Audit Logging API now available in Data Protection on Demand (DPoD)

To further improve customer experience, data review and compliance, the DPoD team is pleased to announce a new API that lets users quickly and easily retrieve audit logs from Luna Cloud HSM. Users call an API endpoint with a log query and receive a signed URL from which they can download a file containing the requested logs. The signed URL is valid for 24 hours; anyone holding it can download the file until it expires, so treat the URL as a credential and keep it out of logs and tickets. The audit log file is a .ZIP that contains a JSON list of audit records. Audit logs are accessible for one year.

What do the Luna Cloud HSM Audit logs provide?

Audit logs help validate that the assets protected within the HSM are used appropriately. An audit trail can help identify issues such as software/logic flaws, intrusion attempts and performance problems, and supports problem analysis. Users can detect when their service is being accessed, from which client, how the client authenticated, and route information including the client IP. Within an audit record it is possible to see whether critical functions were performed, where they were performed, and whether the function completed successfully or resulted in an error. The audit record also includes the HSM role used to call the function (Partition Security Officer, Crypto Officer or Crypto User). If the operation involves access to a key, the key is identified by a strong identifier, the Object Unique Identifier (OUID).

Audit logs give users full oversight of the operations happening on their service, and in particular the ability to track every use of a given key.

Audit logs are retrieved through the API.

Queries are filtered using the following attributes:

  • Time (time period to query)
  • Source (Luna Cloud HSM Service partition)
  • ResourceID (service identifier)
  • ActorID (identifies the client used)
  • TenantID (customer identifier)
  • Action (a short code describing the action taken on the service)
  • Status (the outcome of the action taken on the service)

An example log entry looks like this. Note that meta is itself a JSON-encoded string (the quote before the opening brace), so a consumer has to decode it a second time to reach the nested fields:

{
  "time": "2022-03-10 15:29:01 UTC",
  "source": "thales/cloudhsm/1269045733704",
  "resourceID": "ff87a16d-5b1b-4dc7-bda7-1c503997c54b",
  "actorID": "8ea31349-d987-4791-8dd7-3863cad26567",
  "tenantID": "bb81cf52-457d-4679-88a4-47cd44b88ad1",
  "action": "LUNA_LOGIN",
  "status": "LUNA_RET_OK",
  "meta": "{\"clientip\":\"34.232.134.91\",\"hsmid\":\"545048\",\"partid\":\"1269045733704\",\"role\":\"CO\"}"
}

Top-level fields:

time – timestamp (UTC) at which the operation took place.

source – the source of the audit log is the Luna Cloud HSM Service partition. Luna Cloud HSM Service audit logs return the source value thales/cloudhsm/<partitionID>.

resourceID – the serviceID of the Luna Cloud HSM Service.

actorID – the clientID of the client that took the action on the Luna Cloud HSM Service partition.

tenantID – unique customer ID.

action – a short code describing the action taken on the service. The complete list of actions recorded by the audit log system is given below.

status – the outcome of the action taken on the service. LUNA_RET_OK indicates success; any other value is the error returned by the operation.

Fields inside meta:

clientip – the egress IP address of the client that initiated the action.

hsmid – the serial number of the HSM where the action took place.

ouid – the Object Unique Identifier of the target of the action. This value may be null (for example on a login, which targets no object).

partid – the serial number of the partition where the action took place.

role – the lunacm role short code (PO, CO, CU) of the role that initiated the action. If no authentication is associated with the action, the role value is public.
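The following is an added example, not Thales code, showing how a consumer would unpack the downloaded archive and run the attribute queries described above, including tracing one key by its OUID. It assumes (labelled assumptions) that the .ZIP contains one or more JSON files whose top level is a list of records shaped like the example entry, and that "meta" may arrive either as a JSON-encoded string (as in that example) or as an already-decoded object. The identifiers, the OUID value and the archive itself are constructed in memory so the script runs offline.

```python
"""Parse and query a DPoD Luna Cloud HSM audit-log archive (added example).

Assumptions: the archive holds JSON files whose top level is a list of
records in the page's format; "meta" may be a JSON string or an object.
"""
import io
import json
import zipfile
from datetime import datetime, timezone
from typing import Optional

# Constructed placeholders, not real DPoD identifiers.
SOURCE = "thales/cloudhsm/1269045733704"
SERVICE = "ff87a16d-5b1b-4dc7-bda7-1c503997c54b"
TENANT = "bb81cf52-457d-4679-88a4-47cd44b88ad1"
CLIENT_A = "8ea31349-d987-4791-8dd7-3863cad26567"
CLIENT_B = "0b5f2c1e-1111-2222-3333-444455556666"
KEY_OUID = "0a1b2c3d4e5f60718293a4b5"   # constructed OUID value
_BASE = {"hsmid": "545048", "partid": "1269045733704"}


def _rec(time, actor, action, status, meta, meta_as_string):
    """Build one constructed audit record in the page's format."""
    return {"time": time, "source": SOURCE, "resourceID": SERVICE,
            "actorID": actor, "tenantID": TENANT, "action": action,
            "status": status,
            "meta": json.dumps(meta) if meta_as_string else meta}


# Constructed sample: a CO logs in, generates a key, a CU from another client
# signs with it, and the CO later destroys it. Two records carry meta as a
# string (like the page's example), one as an object.
SAMPLE_RECORDS = [
    _rec("2022-03-10 15:29:01 UTC", CLIENT_A, "LUNA_LOGIN", "LUNA_RET_OK",
         {**_BASE, "clientip": "34.232.134.91", "role": "CO"}, True),
    _rec("2022-03-10 15:29:05 UTC", CLIENT_A, "LUNA_GENERATE_KEY", "LUNA_RET_OK",
         {**_BASE, "clientip": "34.232.134.91", "role": "CO", "ouid": KEY_OUID}, True),
    _rec("2022-03-10 16:02:11 UTC", CLIENT_B, "LUNA_SIGN_SINGLEPART", "LUNA_RET_OK",
         {**_BASE, "clientip": "198.51.100.7", "role": "CU", "ouid": KEY_OUID}, False),
    _rec("2022-03-11 09:15:40 UTC", CLIENT_A, "LUNA_DESTROY_OBJECT", "LUNA_RET_OK",
         {**_BASE, "clientip": "34.232.134.91", "role": "CO", "ouid": KEY_OUID}, True),
]


def build_archive(records) -> bytes:
    """Pack records as audit.json inside a .ZIP, mimicking the download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.json", json.dumps(records))
    return buf.getvalue()


def parse_time(value: str) -> datetime:
    """Page format 'YYYY-MM-DD HH:MM:SS UTC' -> timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def load_audit_zip(data: bytes) -> list:
    """Read every .json member and normalise each record.

    meta is decoded to a dict (decoded a second time when it arrives as a
    string), meta.ouid is defaulted to None, and a "ts" key holds the parsed
    timestamp for range queries. Records are returned in time order.
    """
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".json"):
                continue
            for rec in json.loads(zf.read(name)):
                meta = rec.get("meta") or {}
                if isinstance(meta, str):
                    meta = json.loads(meta)
                meta.setdefault("ouid", None)
                out.append(dict(rec, meta=meta, ts=parse_time(rec["time"])))
    out.sort(key=lambda r: r["ts"])
    return out


def query(records, start: Optional[datetime] = None,
          end: Optional[datetime] = None, **attrs):
    """Filter on the page's attributes: a time window plus exact matches on
    source / resourceID / actorID / tenantID / action / status."""
    hits = []
    for r in records:
        if start is not None and r["ts"] < start:
            continue
        if end is not None and r["ts"] > end:
            continue
        if any(r.get(k) != v for k, v in attrs.items()):
            continue
        hits.append(r)
    return hits


def trace_key(records, ouid: str):
    """Every operation that touched one key object, in time order."""
    return [(r["time"], r["action"], r["status"], r["meta"]["role"],
             r["meta"]["clientip"], r["actorID"])
            for r in records if r["meta"]["ouid"] == ouid]


if __name__ == "__main__":
    recs = load_audit_zip(build_archive(SAMPLE_RECORDS))
    for row in trace_key(recs, KEY_OUID):
        print(row)
```

The key trace is the view a reviewer usually wants first: it shows the key being created by one client as CO, used by a different client and role from a different egress IP, and then destroyed, which is exactly the sequence the OUID makes it possible to reconstruct.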

List of actions

Action – Description

LUNA_CANCEL_CRYPTO_OPERATION – Cancels the crypto operation.
LUNA_CLONE_AS_SOURCE – Clones an object from the source token.
LUNA_CLONE_AS_TARGET – Clones an object to the target token.
LUNA_CLONE_AS_TARGET_INIT – Initializes cloning an object to the target token.
LUNA_COPY_OBJECT – Creates a copy of an object.
LUNA_CREATE_OBJECT – Creates an object.
LUNA_DECRYPT – Decrypts encrypted data.
LUNA_DECRYPT_END – Finishes a decryption operation.
LUNA_DECRYPT_INIT – Initializes a decryption operation.
LUNA_DECRYPT_SINGLEPART – Decrypts encrypted single-part data.
LUNA_DERIVE_KEY – Derives a key from a base key.
LUNA_DERIVE_KEY_AND_WRAP – Derives a key from a base key and wraps (encrypts) the derived key.
LUNA_DESTROY_OBJECT – Destroys an object.
LUNA_DIGEST – Digests single-part data.
LUNA_DIGEST_END – Finishes a multiple-part digesting operation.
LUNA_DIGEST_INIT – Initializes a message-digesting operation.
LUNA_DIGEST_KEY – Digests a key.
LUNA_DIGEST_KEY_VALUE – Digests a key value.
LUNA_ENCRYPT – Encrypts data.
LUNA_ENCRYPT_END – Finishes a multiple-part encryption operation.
LUNA_ENCRYPT_INIT – Initializes a multiple-part encryption operation.
LUNA_ENCRYPT_SINGLEPART – Encrypts single-part data.
LUNA_GENERATE_DOMAIN_PARAM – Generates domain parameters.
LUNA_GENERATE_KEY – Generates a secret key.
LUNA_GENERATE_KEY_PAIR – Generates a public-key/private-key pair.
LUNA_GEN_KCV – Generates a key check value (KCV).
LUNA_INIT_PIN – Initializes the user's PIN.
LUNA_LOGIN – Logs in to a token.
LUNA_MODIFY_OBJECT – Updates an object.
LUNA_PARTITION_INIT – Initializes the HSM partition.
LUNA_PARTITION_ZEROIZE – Zeroizes the HSM partition.
LUNA_REPLICATE_AS_SOURCE – Replicates an object from the source token.
LUNA_REPLICATE_AS_TARGET – Replicates an object to the target token.
LUNA_REPLICATE_AS_TARGET_INIT – Initializes replicating an object to the target token.
LUNA_SET_PIN – Modifies the PIN of the current user.
LUNA_SIGN – Signs data.
LUNA_SIGN_END – Finishes a multi-part sign operation.
LUNA_SIGN_INIT – Initializes a multi-part sign operation.
LUNA_SIGN_SINGLEPART – Signs single-part data.
LUNA_UNWRAP_KEY – Unwraps a key.
LUNA_VERIFY – Verifies a signature on data.
LUNA_VERIFY_END – Finishes a multi-part verification operation.
LUNA_VERIFY_INIT – Initializes a multi-part verification operation.
LUNA_VERIFY_SINGLEPART – Verifies a signature on single-part data.
LUNA_WRAP_KEY – Wraps a key.
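The action codes above are what a detection pipeline keys on. The following is an added example, not Thales code, of simple alerting rules run over already-decoded audit events: which actions are treated as destructive, which as exporting key material, the failed-login threshold and window, and the treatment of any status other than LUNA_RET_OK as a failure are all this example's own choices (assumptions), not DPoD semantics. The events and the non-OK status value are constructed.

```python
"""Alerting rules over DPoD audit-log action codes (added example).

Assumptions: the DESTRUCTIVE / EXPORT groupings, thresholds and the rule
that any status other than LUNA_RET_OK is a failure are this example's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: actions that remove or reset material or credentials on the partition.
DESTRUCTIVE = {"LUNA_PARTITION_ZEROIZE", "LUNA_PARTITION_INIT",
               "LUNA_DESTROY_OBJECT", "LUNA_INIT_PIN", "LUNA_SET_PIN"}
# Assumption: actions that move key material off the partition.
EXPORT = {"LUNA_WRAP_KEY", "LUNA_DERIVE_KEY_AND_WRAP",
          "LUNA_CLONE_AS_SOURCE", "LUNA_REPLICATE_AS_SOURCE"}
FAILED_LOGIN_THRESHOLD = 3                  # failed LUNA_LOGIN from one IP ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this window


def _ts(value: str) -> datetime:
    """Page time format 'YYYY-MM-DD HH:MM:SS UTC' -> aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def _ev(time, action, status, role, clientip, ouid=None):
    """One constructed event with meta already decoded and flattened."""
    return {"time": time, "action": action, "status": status,
            "role": role, "clientip": clientip, "ouid": ouid}


# Constructed events; "LUNA_RET_FAILED" is a placeholder for a non-OK status.
EVENTS = [
    _ev("2022-03-12 08:00:01 UTC", "LUNA_LOGIN", "LUNA_RET_FAILED", "CO", "203.0.113.9"),
    _ev("2022-03-12 08:00:20 UTC", "LUNA_LOGIN", "LUNA_RET_FAILED", "CO", "203.0.113.9"),
    _ev("2022-03-12 08:01:02 UTC", "LUNA_LOGIN", "LUNA_RET_FAILED", "CO", "203.0.113.9"),
    _ev("2022-03-12 08:05:00 UTC", "LUNA_LOGIN", "LUNA_RET_OK", "CO", "34.232.134.91"),
    _ev("2022-03-12 08:05:30 UTC", "LUNA_SIGN_SINGLEPART", "LUNA_RET_OK", "CU", "34.232.134.91", "k1"),
    _ev("2022-03-12 08:06:00 UTC", "LUNA_WRAP_KEY", "LUNA_RET_OK", "CO", "34.232.134.91", "k1"),
    _ev("2022-03-12 08:07:00 UTC", "LUNA_PARTITION_ZEROIZE", "LUNA_RET_OK", "PO", "34.232.134.91"),
]


def evaluate(events):
    """Return (severity, rule, event) triples for every event that trips a rule.

    Events are processed in time order so the failed-login window is a true
    sliding window over the sequence, not over arrival order.
    """
    alerts = []
    failed_logins = defaultdict(list)   # clientip -> timestamps of recent failures
    for e in sorted(events, key=lambda e: _ts(e["time"])):
        if e["action"] in DESTRUCTIVE:
            alerts.append(("high", "destructive-action", e))
        elif e["action"] in EXPORT:
            alerts.append(("medium", "key-export", e))
        if e["status"] != "LUNA_RET_OK":
            alerts.append(("low", "operation-failed", e))
        if e["action"] == "LUNA_LOGIN" and e["status"] != "LUNA_RET_OK":
            window = failed_logins[e["clientip"]]
            window.append(_ts(e["time"]))
            # discard failures that fell out of the window
            while window and window[-1] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("high", "login-brute-force", e))
                window.clear()   # one alert per burst
    return alerts


def summarize(alerts):
    """Count alerts per rule name."""
    counts = defaultdict(int)
    for _, rule, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for severity, rule, e in evaluate(EVENTS):
        print(f"{severity:6} {rule:20} {e['time']} {e['action']} {e['role']} {e['clientip']}")
```

In practice the destructive and export groupings should be tuned to the partition's purpose (a partition that legitimately wraps keys for backup will alert constantly on the export rule), and the role and clientip fields let a rule narrow further, for example alerting on any PO action from an IP not on an allow-list.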