Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 17th of March 2020.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| AAF status | John (new PTL) joins PTLs meetings and he is learning on how AAF works. AAF was not the best documented project. We havre to be realistic. It takes longer to get answers from the AAF team. John has a bit less time to work on AAF than Jonathan had. AAF some features could be replaced with service mesh. AAF is still targeted for user store. (where you maintain your privileges) as we have to have a policy information point. But in terms of being policy enforcement point, there are solutions like service mesh. For the moment we are not aware of somebody working on integratuion of AAF and service mesh. | |||
| New zoom for SECCOM | There is a cjhance that we might get a new zoom bridge to avoid overlapping with Architecture Subcommittee. | LFN acquired a news zoom bridge. | ||
| Common topics with Architecture Subcommittee | Implementation of service mesh as an alternative for AAF in the domain of policy enforcement point. Logging opensource alternatives. Guidance from TSC and technical subcommittees is needed + core team to drive the implementation. | Fabian and Natacha plan to investigate service mesh alternative . Dedicated meeting for brainstorming under organization on Friday 20th of March on 4 PM CET: Join Webex meeting | ||
| Guilin SECCOM priorities - review -of new proposals | Increase the number of CIS Docker Benchmark checks in the Integration healthchecks. New tests proposal with the Integration team. 3 sections interesting from CIS docker benchmark: -ensure that only trusted base images are used (section 4.2). -ensure that healthccheck instructions have been added to container images (section 4.6) -ensure that docker images in ONAP have removed setuid and setgid Requirements shall be testable and additionally it is very good to ensure that the Integration team includes those tests in ONAP CI. Logs Management Format of logs is not unified - we need to have a centralized monitoring. Stdout should be used by applications in the container first. In general logging is very poor in ONAP. We need to get buyin from Architecture and PTLs. MVP to be identified. Cloudnative initiative might be in correlation. | Amy will post info on new tests proposal on the Wiki and share the link with SECCOM. Short slot with the Integration team for their feedback to be organized by Amy. In comments for REQ-2xx link to Wiki to be provided. Next time Fabian will share docker run commands to nesure that specific capabilities are not allowed. Amy will check with AT&T projects. To check with OOM how we could use CNCF project outputs. | ||
| CII Badging - feedback from recent PTL meeting | Tony summarized rrequirements for assurance cases - security document. REQ-223 Tony requested to work on 2 items:
| Unfortunatelu Tony lost his recent update for this requirement and will update it once again. | ||
| SECCOM chair and vice chair elections | Confirm that the correct voting member for your company is on the Security Sub-committee Members list | Still waiting for Kenny's feedback | Kenny was asked again at the PTLS call to provide his feedback - he promissed to respond. | |
| OJSIs update by Krzysztof | We are progressing in a very good direction. The most important are the issue with CVE assigned - most of them are resolved - just 3 of them in progress (1 SDNC - in worst case admin port will be disabled and 2 APPC - to be followed with Taka). | OJSI Tickets Status | ||
| How do we treat projects that are out of release scope? | Fixing OJSIs tickets is it enough? For MSB case as there is no new development - but there is a maintenance. | TSC recommendation is needed. We should identify minimum basline with checklist of security items/best practices that we expect to be met by projects to assess maturity of each component.:
| ||
| Guilin SECCOM priorities - review - to be done for red items next week | P1: -Updates of the languages (java from v8 -> 11 and Python 2.7 -> to 3.x) – Interns from LFN could be gained -Updates of directly dependent software components (Here we are thinking about benefiting from LFN Interns that could support projects in their packages upgrades, in addition the new version of Nexus-IQ is able to display components with direct and indirect dependencies, we should define priorities, release manager should help in coordination between projects) -Automated security testing – containers not running as root – SDNC example -Increase the number of CIS Docker Benchmark checks in the Integration healthchecks. P2: -Secrets management -No root access to the DB from main application container Currently we have some pods (i.e. OOF) that require root access to their mariadb-galera instance for main application to work. This is obviously a security issue. Each application should have its own DB account that allows to access only its own DB. -All config files inside the main container should be ReadOnly There are some weird design like in APPC where main container modifies properties provided by the user at runtime. I believe that application configuration should be read only. P3: -Increase of code coverage (to be honest in Frankfurt release it seems that not that much happened – I am not sure if each project proposed % feasible for them and followed the actions to achieve this -CII badging P4: -High Priority SECCOM initiative: service mesh recommendation -SECCOM initiative: OJSIs to be solved -SECCOM initiative: https communication User access management ONAP MVP Flow management Logs management We shall continue efforts for projects ongoin e.g. connectivity matrix, VNF Security requirments, CMPv2 etc. | List was already presented to PTLs, no specific feedback. Next to be presented to TSC. | . Efforts on service mesh to be continued to have a real alternative to AAF which is failing as of today. We hope AAF would be better with new PTL John but service mesh alernative should be explored with: certificates, mTLS, sidecar. | |
| Different zoom bridge to avoid influence of Architecture Subcommittee starting their meeting. | LFN to be contacted. | |||
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 17TH OF MARCH'20 |
