...
- Within ONAP, both containers and infrastructure generate raw data that is relevant to security.
- Containers (xNFs)
- Infrastructure (Docker and K8S)
- There is a set of logs that both Docker and K8S generate that relate to security monitoring.
- That is documented here: https://wiki.onap.org/download/attachments/103419713/Logging%20-%20ATTACK%20to%20SECCOM_v3.pptx?version=1&modificationDate=1622560207000&api=v2
Proposed Security Event Generation Requirements
[CON-LOG-REQ-1] The container and container application MUST log successful and unsuccessful authentication attempts, e.g., authentication associated with a transaction, authentication to create a session, authentication to assume elevated privilege. [Reference: R-54520]
[CON-LOG-REQ-2] The container and container application MUST log logoffs. [Reference: R-55478]
[CON-LOG-REQ-3] The container and container application MUST log starting and stopping of security logging. [Reference: R-13344]
[CON-LOG-REQ-4] The container and container application MUST log successful and unsuccessful creation, removal, or change to the inherent privilege level of users. [Reference: R-07617]
[CON-LOG-REQ-5] The container and container application MUST log connections to the network listeners of the container. [Reference: R-94525]
[CON-LOG-REQ-6] The container and container application MUST log the addition and deletion of files in the container.
Proposed Required Metadata for Security Events
[CON-LOG-REQ-7] The container and container application MUST log the field “date/time” in the security audit logs. [Reference: R-97445]
[CON-LOG-REQ-8] The container and container application MUST log the field “protocol” in the security audit logs. [Reference: R-25547]
[CON-LOG-REQ-9] The container and container application MUST log the field “service or program used for access” in the security audit logs. [Reference: R-06413]
[CON-LOG-REQ-10] The container and container application MUST log the field “success/failure” in the security audit logs. [Reference: R-15325]
[CON-LOG-REQ-11] The container and container application MUST log the field “Login ID” in the security audit logs. [Reference: R-89474]
[CON-LOG-REQ-19] The container MUST be capable of automatically synchronizing the system clock daily with the Operator’s trusted time source, to assure accurate time reporting in log files. It is recommended that Coordinated Universal Time (UTC) be used where possible to eliminate ambiguity owing to daylight saving time. [Reference: R-629534]
Tagging
Muddasar put your thoughts here
...
- There is currently a SECCOM proposal that specifies what type of data should be logged and where it should be logged to.
- How these logs would be collected and aggregated is specified by the ONAP NextGen Presentation by Byung.
- ONAP Next Generation Security & Logging Architecture#ONAPLogging
- Old presentation slide deck (see the link above for the latest version): https://wiki.onap.org/download/attachments/103416997/ONAP-Next-Generation-Security-Logging-2021-5-25-v1.pptx?version=1&modificationDate=1621953519000&api=v2
Proposed Collection of Container Logs
[CON-LOG-REQ-13] The container MUST have security logging for the container and container application active from initialization. [Reference: R-84160]
[CON-LOG-REQ-20] The container and container application MUST write security logs to STDOUT for collection. [Reference: REQ-374]
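The following is an added example, not ONAP project code, showing one way a container application could satisfy the metadata requirements (CON-LOG-REQ-7 to 11), the UTC recommendation (CON-LOG-REQ-19) and STDOUT collection (CON-LOG-REQ-20) together: every security event is emitted as one JSON line to STDOUT and rejected if a required field is missing. The JSON field names and the sample service name are assumptions, since the requirements name the fields but do not fix a schema.

```python
import json
import sys
from datetime import datetime, timezone

# Assumed field names for the metadata required by CON-LOG-REQ-7..11.
REQUIRED_FIELDS = ("timestamp", "protocol", "service", "outcome", "login_id")


def make_security_event(event_type, protocol, service, success, login_id, **extra):
    """Build one security audit record: date/time in UTC (CON-LOG-REQ-7/19),
    protocol (REQ-8), service or program used for access (REQ-9),
    success/failure (REQ-10) and Login ID (REQ-11)."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
        "event_type": event_type,  # e.g. "authentication", "logoff", "privilege_change"
        "protocol": protocol,
        "service": service,
        "outcome": "success" if success else "failure",
        "login_id": login_id,
    }
    record.update(extra)  # optional context such as a source address
    return record


def missing_required_fields(record):
    """Return the required metadata fields that are absent or empty, in order."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def format_line(record):
    """Serialize a record as a single JSON line so log collectors can parse it."""
    return json.dumps(record, sort_keys=True)


def emit(record, stream=sys.stdout):
    """Write the record to STDOUT (CON-LOG-REQ-20); refuse incomplete records
    so that a schema gap is caught at the source rather than in the SIEM."""
    missing = missing_required_fields(record)
    if missing:
        raise ValueError(f"security event missing required fields: {missing}")
    stream.write(format_line(record) + "\n")
    stream.flush()
    return record


if __name__ == "__main__":
    # Constructed sample events; "sdc-be" and the address are placeholders.
    emit(make_security_event("authentication", "HTTPS", "sdc-be", False,
                             "demo-user", source_ip="10.0.0.5"))
    emit(make_security_event("logoff", "HTTPS", "sdc-be", True, "demo-user"))
```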
Data Stewardship
What is the data life cycle within ONAP?
...