...
These below refer to the ONAP (Application and Infrastructure Columns)
...
Logging Practice
...
Requirements (Proposed)
| ID | Description | Reference |
|---|---|---|
CON-LOG-REQ-19 | The container MUST be capable of automatically synchronizing the system clock daily with the Operator’s trusted time source, to assure accurate time reporting in log files. It is recommended that Coordinated Universal Time (UTC) be used where possible to eliminate ambiguity owing to daylight savings time. | R-629534 |
...
Security Event Generation
...
Requirements (Proposed)
| ID | Description | Reference |
|---|---|---|
CON-LOG-REQ-1 | The container and container application MUST log successful and unsuccessful authentication attempts, e.g., authentication associated with a transaction, authentication to create a session, authentication to assume elevated privilege. | R-54520 |
CON-LOG-REQ-2 | The container and container application MUST log logoffs. | R-55478 |
CON-LOG-REQ-3 | The container and container application MUST log starting and stopping of security logging. | R-13344 |
CON-LOG-REQ-4 | The container and container application MUST log success and unsuccessful creation, removal, or change to the inherent privilege level of users. | R-07617 |
CON-LOG-REQ-5 | The container and container application MUST log connections to the network listeners of the container. | R-94525 |
| CON-LOG-REQ-6 | The container and container application MUST log the addition and deletion of files in the container. | |
| CON-LOG-REQ-MP05 | The container MUST log lifecycle events | |
| CON-LOG-REQ-MP07 | Container administration services actvities and executed commands MUST be logged. (e.g., Build requests, Runtime commands) (Availbel in docker Daemon Logs) | T1609, T1612 |
| CON-LOG-REQ-MP08 | The container MUST log API calls (such as: syscalls, those that deploy containers, Discovery API). (Availabe in docker daemon log). | T1610, T1204, T1611, T1068, T1552, T1613, T1525 |
| CON-LOG-REQ-MP09 | The container MUST log creation of scheduled jobs in containers. ( Available at the K8S level) | T1053 |
| CON-LOG-REQ-MP10 | Image registry events MUST be logged (e.g., additions) | T1204 |
| CON-LOG-REQ-MP06 | Log anonymous requests |
...
Metadata for Security Events (Proposed)
| ID | Description | Reference |
|---|---|---|
| CON-LOG-REQ-7 | The container and container application MUST log the field “date/time” in the security audit logs. | R-97445 |
CON-LOG-REQ-8 | The container and container application MUST log the field “protocol” in the security audit logs. | R-25547 |
CON-LOG-REQ-9 | The container and container application MUST log the field “service or program used for access” in the security audit logs. | R-06413 |
CON-LOG-REQ-10 | The container and container application MUST log the field “success/failure” in the security audit logs. | R-15325 |
| CON-LOG-REQ-11 | The container and container application MUST log the field “Login ID” in the security audit logs. | R-89474 |
| CON-LOG-REQ-MP01 | LFLD: Container ID | |
| CON-LOG-REQ-MP02 | LFLD: Container Name | |
| CON-LOG-REQ-MP03 | LFLD: Container Image Name (Hash) | |
| CON-LOG-REQ-MP04 | LFLD: Logging Level | |
| CON-LOG-REQ-MP11 | The container MUST log the image ID and layer hash | T1036, T1525 |
| CON-LOG-REQ-MP12 | Log User Group ID | |
| CON-LOG-REQ-MP13 | To support flow tracking across ONAP components a container MUST log RequestID, InvocationID and InstanceID. These items are defined as MDC # 4,5, and 6 respectively in the Logging Project Spec v1.3 MDC table1. | |
...