Versions Compared

Old Version 94

changes.mady.by.user Robert Heinemann

Saved on

compared with

New Version 95

changes.mady.by.user Robert Heinemann

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This is a working document.

The below matrix is a representation of the log management categories (lifecycle) in relation to the two categories of run-time logs (logs of ONAP events, logs of events from services orchestrated by ONAP).

Team Members

...

  • Review Requirements list Amy put together
  • Muddasar to provide links to NIST security logging standards: 

    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf

  • Fabian: Initial investigation of ONAP responding to security events.
  • Bob to provide Orchestration logging events
  • Log Template as suggested by Chakir on Tuesday call ( Apache 2 log template as an example.  Can we review work from Logging enhancement project?

...

IDTypeDescriptionReference

CON-LOG-REQ-1 

REQUIREDThe container and container application MUST log successful and unsuccessful authentication attempts, e.g., authentication associated with a transaction, authentication to create a session, authentication to assume elevated privilege.R-54520

CON-LOG-REQ-2 


The container and container application MUST log logoffs.R-55478

CON-LOG-REQ-3 


The container and container application MUST log starting and stopping of security logging.R-13344

CON-LOG-REQ-4 


The container and container application MUST log success and unsuccessful creation, removal, or change to the inherent privilege level of users.R-07617

CON-LOG-REQ-5 


The container and container application MUST log connections to the network listeners of the container. R-94525
CON-LOG-REQ-6
The container and container application MUST log the addition, deletion or modification of files in the container.
CON-LOG-REQ-MP05
The container MUST log lifecycle events
CON-LOG-REQ-MP07
Container administration services activities and executed commands MUST be logged.  (e.g., Build requests, Runtime commands) (Available in docker Daemon Logs)T1609, T1612
CON-LOG-REQ-MP08
The container MUST log API calls (such as: syscalls, those that deploy containers, Discovery API). (Available in docker daemon log).T1610, T1204, T1611, T1068, T1552, T1613, T1525
CON-LOG-REQ-MP09
The container MUST log creation of scheduled jobs in containers. ( Available at the K8S level)T1053
CON-LOG-REQ-MP10
Image registry events MUST be logged (e.g., additions)T1204
CON-LOG-REQ-MP06
Log anonymous requests





Steps for approval: POC → Best Practice → Global Requirement

Metadata for Security Events (Proposed)

...

Security Log Structure

Date / Time

Log Level

Transaction ID

Status Code

Severity

Container Data

Protocol

Service / Program Name

Log Message

Image Tag / Name

Image Digest

ID

Name

Principal ID

Role / Attribute ID

PUT LOG EXAMPLE HERE

Host or Endpoint ID?  Multiple attributes needed or single?

What information should the developer should provide or should be provided for them?

What is the information the coder needs to provide to the library?

The library needs to generate the missing data (log helper)

What fields are generated dynamically by the logging helper vs what fields are provided by the developer?

Add Payload (Message) field to diagram

Minimum fields updated by developer.  (Log Level, Transaction ID, Status Code, Severity, Message)

Provided by logging service( ? ); ONAP Has a logging framework; 

HIGH LEVEL STEPS

POC → Best Practice → Global Requirement

Table

NOTE:
  • Grey boxes indicate that a (yet to be determined) container logger function / service will provide.  
  • White boxes indicate the developer of a container or container application will provide.

Example:

From Fabian: 

2021-09-10T14:50:37.929Z|d855a2c6-c58f-4d8d-b199-3382d11504d2|http-nio-8083-exec-5|/manage/health|kube-probe/1.19|||DEBUG|500||Headers : X-Content-Type-Options:nos

Security Log Field Definitions

Type Synonyms:

REQUIRED: SHALL OR MUST
RECOMMENDED:  SHOULD
OPTIONAL: MAY

...

IDTypeField NameDescriptionReference

CON-SEC-LOG-01

CON-LOG-REQ-7

REQUIREDDate and Time

The container and container application MUST log the field “date/time” in the security audit logs. 

The value should be represented in UTC and formatted per ISO 8601, such as “2015-06-03T13:21:58+00:00”. The time should be shown with the maximum resolution available to the logging component (e.g., milliseconds, microseconds) by including the appropriate number of decimal digits. For example, when millisecond precision is available, the date-time value would be presented as, as “2015-06-03T13:21:58.340+00:00”.

R-97445

v1.3 Spec

CON-LOG-REQ-MP04REQUIREDLog Level

The container and container application MUST use an appropriately configured logging level that can be changed dynamically.

The intention of this field is to not cause performance degradation via excessive logging. The value of this field should be on of the following:

"FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE"

The verbosity of the logging increases from left to right.

How do we synchronize these levels across projects and what the logging API they are using?

R-28168

(4)

CON-LOG-REQ-MP13REQUIREDRequestID

Transaction IDThe container and container application MUST log RequestID

The container and container application MUST log Transaction ID

A requestID is a universally unique value that identifies a single transaction request within the ONAP platform. Its value is conformant to RFC4122 UUID. This value is readily and easily obtained in most programming environments. The requestID value is passed using a REST API from one ONAP component to another See (4) for extensive detail on this field. 

v1.3 Spec

(4)

CON-LOG-REQ-10

REQUIREDStatus Code

The container and container application MUST log a "status code" in the security audit logs. 

This field indicates the high level status for transactional or sub operational events.  It must be one of the following values:

  • COMPLETE when the request is successful
  • ERROR when there is a failure
  • INPROGRESS for states between the COMPLETE and ERROR.

R-15325

v1.3 Spec

(4)

CON-SEC-LOG-11REQUIREDSeverity

The container and container application MUST log the severity level of a processing event.  

This is to be used for error reporting in internal processing in conjunction with the status code field. 

The value of this field MUST be on of the following:

{"NONE", "MINOR", "MAJOR", "CRITICIAL"} 

Optional: 0, 1, 2, 3 see Nagios monitoring/alerting for specifics/details.

(4)
CON-LOG-REQ-MP03
Container Image Name / Tag

The container and container application MUST log the Container Image Name/Tag.

The image name/tag is as returned by the docker images command.

NOTE:  Images are not required to have tags


CON-LOG-REQ-MP11

Container Image Digest

The container and container application MUST log the container image digest.

The digest is a cryptographic digest as returned by the docker images --digests command.


T1036, T1525
CON-LOG-REQ-MP01

Container ID

The container and container application MUST log the container ID.

The container ID is the same that is returned by the docker ps -q command.

NOTE: The container ID is unique for life time of the the container instance. Once the container is killed, this ID goes away.


CON-LOG-REQ-MP02
Container Name

The container and container application MUST log  the container name.

This is the unique name of the image ( webserver, FW, DCAE01).  This is returned by the docker ps command.


CON-LOG-REQ-11REQUIREDPrincipal ID

The container and container application MUST log the Principal identity of a requestor in the security audit logs. 

This field should contain the identification name of the client application (user agent, client id, user, user id, login ID, non-person entity (NPE), Token,  etc.) of the entity accessing or invoking the service or API (Service / Program Name).

This field should contain the identification of the entity (user agent, client id, user, user id, login ID, non-person entity (NPE), Token,  etc.)  that made the request of the service or API indicated in the Service/Program Name field. For a serving API that is authenticating the request, this should be the authenticated username or equivalent.

There are not a concrete set of values for this field.  The developer should keep the following set of guidelines when determining what value to use or set for this field.

  • Use the short name of your component, e.g. xyzdriver
  • Values should be human-readable. 
  • Values should be fine-grained enough to disambiguate subcomponents where it's likely to matter. This is subjective. 
  • Be consistent: your component should ALWAYS report same value. 

REF: See PartnerName in v1.3 and (4).

R-89474


v1.3 Spec

CON-LOG-REQ-MP12REQUIRED

Group ID

Role / Attribute ID

The container and container application MUST log the Role or Attribute ID of the Principal identity of the entity accessing the requested service or API.

Note: The group ID is in reference to a Role or Attribute as part of a RBAC or ABAC scheme.RLH: I recommend we change this field name to Role/Attribute name as there may be potential for confusion since Group ID is overloaded term. 

N/A

CON-LOG-REQ-8

REQUIREDProtocol

The container and container application MUST log the field “protocol” in the security audit logs.

This refers to the communication mechanism for a request.  The value of this field should be representative of the OSI application layer  protocol. This is represented as a decimal formatted TCP/IP port number.

R-25547

CON-LOG-REQ-9

REQUIREDService / Program Name

The container and container application MUST log the field “service or program used for access” in the security audit logs.

This intention is to capture the service name endpoint or an externally advertised API invoked, e.g., where are you connecting to. This is represented as a URI or URL. 

R-06413

v1.3 Spec


(4)

...