Audit Log Categories and HSM Events
This section provides a summary of the audit log categories and their associated HSM events.
Partition Role IDs
If you are using a Luna Network HSM 7 with Luna HSM Firmware 7.7.0 or newer and Luna HSM Client 10.3.0 or newer, the HSM event log reports events with the following IDs assigned to each partition role:
Administrative Partition Role IDs
Partition Role | Role ID |
---|---|
Administrator | 0 |
HSM Security Officer | 1 |
Auditor | 8 |
Application Partition Role IDs
Partition Role | Role ID |
---|---|
Partition Security Officer | 1 |
Crypto Officer | 0 |
Limited Crypto Officer | 9 |
Crypto User | 5 |
HSM Access
HSM Event | Description |
---|---|
LUNA_LOGIN | C_Login. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
LUNA_LOGOUT | C_Logout. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
LUNA_LOGOUT_OTHER | C_LogoutOther. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
LUNA_MODIFY_OBJECT | C_SetAttributeValue |
LUNA_OPEN_SESSION | C_OpenSession. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
LUNA_CLOSE_ALL_SESSIONS | C_CloseAllSessions |
LUNA_CLOSE_SESSION | C_CloseSession. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
LUNA_OPEN_ACCESS | CA_OpenApplicationID |
LUNA_CLEAN_ACCESS | CA_Restart, CA_RestartForContainer |
LUNA_CLOSE_ACCESS | CA_CloseApplicationID |
LUNA_LOAD_CUSTOM_MODULE | CA_LoadModule |
LUNA_LOAD_ENCRYPTED_CUSTOM_MODULE | CA_LoadEncryptedModule |
LUNA_UNLOAD_CUSTOM_MODULE | CA_UnloadModule |
LUNA_EXECUTE_CUSTOM_COMMAND | CA_PerformModuleCall |
LUNA_HA_LOGIN | CA_HAGetLoginChallenge, CA_HAAnswerLoginChallenge, CA_HALogin, CA_HAAnswerMofNChallenge, HAActivateMofN |
Log External
HSM Event | Description |
---|---|
LUNA_LOG_EXTERNAL | CA_LogExternal |
HSM Management
HSM Event | Description |
---|---|
LUNA_ZEROIZE | CA_FactoryReset. This event is logged unconditionally. |
LUNA_INIT_TOKEN | C_InitToken. This event is logged unconditionally. |
LUNA_SET_PIN | C_SetPIN |
LUNA_INIT_PIN | C_InitPIN |
LUNA_CREATE_CONTAINER | CA_CreateContainer |
LUNA_DELETE_CONTAINER | CA_DeleteContainer, CA_DeleteContainerWithHandle |
LUNA_SEED_RANDOM | C_SeedRandom |
LUNA_EXTRACT_CONTEXTS | C_GetOperationState |
LUNA_INSERT_CONTEXTS | C_SetOperationState |
LUNA_SELF_TEST | C_PerformSelfTest |
LUNA_LOAD_CERT | CA_SetTokenCertificateSignature |
LUNA_HA_INIT | CA_HAInit |
LUNA_SET_HSM_POLICY | CA_SetHSMPolicy |
LUNA_SET_DESTRUCTIVE_HSM_POLICY | CA_SetDestructiveHSMPolicy |
LUNA_SET_CONTAINER_POLICY | CA_SetContainerPolicy |
LUNA_SET_CAPABILITY | Internal, for capability update |
LUNA_CREATE_LOGIN_CHALLENGE | CA_CreateLoginChallenge |
LUNA_REQUEST_CHALLENGE | CA_SIMInsert, CA_SIMMultiSign |
LUNA_PED_INIT_RPV | CA_InitializeRemotePEDVector |
LUNA_PED_DELETE_RPV | CA_DeleteRemotePEDVector |
LUNA_MTK_LOCK | Internal, for manufacturing |
LUNA_MTK_UNLOCK_CHALLENGE | Internal, for manufacturing |
LUNA_MTK_UNLOCK_RESPONSE | Internal, for manufacturing |
LUNA_MTK_RESTORE | CA_MTKRestore |
LUNA_MTK_RESPLIT | CA_MTKResplit |
LUNA_MTK_ZEROIZE | CA_MTKZeroize |
LUNA_FW_UPGRADE_INIT | CA_FirmwareUpdate |
LUNA_FW_UPGRADE_UPDATE | CA_FirmwareUpdate |
LUNA_FW_UPGRADE_FINAL | CA_FirmwareUpdate |
LUNA_FW_ROLLBACK | CA_FirmwareRollback |
LUNA_MTK_SET_STORAGE | CA_MTKSetStorage |
LUNA_SET_CONTAINER_SIZE | CA_SetContainerSize |
Key Management
HSM Event | Description |
---|---|
LUNA_CREATE_OBJECT | C_CreateObject |
LUNA_COPY_OBJECT | C_CopyObject |
LUNA_DESTROY_OBJECT | C_DestroyObject |
LUNA_DESTROY_MULTIPLE_OBJECTS | CA_DestroyMultipleObjects |
LUNA_GENERATE_KEY | C_GenerateKey |
LUNA_GENERATE_KEY_PAIR | C_GenerateKeyPair |
LUNA_WRAP_KEY | C_WrapKey |
LUNA_UNWRAP_KEY | C_UnwrapKey |
LUNA_DERIVE_KEY | C_DeriveKey |
LUNA_GET_RANDOM | C_GenerateRandom |
LUNA_CLONE_AS_SOURCE, LUNA_REPLICATE_AS_SOURCE | CA_CloneAsSource |
LUNA_CLONE_AS_TARGET_INIT, LUNA_REPLICATE_AS_TARGET_INIT | CA_CloneAsTargetInit |
LUNA_CLONE_AS_TARGET, LUNA_REPLICATE_AS_TARGET | CA_CloneAsTarget |
LUNA_GEN_TKN_KEYS | CA_GenerateTokenKeys |
LUNA_GEN_KCV | CA_ManualKCV, C_InitPIN, C_InitToken, CA_InitAudit |
LUNA_SET_LKCV | CA_SetLKCV |
LUNA_M_OF_N_GENERATE | CA_GenerateMofN_Common, CA_GenerateMofN |
LUNA_M_OF_N_ACTIVATE | CA_ActivateMofN |
LUNA_M_OF_N_MODIFY | CA_ActivateMofN |
LUNA_EXTRACT | CA_Extract |
LUNA_INSERT | CA_Insert |
LUNA_LKM_COMMAND | CA_LKMInitiatorChallenge, CA_LKMReceiverResponse, CA_LKMInitiatorComplete, CA_LKMReceiverComplete |
LUNA_MODIFY_USAGE_COUNT | CA_ModifyUsageCount |
Key Usage and Key First Usage
HSM Event | Description |
---|---|
LUNA_ENCRYPT_INIT | C_EncryptInit |
LUNA_ENCRYPT | C_Encrypt |
LUNA_ENCRYPT_END | C_EncryptFinal |
LUNA_DECRYPT_INIT | C_DecryptInit |
LUNA_DECRYPT | C_Decrypt |
LUNA_DECRYPT_END | C_DecryptFinal |
LUNA_DIGEST_INIT | C_DigestInit |
LUNA_DIGEST | C_Digest |
LUNA_DIGEST_KEY | C_DigestKey |
LUNA_DIGEST_END | C_DigestFinal |
LUNA_SIGN_INIT | C_SignInit |
LUNA_SIGN | C_Sign |
LUNA_SIGN_END | C_SignFinal |
LUNA_VERIFY_INIT | C_VerifyInit |
LUNA_VERIFY | C_Verify |
LUNA_VERIFY_END | C_VerifyFinal |
LUNA_SIGN_SINGLEPART | C_Sign |
LUNA_VERIFY_SINGLEPART | C_Verify |
LUNA_WRAP_CSP | CA_CloneMofN_Common |
LUNA_M_OF_N_DUPLICATE | CA_DuplicateMofN |
LUNA_ENCRYPT_SINGLEPART | C_Encrypt |
LUNA_DECRYPT_SINGLEPART | C_Decrypt |
Per-Key Authorization
HSM Event | Description |
---|---|
LUNA_AUTHORIZE_KEY | CA_AuthorizeKey |
LUNA_SET_AUTHORIZATION_DATA | CA_SetAuthorizationData |
LUNA_RESET_AUTHORIZATION_DATA | CA_ResetAuthorizationData |
LUNA_ASSIGN_KEY | CA_AssignKey |
LUNA_INCREMENT_FAILED_AUTH_COUNT | CA_IncrementFailedAuthCount |
Audit Log Management
HSM Event | Description |
---|---|
LUNA_LOG_SET_TIME | CA_TimeSync |
LUNA_LOG_GET_TIME | CA_GetTime |
LUNA_LOG_SET_CONFIG | CA_LogSetConfig. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
LUNA_LOG_GET_CONFIG | CA_LogGetConfig. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
LUNA_LOG_VERIFY | CA_LogVerify |
LUNA_CREATE_AUDIT_CONTAINER | CA_InitAudit. The event is logged unconditionally. |
LUNA_LOG_IMPORT_SECRET | CA_LogImportSecret |
LUNA_LOG_EXPORT_SECRET | CA_LogExportSecret |