Page History

...

Log PoC results presentation by Andrew (andrew.a.lamb@est.tec).

Fluentbit sends logs to Elasticsearch and Kibana retrieves it from there.

Last 2 slides reviewed again by Muddasar:

What PTLs consider as technical debt?

Summary	Description	Status	Solution
Synch with OOM	Security dashboard at 60%: https://logs.onap.org/onap-integration/daily/onap-daily-dt-oom-master/2022-06/07_07-48/ and Versions reporting at 57%: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2022-05/20_21-56/ latest run by Michal for the weekend	ongoing
Python upgrades	DCAE removed Filebeat containers (they were running Python 2).
ONAP Kohn recommended versions	https://wiki.onap.org/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions	done	About the requirement: [REQ-1072] SECURITY LOGS FIELDS – full PoC with CPS in Kohn and then GR candidate for London.
LFN Developer & Testing Forum	Event June 13th-16th Porto, Portugal Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/	started
	SECCOM topics proposal: SECCOM retrospectives: Log4j fix implementation in Istanbul Maintenance Release Jakarta security status update Kohn security goals : Global Requirements and Best Practices Security PoCs: logging req code quality service mesh SBOM enablement and maintenance, and packaging Waiver policy update Unmaintained projects joint meeting with Amy, Thomas and Andreas, Chaker and Byung. On the road to gold badge - Tony and Toine - potential issue with remote participation for Tony. Operator perspective on ONAP security – Amy, Andreas? Brian? Fabian? Security principles in the implementation – Tony, Maggie - work in progress, risk to deliver for one of next conference.	started	Remaining topic proposals to be submitted. Brian to share what kind of security due diligence is performed by BellCanada. ONAP is used for 5G slicing orchestration. Fabian to check if could contribute on how qualify software to be deployed, what due diligence was performed. Follow-up with Kenny to be done.	SBOM	Jess to reach out LFN IT developer.	ongoing	Notary v2 vs. Cosign	cathegories to be covered: software, documentation nad SBOM. Waiting for a feedback from Alex.	SECCOM requirement to be formed starting with software.	Last TSC meeting	Positive feedback from TSC on unmaintained projects	Technical debt
5G Superblueprint involvement	Security Interest Group for security as a code. Concept mandatory to support and optional to use. Let’s start with NIST document: https://csrc.nist.gov/publications/detail/sp/1800-33/draft		Muddasar to share template and keep SECCOM posted.
Whitesource (mend.io) container scans	New ticket submitted to LFN IT: IT-24112
Technical debt	Muddasar reviewed jira tickets of DCAE and AAI.
Service Mesh	With Service Mesh AAF and MSB could be disabled.		Pawel to reach out Toine.
TSC update	Service mesh PoC – Andreas shared the status, HTTPs to be transfromed to either HTTP or gRPC within the container, proxy takes care of secure communication. Jakarta sign-off pushed to 9th of June, M2 date still to be confirmed by TSC.
Conditional check for HTTP and Service Mesh			Pawel to check with Michal.
SBOM	Jess to reach out LFN IT developer later this week. SBOM is the fundamental gear. Ranny is already in the loop. We need to advocate on SBOM	ongoing	Escalation with LFN Governing Board? Ranny to be contacted? Cost to be retrieved from Jess by Muddasar.
Logging PoC	https://gerrit.nordix.org/c/onap/oom/+/13370	started	Reviewing technical debt related Jira items in projects backlog. Muddasar to review backlogs per project. One slide to be prepared and then shared with PTLs and architecture subcommitee.
SECCOM MEETING CALL WILL BE HELD ON 7th 21st OF June'22.

Recording:

View file

name	2022-06-07_SECCOM_week.mp4
height	150

SECCOM presentation:

View file

name	2022-06-07 ONAP Security Meeting - AgendaAndMinutes.pptx
height	150

Space shortcuts

Page tree

Versions Compared

Old Version 1

New Version Current

Key