Service Audit Logs
Each operation that occurs on a Luna Cloud HSM Service is recorded in the Data Protection on Demand (DPoD) log system. Luna Cloud HSM Service audit logs are available through the DPoD Audit Query API. Luna Cloud HSM Services generate use-case-specific `source`, `resourceid`, `actorid`, `action`, `status`, and `meta` audit log values. This document describes the Luna Cloud HSM Service audit log values.
Luna Cloud HSM Service users can generate audit log files and retrieve signed URLs for access to the audit log files using the DPoD Audit Query API. See the DPoD Audit Query API documentation for more information about common audit log values and using the Audit Query API.
Caution
Audit logs are supported for Luna Cloud HSM Services using client version 10.2 or newer.
Note
Luna Cloud HSM Service audit logs record entries with one-second resolution. As a result, multi-part operations whose individual commands run within the same second may appear out of order in the audit log file.
source
The `source` of the audit log is the Luna Cloud HSM Service partition. Luna Cloud HSM Service audit logs return the `source` value `thales/cloudhsm/<partitionID>`.
resourceid
The `resourceid` is the `serviceid` of the Luna Cloud HSM Service. You can use `GET /v1/service_instances` to list your service ids. See List Provisioned Services in Using the API for more information.
actorid
The `actorid` is the `clientID` of the Luna Cloud HSM Client that took the action on the Luna Cloud HSM Service partition. You can use `GET /v1/service_instances/{serviceid}/bindings` to list the client ids for a service. See the DPoD Platform API and Using the API for more information. The `clientId` is also available in the REST section of the client chrystoki.conf file.
action
A short code describing the `action` taken on the service. The following is a complete list of actions recorded by the audit log system:
| Action | Description |
|---|---|
| LUNA_CANCEL_CRYPTO_OPERATION | Cancels the crypto operation. |
| LUNA_CLONE_AS_SOURCE | Clones an object from the source token. |
| LUNA_CLONE_AS_TARGET | Clones an object to the target token. |
| LUNA_CLONE_AS_TARGET_INIT | Initializes cloning an object to the target token. |
| LUNA_CLONE_CONFIGURE_POLICY | Enables and disables cloning cipher suites. |
| LUNA_CLONE_GET_POLICY | Queries the status and the names of all cloning cipher suites. |
| LUNA_CREATE_OBJECT | Creates an object. |
| LUNA_DECRYPT | Decrypts encrypted data. |
| LUNA_DECRYPT_END | Finishes a decryption operation. |
| LUNA_DECRYPT_INIT | Initializes a decryption operation. |
| LUNA_DECRYPT_SINGLEPART | Decrypts encrypted single-part data. |
| LUNA_DERIVE_KEY | Derives a key from a base key. |
| LUNA_DERIVE_KEY_AND_WRAP | Derives a key from a base key and wraps (encrypts) the derived key. |
| LUNA_DESTROY_OBJECT | Destroys an object. |
| LUNA_DIGEST | Digests single-part data. |
| LUNA_DIGEST_END | Finishes a multiple-part digesting operation. |
| LUNA_DIGEST_INIT | Initializes a message-digesting operation. |
| LUNA_DIGEST_KEY | Digests a key. |
| LUNA_DIGEST_KEY_VALUE | Digests a key value. |
| LUNA_ENCRYPT | Encrypts data. |
| LUNA_ENCRYPT_END | Finishes a multiple-part encryption operation. |
| LUNA_ENCRYPT_INIT | Initializes a multiple-part encryption operation. |
| LUNA_ENCRYPT_SINGLEPART | Encrypts single-part data. |
| LUNA_GENERATE_DOMAIN_PARAM | Generates domain parameters. |
| LUNA_GENERATE_KEY | Generates a secret key. |
| LUNA_GENERATE_KEY_PAIR | Generates a public-key/private-key pair. |
| LUNA_GEN_KCV | Generates a key check value (KCV). |
| LUNA_INIT_PIN | Initializes the user's PIN. |
| LUNA_LOGIN | Logs in to a token. |
| LUNA_MODIFY_OBJECT | Updates an object. |
| LUNA_PARTITION_INIT | Initializes the HSM partition. |
| LUNA_PARTITION_ZEROIZE | Zeroizes the HSM partition. |
| LUNA_REPLICATE_AS_SOURCE | Replicates an object from the source token. |
| LUNA_REPLICATE_AS_TARGET | Replicates an object to the target token. |
| LUNA_REPLICATE_AS_TARGET_INIT | Initializes replicating an object to the target token. |
| LUNA_SET_PIN | Modifies the PIN of the current user. |
| LUNA_SIGN | Signs data. |
| LUNA_SIGN_END | Finishes a multi-part sign operation. |
| LUNA_SIGN_INIT | Initializes a multi-part sign operation. |
| LUNA_SIGN_SINGLEPART | Signs single-part data. |
| LUNA_UNWRAP_KEY | Unwraps a key. |
| LUNA_VERIFY | Verifies a signature on data. |
| LUNA_VERIFY_END | Finishes a multi-part verification operation. |
| LUNA_VERIFY_INIT | Initializes a multi-part verification operation. |
| LUNA_VERIFY_SINGLEPART | Verifies a signature on single-part data. |
| LUNA_WRAP_KEY | Wraps a key. |
status
The outcome of the action taken on the service. If the action is successful, the audit log `status` value is:

```json
"status": "LUNA_RET_OK"
```

See Cryptographic Module and Token Return Codes for more information.
meta
The `meta` section of a Luna Cloud HSM Service audit log includes values for:
- `clientip` - the egress IP address of the client that initiated the action.
- `hsmid` - the serial number of the HSM where the action took place.
- `ouids` - the object identifier of the target of the action. This value may be null.
- `partid` - the serial number of the partition where the action took place.
- `role` - the lunacm user short code (PO, CO, CU) of the role that initiated the action. If no authentication is associated with the action, the `role` value is `public`.
The following is an example of a Luna Cloud HSM Service audit log `meta` section. Note that `meta` is delivered as a JSON-encoded string inside the record, so its inner quotes are escaped:

```json
"meta":
"{
\"clientip\":\"XX.XXX.XXX.XXX\",
\"hsmid\":\"XXXXXX\",
\"ouids\":\"XXXXXXXXXXXX\",
\"partid\":\"XXXXXXXXXXXXX\",
\"role\":\"CO\"
}"
```
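Because `meta` arrives as an escaped JSON string nested inside the record, and `source` carries the partition id behind a fixed prefix, a consumer of these logs has to decode both before it can filter on them. The following is an added example of a small triage pass over records shaped like the fields described on this page; it is not Thales or DPoD code. The records, ip addresses, ids and the non-OK status string are constructed sample values, and the set of actions treated as "sensitive" (zeroize, PIN changes, object destruction, key export by wrap or clone) is this example's own choice, not anything the page prescribes.

```python
import json
from collections import Counter

# Constructed sample records. Field names follow the page (source, resourceid,
# actorid, action, status, meta); every value below is made up for the example,
# and "meta" is stored as a JSON string to mirror the escaped form in the log.
SAMPLE_RECORDS = [
    {"source": "thales/cloudhsm/PARTITION-1", "resourceid": "svc-example-1",
     "actorid": "client-a", "action": "LUNA_LOGIN", "status": "LUNA_RET_OK",
     "meta": json.dumps({"clientip": "203.0.113.10", "hsmid": "HSM-EXAMPLE",
                         "ouids": None, "partid": "PART-EXAMPLE", "role": "CO"})},
    {"source": "thales/cloudhsm/PARTITION-1", "resourceid": "svc-example-1",
     "actorid": "client-a", "action": "LUNA_SIGN_SINGLEPART", "status": "LUNA_RET_OK",
     "meta": json.dumps({"clientip": "203.0.113.10", "hsmid": "HSM-EXAMPLE",
                         "ouids": "OUID-EXAMPLE-1", "partid": "PART-EXAMPLE", "role": "CO"})},
    {"source": "thales/cloudhsm/PARTITION-1", "resourceid": "svc-example-1",
     "actorid": "client-b", "action": "LUNA_LOGIN", "status": "LUNA_RET_FAILURE_PLACEHOLDER",
     "meta": json.dumps({"clientip": "198.51.100.7", "hsmid": "HSM-EXAMPLE",
                         "ouids": None, "partid": "PART-EXAMPLE", "role": "public"})},
    {"source": "thales/cloudhsm/PARTITION-1", "resourceid": "svc-example-1",
     "actorid": "client-b", "action": "LUNA_LOGIN", "status": "LUNA_RET_FAILURE_PLACEHOLDER",
     "meta": json.dumps({"clientip": "198.51.100.7", "hsmid": "HSM-EXAMPLE",
                         "ouids": None, "partid": "PART-EXAMPLE", "role": "public"})},
    {"source": "thales/cloudhsm/PARTITION-1", "resourceid": "svc-example-1",
     "actorid": "client-a", "action": "LUNA_PARTITION_ZEROIZE", "status": "LUNA_RET_OK",
     "meta": json.dumps({"clientip": "203.0.113.10", "hsmid": "HSM-EXAMPLE",
                         "ouids": None, "partid": "PART-EXAMPLE", "role": "PO"})},
]

# Actions this example chooses to surface for review (an assumption of the
# example, not a classification the page makes): partition lifecycle, PIN
# changes, object destruction, and operations that move key material out.
SENSITIVE_ACTIONS = {
    "LUNA_PARTITION_ZEROIZE", "LUNA_PARTITION_INIT",
    "LUNA_SET_PIN", "LUNA_INIT_PIN",
    "LUNA_DESTROY_OBJECT",
    "LUNA_WRAP_KEY", "LUNA_DERIVE_KEY_AND_WRAP",
    "LUNA_CLONE_AS_SOURCE", "LUNA_REPLICATE_AS_SOURCE",
}

SOURCE_PREFIX = "thales/cloudhsm/"
OK_STATUS = "LUNA_RET_OK"


def partition_from_source(source):
    """Return the <partitionID> part of a 'thales/cloudhsm/<partitionID>' source, or None."""
    if isinstance(source, str) and source.startswith(SOURCE_PREFIX):
        return source[len(SOURCE_PREFIX):]
    return None


def decode_meta(meta_field):
    """Decode the meta field, which is a JSON string nested inside the record."""
    if meta_field is None:
        return {}
    if isinstance(meta_field, dict):  # already decoded by an upstream tool
        return meta_field
    return json.loads(meta_field)


def parse_record(record):
    """Return a copy of the record with meta decoded and the partition id extracted."""
    parsed = dict(record)
    parsed["meta"] = decode_meta(record.get("meta"))
    parsed["partition"] = partition_from_source(record.get("source"))
    return parsed


def review(records):
    """Triage a batch of records: failed actions, sensitive actions, login failures per client."""
    parsed = [parse_record(r) for r in records]
    failed = [r for r in parsed if r.get("status") != OK_STATUS]
    sensitive = [r for r in parsed if r.get("action") in SENSITIVE_ACTIONS]
    # Repeated LUNA_LOGIN failures from one actorid/egress IP pair are worth a look.
    login_failures = Counter(
        (r.get("actorid"), r["meta"].get("clientip"))
        for r in failed if r.get("action") == "LUNA_LOGIN"
    )
    return {"failed": failed, "sensitive": sensitive, "login_failures": login_failures}


if __name__ == "__main__":
    result = review(SAMPLE_RECORDS)
    for r in result["failed"]:
        print("FAILED  ", r["actorid"], r["action"], r["status"], r["meta"].get("clientip"))
    for r in result["sensitive"]:
        print("SENSITIVE", r["actorid"], r["action"], "role=" + str(r["meta"].get("role")),
              "partition=" + str(r["partition"]))
    for (actor, ip), n in result["login_failures"].items():
        print("LOGIN FAILURES", actor, ip, n)
```

Decoding `meta` once in `parse_record` is the point: until the inner string is parsed, `role`, `clientip` and `ouids` are not addressable fields, and a filter written against the raw record silently matches nothing. The `ouids` value may be null, as the page notes, so the example keeps it as `None` rather than treating its absence as an error.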