This is a working document.
The below matrix is a representation of the log management categories (lifecycle) in relation to the two categories of run-time logs (logs of ONAP events, logs of events from services orchestrated by ONAP).
Team Members
- Amy Zwarico
- Robert Heinemann
- Muddasar Ahmed
- rouzaut
- Byung-Woo Jun
- Brian Smith (Unlicensed)
- s.silvius
- PUT YOUR NAME HERE
...
- Review Requirements list Amy put together
- Muddasar to provide links to NIST security logging standards:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf
- Fabian: Initial investigation of ONAP responding to security events.
- Bob to provide Orchestration logging events
- Log Template as suggested by Chakir on Tuesday call ( Apache 2 log template as an example. Can we review work from Logging enhancement project?
...
| ID | Type | Field Name | Description | Reference | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
CON-SEC-LOG-01
| REQUIRED | Date and Time | The container and container application MUST log the field “date/time” in the security audit logs. The value should be represented in UTC and formatted per ISO 8601, such as “2015-06-03T13:21:58+00:00”. The time should be shown with the maximum resolution available to the logging component (e.g., milliseconds, microseconds) by including the appropriate number of decimal digits. For example, when millisecond precision is available, the date-time value would be presented as, as “2015-06-03T13:21:58.340+00:00”. | |||||||||
CON-LOG-REQ-8 | REQUIRED | Protocol | The container and container application MUST log the field “protocol” in the security audit logs. This refers to the communication mechanism for a request. The value of this field should be representative of the OSI application layer protocol. This is represented as a decimal formatted TCP/IP port number. | |||||||||
CON-LOG-REQ-9 | REQUIRED | Service / Program Name | The container and container application MUST log the field “service or program used for access” in the security audit logs. This intention is to capture the service name endpoint or an externally advertised API invoked, e.g., where are you connecting to. This is represented as a URI or URL. | (4) | ||||||||
CON-LOG-REQ-10 | REQUIRED | Status Code | The container and container application MUST log a "status code" in the security audit logs. This field indicates the high level status for transactional or sub operational events. It must be one of the following values:
| (4) | ||||||||
| CON-LOG-REQ-11 | REQUIRED | Principal ID | The container and container application MUST log the Principal identity of a requestor in the security audit logs. This field should contain the identification name of the client application (user agent, client id, user, user id, login ID, non-person entity (NPE), Token, etc.) of the entity accessing or invoking the service or API (Service / Program Name). This field should contain the identification of the entity (user agent, client id, user, user id, login ID, non-person entity (NPE), Token, etc.) that made the request of the service or API indicated in the Service/Program Name field. For a serving API that is authenticating the request, this should be the authenticated username or equivalent. There are not a concrete set of values for this field. The developer should keep the following set of guidelines when determining what value to use or set for this field.
REF: See PartnerName in v1.3 and (4). | |||||||||
| CON-LOG-REQ-MP12 | REQUIRED |
Role / Attribute ID | The container and container application MUST log the Role or Attribute ID of the Principal identity of the entity accessing the requested service or API. Note: The group ID is in reference to a Role or Attribute as part of a RBAC or ABAC scheme. RLH: I recommend we change this field name to Role/Attribute name as there may be potential for confusion since Group ID is overloaded term. | N/A | ||||||||
| CON-LOG-REQ- | MP01Do we need all three of these container fields. Seems redundant. Wouldn'tMP03 | Container Image Hash | Suffice?Container ID | Container ID; unique for life time of the system, for the instance, once container is killed, this ID goes away | CON-LOG-REQ-MP02 | Container Name | Container Name; unique name of the image ( webserver, FW, DCAE01) | CON-LOG-REQ-MP03 | Container Image Hash | Container Image Name (Hash); Image name and Hash ( container lifecycle events | ||
| CON-LOG-REQ-MP04 | REQUIRED | Log Level | The container and container application MUST use an appropriately configured logging level that can be changed dynamically. The intention of this field is to not cause performance degradation via excessive logging. The value of this field should be on of the following: "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" The verbosity of the logging increases from left to right. How do we synchronize these levels across projects and what the logging API they are using? | (4) | ||||||||
| CON-SEC-LOG-11 | REQUIRED | Severity | The container and container application MUST log the severity level of a processing event. This is to be used for error reporting in internal processing in conjunction with the status code field. The value of this field MUST Image Name (Hash); Image name and Hash ( container lifecycle events | |||||||||
| CON-LOG-REQ-MP11 | Image ID Image Hash | The container MUST log the image ID and layer hash Upon review I was uncertain on what this recommendation was. Going to the references to the right there is nothing about an Image ID. I believe this to be a duplicate of Container Image Hash. Recommend to remove. | T1036, T1525 | |||||||||
| CON-LOG-REQ-MP01 | Container ID | The container Container ID; unique for life time of the system, for the instance, once container is killed, this ID goes away | ||||||||||
| CON-LOG-REQ-MP02 | Container Name | Container Name; unique name of the image ( webserver, FW, DCAE01) | ||||||||||
| CON-LOG-REQ-MP04 | REQUIRED | Log Level | The container and container application MUST use an appropriately configured logging level that can be changed dynamically. The intention of this field is to not cause performance degradation via excessive logging. The value of this field should be on of the following: | {" | NONEFATAL", " | MINORERROR", " | MAJORWARN", " | CRITICIAL"} Optional: 0, 1, 2, 3 see Nagios monitoring/alerting for specifics/details.INFO", "DEBUG", "TRACE" The verbosity of the logging increases from left to right. How do we synchronize these levels across projects and what the logging API they are using? | (4) | |||
| CON-SEC-LOG-REQ-MP11
| REQUIRED | Severity | The container and container application MUST log the image ID and layer hash Upon review I was uncertain on what this recommendation was. Going to the references to the right there is nothing about an Image ID. I believe this to be a duplicate of Container Image Hash. Recommend to remove. severity level of a processing event. This is to be used for error reporting in internal processing in conjunction with the status code field. The value of this field MUST be on of the following: {"NONE", "MINOR", "MAJOR", "CRITICIAL"} Optional: 0, 1, 2, 3 see Nagios monitoring/alerting for specifics/details. | (4) | ||||||||
| CON-LOG-REQ-MP13 | REQUIRED | RequestID | The container and container application MUST log RequestID A requestID is a universally unique value that identifies a single transaction request within the ONAP platform. Its value is conformant to RFC4122 UUID. This value is readily and easily obtained in most programming environments. The requestID value is passed using a REST API from one ONAP component to another. See (4) for extensive detail on this field. | (4) |
...