...

• Generation
  • Within ONAP both containers and infrastructure generate raw data that have security concerns.
    • Containers (xNFs)
      • There currently a SECCOM proposal that specify what type of data should be logged where it should be logged to.  In this case STDOUT
        • TODO: List STDOUT REQ NUMBER HERE
      • That is documented here: https://wiki.onap.org/download/attachments/100895473/2021-02-22_LoggingRequirementEvents_v9.pptx?version=1&modificationDate=1619018452000&api=v2
    • Infrastructure (Docker and K8S)
      • There are a set of logs that both Docker and K8S generate that relate to security monitoring.
      •  That is documented here: https://wiki.onap.org/download/attachments/103419713/Logging%20-%20ATTACK%20to%20SECCOM_v3.pptx?version=1&modificationDate=1622560207000&api=v2
• Collection
  • How these logs would be collected and aggregated is specified by the ONAP NextGen Presentation by Byung.
  • ONAP Next Generation Security & Logging Architecture#ONAPLogging  
  • old presentation slide deck (see the above link for the latest on) https://wiki.onap.org/download/attachments/103416997/ONAP-Next-Generation-Security-Logging-2021-5-25-v1.pptx?version=1&modificationDate=1621953519000&api=v2
• Analysis
  • It is expected that this function out of scope for ONAP.  A CSP / MNO will make used of a SIEM.  ONAP's role is to provide a means to export security event data.  This is where analytics are stored and applied to the data the is ingested from ONAP.
  • Presentation by Fabian pertaining to Analysis: ONAP Logs Security Managment1.pptx
• Action
  • If we expect ONAP to respond to security events in a closed loop manner, then there needs to be a way for events generated by the SIEM to be ingested back into ONAP.

Comments from Chakar, paraphrased, (7/20/2021 SECCOM Meeting)

• We need to disambiguate "Logging" vs "Data Collection".
• Logging from ONAP and Logging from xNF are not the same.

Terms

This is place where we can standardize our language.

...