Audit Log Categories and HSM Events
This section provides a summary of the audit log categories and their associated HSM events.
Partition Role IDs
If you are using a Luna PCIe HSM 7 with Luna HSM Firmware 7.7.0 or newer and Luna HSM Client 10.3.0 or newer, the HSM event log reports events with the following IDs assigned to each partition role:
Administrative Partition Role IDs
| Partition Role | Role ID |
|---|---|
| Administrator | 0 |
| HSM Security Officer | 1 |
| Auditor | 8 |
Application Partition Role IDs
| Partition Role | Role ID |
|---|---|
| Partition Security Officer | 1 |
| Crypto Officer | 0 |
| Limited Crypto Officer | 9 |
| Crypto User | 5 |
HSM Access
| HSM Event | Description |
|---|---|
| LUNA_LOGIN | C_Login. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
| LUNA_LOGOUT | C_Logout. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
| LUNA_LOGOUT_OTHER | C_LogoutOther. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
| LUNA_MODIFY_OBJECT | C_SetAttributeValue |
| LUNA_OPEN_SESSION | C_OpenSession. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
| LUNA_CLOSE_ALL_SESSIONS | C_CloseAllSessions |
| LUNA_CLOSE_SESSION | C_CloseSession. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
| LUNA_OPEN_ACCESS | CA_OpenApplicationID |
| LUNA_CLEAN_ACCESS | CA_Restart, CA_RestartForContainer |
| LUNA_CLOSE_ACCESS | CA_CloseApplicationID |
| LUNA_LOAD_CUSTOM_MODULE | CA_LoadModule |
| LUNA_LOAD_ENCRYPTED_CUSTOM_MODULE | CA_LoadEncryptedModule |
| LUNA_UNLOAD_CUSTOM_MODULE | CA_UnloadModule |
| LUNA_EXECUTE_CUSTOM_COMMAND | CA_PerformModuleCall |
| LUNA_HA_LOGIN | CA_HAGetLoginChallenge, CA_HAAnswerLoginChallenge, CA_HALogin, CA_HAAnswerMofNChallenge, HAActivateMofN |
Log External
| HSM Event | Description |
|---|---|
| LUNA_LOG_EXTERNAL | CA_LogExternal |
HSM Management
| HSM Event | Description |
|---|---|
| LUNA_ZEROIZE | CA_FactoryReset. This event is logged unconditionally. |
| LUNA_INIT_TOKEN | C_InitToken. This event is logged unconditionally. |
| LUNA_SET_PIN | C_SetPIN |
| LUNA_INIT_PIN | C_InitPIN |
| LUNA_CREATE_CONTAINER | CA_CreateContainer |
| LUNA_DELETE_CONTAINER | CA_DeleteContainer, CA_DeleteContainerWithHandle |
| LUNA_SEED_RANDOM | C_SeedRandom |
| LUNA_EXTRACT_CONTEXTS | C_GetOperationState |
| LUNA_INSERT_CONTEXTS | C_SetOperationState |
| LUNA_SELF_TEST | C_PerformSelfTest |
| LUNA_LOAD_CERT | CA_SetTokenCertificateSignature |
| LUNA_HA_INIT | CA_HAInit |
| LUNA_SET_HSM_POLICY | CA_SetHSMPolicy |
| LUNA_SET_DESTRUCTIVE_HSM_POLICY | CA_SetDestructiveHSMPolicy |
| LUNA_SET_CONTAINER_POLICY | CA_SetContainerPolicy |
| LUNA_SET_CAPABILITY | Internal, for capability update |
| LUNA_CREATE_LOGIN_CHALLENGE | CA_CreateLoginChallenge |
| LUNA_REQUEST_CHALLENGE | CA_SIMInsert, CA_SIMMultiSign |
| LUNA_PED_INIT_RPV | CA_InitializeRemotePEDVector |
| LUNA_PED_DELETE_RPV | CA_DeleteRemotePEDVector |
| LUNA_MTK_LOCK | Internal, for manufacturing |
| LUNA_MTK_UNLOCK_CHALLENGE | Internal, for manufacturing |
| LUNA_MTK_UNLOCK_RESPONSE | Internal, for manufacturing |
| LUNA_MTK_RESTORE | CA_MTKRestore |
| LUNA_MTK_RESPLIT | CA_MTKResplit |
| LUNA_MTK_ZEROIZE | CA_MTKZeroize |
| LUNA_FW_UPGRADE_INIT | CA_FirmwareUpdate |
| LUNA_FW_UPGRADE_UPDATE | CA_FirmwareUpdate |
| LUNA_FW_UPGRADE_FINAL | CA_FirmwareUpdate |
| LUNA_FW_ROLLBACK | CA_FirmwareRollback |
| LUNA_MTK_SET_STORAGE | CA_MTKSetStorage |
| LUNA_SET_CONTAINER_SIZE | CA_SetContainerSize |
Key Management
| HSM Event | Description |
|---|---|
| LUNA_CREATE_OBJECT | C_CreateObject |
| LUNA_COPY_OBJECT | C_CopyObject |
| LUNA_DESTROY_OBJECT | C_DestroyObject |
| LUNA_DESTROY_MULTIPLE_OBJECTS | CA_DestroyMultipleObjects |
| LUNA_GENERATE_KEY | C_GenerateKey |
| LUNA_GENERATE_KEY_PAIR | C_GenerateKeyPair |
| LUNA_WRAP_KEY | C_WrapKey |
| LUNA_UNWRAP_KEY | C_UnwrapKey |
| LUNA_DERIVE_KEY | C_DeriveKey |
| LUNA_GET_RANDOM | C_GenerateRandom |
| LUNA_CLONE_AS_SOURCE, LUNA_REPLICATE_AS_SOURCE | CA_CloneAsSource |
| LUNA_CLONE_AS_TARGET_INIT, LUNA_REPLICATE_AS_TARGET_INIT | CA_CloneAsTargetInit |
| LUNA_CLONE_AS_TARGET, LUNA_REPLICATE_AS_TARGET | CA_CloneAsTarget |
| LUNA_GEN_TKN_KEYS | CA_GenerateTokenKeys |
| LUNA_GEN_KCV | CA_ManualKCV, C_InitPIN, C_InitToken, CA_InitAudit |
| LUNA_SET_LKCV | CA_SetLKCV |
| LUNA_M_OF_N_GENERATE | CA_GenerateMofN_Common, CA_GenerateMofN |
| LUNA_M_OF_N_ACTIVATE | CA_ActivateMofN |
| LUNA_M_OF_N_MODIFY | CA_ActivateMofN |
| LUNA_EXTRACT | CA_Extract |
| LUNA_INSERT | CA_Insert |
| LUNA_LKM_COMMAND | CA_LKMInitiatorChallenge, CA_LKMReceiverResponse, CA_LKMInitiatorComplete, CA_LKMReceiverComplete |
| LUNA_MODIFY_USAGE_COUNT | CA_ModifyUsageCount |
Key Usage and Key First Usage
| HSM Event | Description |
|---|---|
| LUNA_ENCRYPT_INIT | C_EncryptInit |
| LUNA_ENCRYPT | C_Encrypt |
| LUNA_ENCRYPT_END | C_EncryptFinal |
| LUNA_DECRYPT_INIT | C_DecryptInit |
| LUNA_DECRYPT | C_Decrypt |
| LUNA_DECRYPT_END | C_DecryptFinal |
| LUNA_DIGEST_INIT | C_DigestInit |
| LUNA_DIGEST | C_Digest |
| LUNA_DIGEST_KEY | C_DigestKey |
| LUNA_DIGEST_END | C_DigestFinal |
| LUNA_SIGN_INIT | C_SignInit |
| LUNA_SIGN | C_Sign |
| LUNA_SIGN_END | C_SignFinal |
| LUNA_VERIFY_INIT | C_VerifyInit |
| LUNA_VERIFY | C_Verify |
| LUNA_VERIFY_END | C_VerifyFinal |
| LUNA_SIGN_SINGLEPART | C_Sign |
| LUNA_VERIFY_SINGLEPART | C_Verify |
| LUNA_WRAP_CSP | CA_CloneMofN_Common |
| LUNA_M_OF_N_DUPLICATE | CA_DuplicateMofN |
| LUNA_ENCRYPT_SINGLEPART | C_Encrypt |
| LUNA_DECRYPT_SINGLEPART | C_Decrypt |
Per-Key Authorization
| HSM Event | Description |
|---|---|
| LUNA_AUTHORIZE_KEY | CA_AuthorizeKey |
| LUNA_SET_AUTHORIZATION_DATA | CA_SetAuthorizationData |
| LUNA_RESET_AUTHORIZATION_DATA | CA_ResetAuthorizationData |
| LUNA_ASSIGN_KEY | CA_AssignKey |
| LUNA_INCREMENT_FAILED_AUTH_COUNT | CA_IncrementFailedAuthCount |
Audit Log Management
| HSM Event | Description |
|---|---|
| LUNA_LOG_SET_TIME | CA_TimeSync |
| LUNA_LOG_GET_TIME | CA_GetTime |
| LUNA_LOG_SET_CONFIG | CA_LogSetConfig. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
| LUNA_LOG_GET_CONFIG | CA_LogGetConfig. This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). |
| LUNA_LOG_VERIFY | CA_LogVerify |
| LUNA_CREATE_AUDIT_CONTAINER ** | CA_InitAudit. The event is logged unconditionally. |
| LUNA_LOG_IMPORT_SECRET | CA_LogImportSecret |
| LUNA_LOG_EXPORT_SECRET | CA_LogExportSecret |