Please find below the minutes of meeting and the recording for the SECCOM meeting that was held on 10th of November 2020.

Jira No | Summary | Description | Status | Solution

Secrets management

Status: ongoing

Solution:

Script must be written to collect requested information on secrets used.

Looking at CII Badging answers in this area.

ONAP security requirements was also covering this area (master keys).

Krzysztof to be contacted as Samsung team worked on this topic in the past.

Amy to check Sonatype outputs in this area.

Flow matrix

Discussion point: Natacha initiated a Wiki page: Flow matrix guidelines

Status: ongoing

Guilin version highlights
  1. Packages upgrades progress
  2. Java (v8 → 11) and Python (v2.7 → v3.6) migrations
  3. Progress in packages not running as root - decrease
  4. Migrations to https as default best practice

Status: ongoing

Solution: Ideas to be further shared by SECCOM team.

SECCOM requirement for ONAP maintenance release

"Any critical, severe or high vulnerability found in the code written by the project team MUST be fixed within 60 days or prior to the inclusion of the project in a new release, whichever occurs first"

Status: done

Solution: No specific comments received from SECCOM.

Harbor integration follow-up

Errors with demo server experienced by Jess.

Status: ongoing

Solution: To be further checked on Harbor with exchanges between Fabian and Samuli.

Whitesource configuration to

Do we recommend running Whitesource next to Nexus-IQ? We have to choose one. We might want to evaluate both in the Honolulu time frame to recommend the final one. One of the criteria could be the possibility to export CVEs into an Excel file.

Status: ongoing

Solution: We recommend a trial period running both tools, to compare them and recommend the ultimate one.

Java and Python latest scans

There is a build-time test that checks the images to see if they have a Python 2 interpreter (115 images vs. 61 with Python 3) or a Java 8 runtime (63 vs. 55 with Java 11) included in the image. We still have lots of components that have those in their image.

Amy had exchanges with Pawel W. 

Scripts updates are needed.

Base images would not use

Wiki to be used for results posting - David to be contacted by Amy.

E-mail to be sent to onap-discuss on that by Amy.  

Honolulu non-functional requirements

SECCOM requirement provided after the deadline (16th of October):

  • SIEM integration (REQ-464):
    • integration with SIEM like for the other applications, using the same protocol
    • logs from ONAP to SIEM; the falco tool to be considered (IDS for Kubernetes)
    • alarms when a security issue occurs

Status: done

Solution:

Prioritization will be done by TSC.

With Fabian we made a SIEM requirement.  


SECCOM requirements for Honolulu

Commitments are expected from the companies to provide resources to support the requirements, otherwise all of the requirements are no-go for the moment. Discussion with Andreas and commitment on Michal's support for Python upgrades.

For CII Badging, work with the integration team to have scripts that would validate.

Status: ongoing

Solution:

Amy waiting for a feedback from Catherine on the actions on our side to perform packages upgrades.



Harbor update
  1. Harbor is a reference solution of a container registry for ONAP SW: Harbor is verified along with ONAP SW test cases, and ONAP also provides a reference configuration of Harbor.
    But Harbor itself is not part of ONAP release / deliverables.
  2. In addition to the items in option 1: Harbor is part of the ONAP release, it is packaged as one of the ONAP deliverables along with a reference configuration.

2 ways of Harbor onboarding: run and development. More information about the job and key requirements is needed. In the dev phase Nexus-IQ will be kept.

Signing of code releases by LFN. Fabian considers Notary for that.

Status: ongoing

Secrets management update

Different types of secrets exist in ONAP:

  1. Passwords to databases - they can not be replaced with the service mesh
  2. Certificates - used to be hardcoded
  3. Passwords used for communication between ONAP services
  4. Passwords related to user management
  5. Passwords related to external systems (like for OpenStack)

For every category above a different solution should apply:

Ad 1: common secrets templates; 3-5 components still need to be updated, like etcd and Cassandra.

Ad 2: Cert initializer for https as a starting point, new backend considered apart from Certman (from AAF) like Certificate Manager from upstream.

Fabian manages certificates with reverse proxy, as Bell Canada does.

ONAP components are not yet ready for Ingress.

Ad 3: service mesh solution with proper access rights or any other security framework.

Ad 4: authentication in ingress, passwords externalized to keycloak.

Ad 5: for now they should be placed in secrets; in the long term a secret store will be needed. Fabian proposed to keep secrets in Vault but outside of Kubernetes, but then how to access it? The secret zero problem exists.




Flow matrix

Fabian had a meeting with Sebastien.

Status: ongoing

Guilin version highlights
  1. Packages upgrades progress
  2. Java (v8 → 11) and Python (v2.7 → v3.6) migrations
  3. Progress in packages not running as root - decrease
  4. Migrations to https as default best practice

Status: ongoing

Solution: Information was shared with David and Catherine.

CII Badging requirements

Description part was updated by Tony.

Status: done

OOM tests

Weak ciphers could be tested.

Solution: To be followed up with the OOM team - Amy and Tony to discuss together.


CII Dashboard

3 projects are silver now; one of those (VVP) is at 65% of gold, 2 others are at 57% of gold (Policy and AAF), and CLAMP is 96% silver and over 40% gold.

Status: ongoing

Progress

to be

was shared with the next PTLs call.

Status: ongoing


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 17th OF NOVEMBER'20. 





Recording: 2020-0311-10_SECCOM_week_Trim.mp4

SECCOM presentation: 2020-11-10 ONAP Security Meeting - AgendaAndMinutes.pptx