x86_64-bash-5.0-6ubuntu1.1. For more details on SWID tags see NISTIR 8060.

Software Inventory Attributes

The Software Inventory Message and Attributes (SWIMA) for PA-TNC (RFC 8412) standard is an extension of RFC 5792 and defines in the IETF namespace a new SWIMA Attributes PA-TNC message subtype and the following new PA-TNC attributes

- SWIMA Request
- Software Inventory
- Software Identifier Inventory
- Software Events
- Software Identifier Events
- Subscription Status Request
- Subscription Status Response
- Source Metadata Request
- Source Metadata Response

By sending a SWIMA Request attribute, a SWIMA IMV can request from a SWIMA IMC either a complete Software Inventory consisting of SWID tags or a more compact Software Identifier Inventory made of the tag identifiers, only. Alternatively Software Events or Software Identifier Events can be requested. It is also possible to establish Subscriptions which obliges a SWIMA IMC to immediately send changes in the Software Inventory or new Software Events to the SWIMA IMV as soon as they occur.

Software Inventory Client

There are two ways how the strongSwan Software Inventory Client functionality can be used to determine the current state of the software inventory on an endpoint:

  • Collocated with a strongSwan VPN client (Network Access Requestor) running a charon daemon that communicates over IKEv2 EAP (PT-EAP).

  • The stand-alone pt-tls-client communicating over TLS (PT-TLS).

In both cases the SWIMA IMC is required to manage the software inventory measurements on the TNC client.

Software Inventory Server

There are two ways how the strongSwan Software Inventory Server functionality can can be used to manage the software inventory of associated endpoints:

  • Collocated with a strongSwan VPN gateway (Policy Enforcement Point) running a charon daemon that communicates over IKEv2 EAP (PT-EAP).

  • A stand-alone strongSwan Policy Decision Point (PDP) based on a skeleton charon daemon with the tnc-pdp plugin communicating either over TLS (PT-TLS) or RADIUS (IF-PEP).

In both cases the SWIMA IMV is required to manage the software inventory measurements on the TNC server.

strongTNC Software Inventory Database

Software Tag ID Policy

In order to collect Software Identifiers of all software packages installed on the associated enpoints, we define a SWID Tag IDs policy enforcement for the Default group in the strongTNC policy manager tool.

Software Tag ID Policy
Figure 1. SWID Tag IDs Policy Enforcement for the Default Group

Software Identifier Collection

When the TNC Client connects to the home network for the first time the current state of the Software Inventory in the form of Software Events is requested

Software ID Collection Report
Figure 2. Successful Collection of Software Identifier Inventory

We see that currently 176 software packages are installed on the TNC Client endpoint. When we click on the Most recent session we see the session details

Software ID Collection Session
Figure 3. Software ID Collection Session

In the session 395 Software Identifier Events and 111 SWID Tags were collected.

Software Events View

When we scroll down in the device report for the TNC Client, we see a list of collected Software Events.

Software Events
Figure 4. Software Events

These Software Events are time-stamped. Let’s select the ones from Feb 17 02:18:54 2021

Software Event Details
Figure 5. Software Event Details

The event details show the update of the three Ubuntu 20.04 packages apt, base-files and bash on Feb 17 02:18:54 2021.

SWID Tag View

When we click on the Ubuntu_20.04-x86_64-bash-5.0-6ubuntu1.1 tag ID of the freshly installed bash package, we see the details of its SWID tag

Ubuntu 20.04 bash SWID Tag
Figure 6. SWID Tag Details of Version 5.0-6ubuntu1.1 of the Ubuntu 20.04 bash Package

When we press the blue button the raw XML-encoded SWID tag is shown

Ubuntu 20.04 raw bash SWID Tag
Figure 7. Raw XML-encoded SWID Tag of the Ubuntu 20.04 bash Package

File Information View

Each SWID tag contains a complete list of the files contained in the software packages including the path where the file is going to be installed in the file system of the endpoint. When we click on the /bin/bash file we see the file details

Details of the /bin/bash File
Figure 8. Details of the /bin/bash File

We see that the SHA-256 hash of the file has been extracted from the SWID tag and can be used as a reference value for Remote Attestation.

Package View

When we click on the bash package name we see what versions of this package have been registered up to now

Details of the /bin/bash File
Figure 9. Details of the /bin/bash File

Security Updates

The sec-updater tool is periodically run to get security updates from the Debian, Ubuntu and Raspian websites. After such a security update the device report of the TNC Client shows the that 25 vulnerable software packages have been detected

Device Report after Security Updater Run
Figure 10. Device Report after Security Updater Run

At the bottom of the device report the versions of the vulnerable software packages that are installed on the device are listed

Vulnerable Software Package Versions
Figure 11. Vulnerable Software Package Versions

Updated Package Information

The sec-updater tool automatically generates SWID tags for the updated software package that fix a vulnerability. Thus due to the following bash vulnerability the Ubuntu 20.04 package has been updated

Vulnerable bash Package Versions
Figure 12. Vulnerable bash Package Versions

Of course the SHA-2 file hashes of the updated software package are also available

Updated /bin/bash File Hashes
Figure 13. Updated /bin/bash File Hashes