Key Points for Security Recommendations for Log Generation

  • There are many different types of logging formats that have been proposed and informally adopted across ONAP
    • 2017 OpenECOMP Logging Specifications; ONAP Logging Specifications v1.1, v1.2 and v1.3.
    • Many different types of logging libraries: EELF, PyLog, Log4J, logback, FLog, dropwizard-logging, log4js, logkit, clojure logging, jboss-logging, UnderscoreLog. Probably others. (See Nexus Report Here).
  • It is not the place of SECCOM to define a logging format for ONAP Projects to follow.
  • We should stay focused on proposing security-focused logging requirements and recommending that the TSC adopt them as a Best Practice and subsequently as a Global Requirement.
  • When proposing requirements, we should not be dictating implementation details, BUT we should be cognizant of existing implementations and how our proposed requirements will impact those existing implementations.
  • We should strive to reduce impact on existing implementations as much as possible.
  • 10 of the 16 proposed security requirements for log fields already exist in existing logging specifications. This means that for projects that are logging and following one of these specifications, these requirements should not be a heavy lift. So my recommendation is that we just define the requirement and refer back to the existing specifications for field definitions.
  • The remaining proposed security requirements mostly deal with container identification. Projects most likely are not logging this info. For these we need to specify a format and a field description as well as the requirement. In addition, we may need to prototype something by adding something to an MDC that most loggers use.

Results from comparison of existing logging

Security Log Structure

  • Timestamp
  • Log Type
  • Log Level
  • Transaction ID
  • Status Code
  • Severity
  • Container Data
  • Protocol
  • Service / Program Name
  • Log Message
  • Image Tag / Name
  • Image Digest
  • ID
  • Name
  • Principal ID
  • Role / Attribute ID

...