...
Security Event Generation Requirements (Proposed)
REQUIRED, RECOMMENDED and OPTIONAL
| ID | Type | Description | Reference |
|---|---|---|---|
CON-LOG-REQ-1 | REQUIRED | The container and container application MUST log successful and unsuccessful authentication attempts, e.g., authentication associated with a transaction, authentication to create a session, authentication to assume elevated privilege. | R-54520 |
CON-LOG-REQ-2 | The container and container application MUST log logoffs. | R-55478 | |
CON-LOG-REQ-3 | The container and container application MUST log starting and stopping of security logging. | R-13344 | |
CON-LOG-REQ-4 | The container and container application MUST log success and unsuccessful creation, removal, or change to the inherent privilege level of users. | R-07617 | |
CON-LOG-REQ-5 | The container and container application MUST log connections to the network listeners of the container. | R-94525 | |
| CON-LOG-REQ-6 | The container and container application MUST log the addition and deletion of files in the container. | ||
| CON-LOG-REQ-MP05 | The container MUST log lifecycle events | ||
| CON-LOG-REQ-MP07 | Container administration services actvities and executed commands MUST be logged. (e.g., Build requests, Runtime commands) (Availbel in docker Daemon Logs) | T1609, T1612 | |
| CON-LOG-REQ-MP08 | The container MUST log API calls (such as: syscalls, those that deploy containers, Discovery API). (Availabe in docker daemon log). | T1610, T1204, T1611, T1068, T1552, T1613, T1525 | |
| CON-LOG-REQ-MP09 | The container MUST log creation of scheduled jobs in containers. ( Available at the K8S level) | T1053 | |
| CON-LOG-REQ-MP10 | Image registry events MUST be logged (e.g., additions) | T1204 | |
| CON-LOG-REQ-MP06 | Log anonymous requests | ||
...
Metadata for Security Events (Proposed)
REQUIRED, RECOMMENDED and OPTIONAL
| ID | Type | Description | Reference |
|---|---|---|---|
| CON-LOG-REQ-7 | The container and container application MUST log the field “date/time” in the security audit logs. | R-97445 | |
CON-LOG-REQ-8 | The container and container application MUST log the field “protocol” in the security audit logs. | R-25547 | |
CON-LOG-REQ-9 | The container and container application MUST log the field “service or program used for access” in the security audit logs. | R-06413 | |
CON-LOG-REQ-10 | The container and container application MUST log the field “success/failure” in the security audit logs. | R-15325 | |
| CON-LOG-REQ-11 | The container and container application MUST log the field “Login ID” in the security audit logs. | R-89474 | |
| CON-LOG-REQ-MP01 | LFLD: Container ID | ||
| CON-LOG-REQ-MP02 | LFLD: Container Name | ||
| CON-LOG-REQ-MP03 | LFLD: Container Image Name (Hash) | ||
| CON-LOG-REQ-MP04 | LFLD: Logging Level | ||
| CON-LOG-REQ-MP11 | The container MUST log the image ID and layer hash | T1036, T1525 | |
| CON-LOG-REQ-MP12 | Log User Group ID | ||
| CON-LOG-REQ-MP13 | To support flow tracking across ONAP components a container MUST log RequestID, InvocationID and InstanceID. These items are defined as MDC # 4,5, and 6 respectively in the Logging Project Spec v1.3 MDC table1. | ||
...