To further improve the customer experience, support data review and enable compliance, the DPoD team is excited to announce our new API that lets users quickly and easily retrieve audit logs from Luna Cloud HSM. Users call an API endpoint with a log query and receive a signed URL from which they can download a file containing the requested logs. The signed URL is valid for 24 hours. The audit log file is a .ZIP that contains a JSON list of audit logs. Audit logs are accessible for one year.
What do the Luna Cloud HSM Audit logs provide?
Audit logs help validate that the assets protected within the HSM are used appropriately. An audit trail can help identify issues such as software/logic flaws, intrusion attempts and performance problems, and it supports problem analysis. Users can detect when their service is being accessed and from which client, how the client authenticated, and route information including the IP address. Within the audit record it is possible to see whether critical functions are performed, where they are performed, and whether the function completed successfully or resulted in an error. The audit log also includes the HSM role used to call those functions (Security Officer, Crypto Officer or Crypto User). If the operation involves access to keys, a strong identifier, the Object Unique Identifier (OUID), identifies them.
Audit logs give users full oversight of the operations happening on their service, in particular the ability to track the use of a key.
Retrieval of audit logs uses an API.
Queries are filtered using the following attributes:
- Time (time period to query)
- Source (Luna Cloud HSM Service partition)
- ResourceID (service identifier)
- ActorID (identifies the client used)
- TenantID (customer identifier)
- Action (A short code describing the action taken on the service)
- Status (the outcome of the action taken on the service)
An example log entry looks like this (note that the meta field is itself a JSON-encoded string holding the client, HSM, partition and role details):
{
  "time": "2022-03-10 15:29:01 UTC",
  "source": "thales/cloudhsm/1269045733704",
  "resourceID": "ff87a16d-5b1b-4dc7-bda7-1c503997c54b",
  "actorID": "8ea31349-d987-4791-8dd7-3863cad26567",
  "tenantID": "bb81cf52-457d-4679-88a4-47cd44b88ad1",
  "action": "LUNA_LOGIN",
  "status": "LUNA_RET_OK",
  "meta": "{\"clientip\":\"34.232.134.91\",\"hsmid\":\"545048\",\"partid\":\"1269045733704\",\"role\":\"CO\"}"
}
time – the timestamp at which the operation took place.
source – the source of the audit log is the Luna Cloud HSM Service partition. Luna Cloud HSM Service audit logs return the source value thales/cloudhsm/<partitionID>.
resourceID – the serviceID of the Luna Cloud HSM Service.
actorID – the clientID of the client that took the action on the Luna Cloud HSM Service partition.
tenantID – the unique customer ID.
action – a short code describing the action taken on the service. The complete list of actions recorded by the audit log system is given below.
status – the outcome of the action taken on the service.
meta – a nested record with the following fields:
clientip – the egress IP address of the client who initiated the action.
hsmid – the serial number of the HSM where the action took place.
ouid – the object identifier of the target of the action. This value may be null.
partid – the serial number of the partition where the action took place.
role – the lunacm user short code (PO, CO, CU) of the role who initiated the action. If there is no authentication associated with the action then the role value will be public.
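The following Python is an added example (not code from Thales or the DPoD team) that unpacks an audit-log download of the kind described above, normalises the meta field, applies the query attributes listed earlier and groups records by OUID so a key's use can be followed. The ZIP layout (one or more .json members, each a JSON array of records), the acceptance of meta as either a JSON-encoded string or a nested object, the parse_time/query/key_usage helper names and the LUNA_RET_ERROR_PLACEHOLDER status are this example's assumptions; all sample records are constructed.

```python
"""Added example (not Thales/DPoD code): unpack a Luna Cloud HSM audit-log
download and apply the query attributes described on the page.

Assumptions not stated on the page: the ZIP holds one or more .json members,
each a JSON array of records shaped like the example entry, and 'meta' may
arrive as a JSON-encoded string (as in the example) or as a nested object.
All sample records below are constructed.
"""
import io
import json
import zipfile
from datetime import datetime, timezone

TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"  # layout of the "time" field in the example entry


def parse_time(value):
    """Turn the audit 'time' string into a timezone-aware UTC datetime."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def normalise_meta(meta):
    """Accept 'meta' as a JSON-encoded string or a nested object; return a dict."""
    if meta is None:
        return {}
    if isinstance(meta, str):
        return json.loads(meta)
    return dict(meta)


def load_audit_zip(zip_bytes):
    """Read every .json member of the downloaded ZIP. Each record comes back with
    'meta' as a dict and an extra 'ts' datetime; records are sorted by time."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".json"):
                continue
            with zf.open(name) as fh:
                records = json.load(fh)
            if isinstance(records, dict):  # tolerate a file holding a single record
                records = [records]
            for rec in records:
                rec = dict(rec)
                rec["meta"] = normalise_meta(rec.get("meta"))
                rec["ts"] = parse_time(rec["time"])
                entries.append(rec)
    entries.sort(key=lambda r: r["ts"])
    return entries


def query(entries, start=None, end=None, **attrs):
    """Filter by the page's query attributes: a time window plus exact matches on
    source / resourceID / actorID / tenantID / action / status."""
    out = []
    for rec in entries:
        if start is not None and rec["ts"] < start:
            continue
        if end is not None and rec["ts"] > end:
            continue
        if any(rec.get(k) != v for k, v in attrs.items()):
            continue
        out.append(rec)
    return out


def key_usage(entries):
    """Group records by the OUID in 'meta' so each key's history can be followed.
    Records without an OUID (for example LUNA_LOGIN) are skipped."""
    by_key = {}
    for rec in entries:
        ouid = rec["meta"].get("ouid")
        if not ouid:
            continue
        by_key.setdefault(ouid, []).append(
            (rec["time"], rec["action"], rec["status"], rec["actorID"], rec["meta"].get("clientip")))
    return by_key


def build_sample_zip(entries):
    """Stand-in for the file fetched from the signed URL: a ZIP with one JSON list."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.json", json.dumps(entries))
    return buf.getvalue()


def _record(time, action, status, meta, actor="8ea31349-d987-4791-8dd7-3863cad26567"):
    """Constructed record reusing the identifiers from the page's example entry."""
    return {"time": time, "source": "thales/cloudhsm/1269045733704",
            "resourceID": "ff87a16d-5b1b-4dc7-bda7-1c503997c54b",
            "actorID": actor, "tenantID": "bb81cf52-457d-4679-88a4-47cd44b88ad1",
            "action": action, "status": status, "meta": meta}


_BASE = {"clientip": "198.51.100.7", "hsmid": "545048", "partid": "1269045733704"}
SAMPLE_ENTRIES = [  # constructed; first 'meta' is a JSON string, the others are objects
    _record("2022-03-10 15:29:01 UTC", "LUNA_LOGIN", "LUNA_RET_OK",
            json.dumps({**_BASE, "role": "CO"})),
    _record("2022-03-10 15:29:05 UTC", "LUNA_GENERATE_KEY", "LUNA_RET_OK",
            {**_BASE, "role": "CO", "ouid": "example-ouid-0001"}),
    _record("2022-03-10 15:30:10 UTC", "LUNA_SIGN", "LUNA_RET_OK",
            {**_BASE, "role": "CU", "ouid": "example-ouid-0001"}),
    _record("2022-03-10 15:31:00 UTC", "LUNA_LOGIN", "LUNA_RET_ERROR_PLACEHOLDER",  # constructed non-OK status
            {**_BASE, "clientip": "203.0.113.9", "role": "CO"}, actor="example-actor-0002"),
]

if __name__ == "__main__":
    entries = load_audit_zip(build_sample_zip(SAMPLE_ENTRIES))
    for rec in query(entries, action="LUNA_LOGIN"):
        print(rec["time"], rec["actorID"], rec["meta"]["clientip"], rec["status"])
    for ouid, events in key_usage(entries).items():
        print(ouid, [e[1] for e in events])
```

Because a 24-hour signed URL and a one-year retention window are the only guarantees the API gives, a reviewer would normally run this unpacking step as soon as the download completes and keep the normalised records in their own store; the query helper then reproduces the same attribute filters locally without a second API call.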
List of actions
Action Description
LUNA_CANCEL_CRYPTO_OPERATION Cancels the crypto operation.
LUNA_CLONE_AS_SOURCE Clones an object from the source token.
LUNA_CLONE_AS_TARGET Clones an object to the target token.
LUNA_CLONE_AS_TARGET_INIT Initializes cloning an object to the target token.
LUNA_COPY_OBJECT Creates a copy of an object.
LUNA_CREATE_OBJECT Creates an object.
LUNA_DECRYPT Decrypts encrypted data.
LUNA_DECRYPT_END Finishes a decryption operation.
LUNA_DECRYPT_INIT Initializes a decryption operation.
LUNA_DECRYPT_SINGLEPART Decrypts encrypted single-part data.
LUNA_DERIVE_KEY Derives a key from a base key.
LUNA_DERIVE_KEY_AND_WRAP Derives a key from a base key and wraps (encrypts) the key.
LUNA_DESTROY_OBJECT Destroys an object.
LUNA_DIGEST Digests single-part data.
LUNA_DIGEST_END Finishes a multiple-part digesting operation.
LUNA_DIGEST_INIT Initializes a message-digesting operation.
LUNA_DIGEST_KEY Digests a key.
LUNA_DIGEST_KEY_VALUE Digests a key value.
LUNA_ENCRYPT Encrypts data.
LUNA_ENCRYPT_END Finishes a multiple-part encryption operation.
LUNA_ENCRYPT_INIT Initializes a multiple-part encryption operation.
LUNA_ENCRYPT_SINGLEPART Encrypts single-part data.
LUNA_GENERATE_DOMAIN_PARAM Generates domain parameters.
LUNA_GENERATE_KEY Generates a secret key.
LUNA_GENERATE_KEY_PAIR Generates a public-key/private-key pair.
LUNA_GEN_KCV Generates a key check value (KCV).
LUNA_INIT_PIN Initializes the user's PIN.
LUNA_LOGIN Logs in to a token.
LUNA_MODIFY_OBJECT Updates an object.
LUNA_PARTITION_INIT Initializes the HSM partition.
LUNA_PARTITION_ZEROIZE Zeroizes the HSM partition.
LUNA_REPLICATE_AS_SOURCE Replicates an object from the source token.
LUNA_REPLICATE_AS_TARGET Replicates an object to the target token.
LUNA_REPLICATE_AS_TARGET_INIT Initializes replicating an object to the target token.
LUNA_SET_PIN Modifies the PIN of the current user.
LUNA_SIGN Signs data.
LUNA_SIGN_END Finishes a multi-part sign operation.
LUNA_SIGN_INIT Initializes a multi-part sign operation.
LUNA_SIGN_SINGLEPART Signs single-part data.
LUNA_UNWRAP_KEY Unwraps a key.
LUNA_VERIFY Verifies a signature on data.
LUNA_VERIFY_END Finishes a multi-part verification operation.
LUNA_VERIFY_INIT Initializes a multi-part verification operation.
LUNA_VERIFY_SINGLEPART Verifies a signature on single-part data.
LUNA_WRAP_KEY Wraps a key.
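As an added example (not code from Thales or the DPoD team), the Python below groups the action codes in the list above into key-lifecycle stages and builds a per-OUID report with the findings a log reviewer would want surfaced: a key exported from the partition (wrapped, cloned or replicated out), a key destroyed, a key used by a client other than the one that created it, and any operation that references a key after its destruction. The grouping of codes into stages is this example's own reading of the list, not a classification from the page; it assumes records have already been parsed with meta as a dict, and the lifecycle_report/stage helper names, the actor-A/actor-B identifiers and the LUNA_RET_ERROR_PLACEHOLDER status are constructed.

```python
"""Added example (not Thales/DPoD code): group the page's action codes into
key-lifecycle stages and build a per-key (OUID) report with findings.

Assumes records are already parsed into dicts with 'meta' as a dict (the
example entry carries it as a JSON string, so json.loads it first). Sample
records are constructed; the stage grouping is this example's own.
"""

# Stages built from the action codes on the page (this example's grouping).
CREATE = {"LUNA_GENERATE_KEY", "LUNA_GENERATE_KEY_PAIR", "LUNA_CREATE_OBJECT",
          "LUNA_DERIVE_KEY", "LUNA_UNWRAP_KEY", "LUNA_COPY_OBJECT",
          "LUNA_CLONE_AS_TARGET", "LUNA_REPLICATE_AS_TARGET"}
EXPORT = {"LUNA_WRAP_KEY", "LUNA_DERIVE_KEY_AND_WRAP",
          "LUNA_CLONE_AS_SOURCE", "LUNA_REPLICATE_AS_SOURCE"}
DESTROY = {"LUNA_DESTROY_OBJECT"}  # partition zeroize carries no single OUID
USE_PREFIXES = ("LUNA_ENCRYPT", "LUNA_DECRYPT", "LUNA_SIGN", "LUNA_VERIFY", "LUNA_DIGEST_KEY")


def stage(action):
    """Map an action code to create / export / destroy / use / other."""
    if action in CREATE:
        return "create"
    if action in EXPORT:
        return "export"
    if action in DESTROY:
        return "destroy"
    if action.startswith(USE_PREFIXES):
        return "use"
    return "other"


def _new_key():
    return {"created_by": None, "actors": set(), "uses": 0,
            "exports": [], "destroyed_at": None, "findings": []}


def lifecycle_report(entries):
    """Walk records in time order and build one summary per OUID. The 'time'
    strings are fixed-width UTC, so lexical order equals chronological order."""
    keys = {}
    for rec in sorted(entries, key=lambda r: r["time"]):
        ouid = rec.get("meta", {}).get("ouid")
        if not ouid:  # logins, PIN changes etc. carry no object identifier
            continue
        k = keys.setdefault(ouid, _new_key())
        st = stage(rec["action"])
        ok = rec["status"] == "LUNA_RET_OK"
        actor = rec["actorID"]
        if k["destroyed_at"] is not None:
            k["findings"].append(f"{rec['time']}: {rec['action']} by {actor} after destruction at {k['destroyed_at']}")
        if st == "create" and ok and k["created_by"] is None:
            k["created_by"] = actor
        elif st == "use":
            k["actors"].add(actor)
            if ok:
                k["uses"] += 1
            if k["created_by"] is not None and actor != k["created_by"]:
                k["findings"].append(f"{rec['time']}: used by {actor}, created by {k['created_by']}")
        elif st == "export" and ok:
            k["exports"].append((rec["time"], rec["action"], actor))
            k["findings"].append(f"{rec['time']}: exported (wrapped/cloned out) via {rec['action']} by {actor}")
        elif st == "destroy" and ok:
            k["destroyed_at"] = rec["time"]
            k["findings"].append(f"{rec['time']}: destroyed by {actor}")
    return keys


_M = {"clientip": "198.51.100.7", "hsmid": "545048", "partid": "1269045733704"}


def _rec(time, action, status, actor, ouid, role="CU"):
    """Constructed record carrying only the fields the report needs."""
    return {"time": time, "action": action, "status": status, "actorID": actor,
            "meta": {**_M, "role": role, "ouid": ouid}}


SAMPLE = [  # constructed; ouid-0001 has a full lifecycle, ouid-0002 a clean one
    _rec("2022-03-10 15:29:05 UTC", "LUNA_GENERATE_KEY", "LUNA_RET_OK", "actor-A", "ouid-0001", "CO"),
    _rec("2022-03-10 15:30:10 UTC", "LUNA_SIGN", "LUNA_RET_OK", "actor-A", "ouid-0001"),
    _rec("2022-03-10 15:40:00 UTC", "LUNA_WRAP_KEY", "LUNA_RET_OK", "actor-B", "ouid-0001"),
    _rec("2022-03-10 15:45:00 UTC", "LUNA_DESTROY_OBJECT", "LUNA_RET_OK", "actor-A", "ouid-0001", "CO"),
    _rec("2022-03-10 15:50:00 UTC", "LUNA_SIGN", "LUNA_RET_ERROR_PLACEHOLDER", "actor-B", "ouid-0001"),
    _rec("2022-03-10 16:00:00 UTC", "LUNA_GENERATE_KEY_PAIR", "LUNA_RET_OK", "actor-C", "ouid-0002", "CO"),
    _rec("2022-03-10 16:01:00 UTC", "LUNA_VERIFY", "LUNA_RET_OK", "actor-C", "ouid-0002"),
]

if __name__ == "__main__":
    for ouid, summary in lifecycle_report(SAMPLE).items():
        print(ouid, "uses:", summary["uses"], "actors:", sorted(summary["actors"]))
        for finding in summary["findings"]:
            print("  ", finding)
```

The multi-part variants (LUNA_SIGN_INIT, LUNA_SIGN_END and so on) fall under the same "use" stage by prefix, so a single signing operation can contribute several records; the report counts successful records, not logical operations, which is the right granularity for spotting a key that is exercised from an unexpected client.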