This is a working document.

The below matrix is a representation of the log management categories (lifecycle) in relation to the two categories of run-time logs (logs of ONAP events, logs of events from services orchestrated by ONAP).

Team Members

...

  • Review Requirements list Amy put together
  • Muddasar to provide links to NIST security logging standards: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf

  • Fabian: Initial investigation of ONAP responding to security events.
  • Bob to provide Orchestration logging events
  • Log template as suggested by Chakir on the Tuesday call (Apache 2 log template as an example). Can we review work from the Logging Enhancement project?

...

Logging Practice Requirements (Proposed)

Security Logging Best Practice

ID | Type | Description | Reference
CON-LOG-REQ-19 | REQUIRED | Sync time source. The container MUST be capable of automatically synchronizing the system clock daily with the Operator's trusted time source, to assure accurate time reporting in log files. It is recommended that Coordinated Universal Time (UTC) be used where possible to eliminate ambiguity owing to daylight saving time. | R-629534
CON-LOG-REQ-20 | REQUIRED | The container and container application MUST use STDOUT for security log collection. | REQ-374
CON-LOG-REQ-F1 | REQUIRED | Using systems and applications with native logging functionality is essential. This function MUST be taken into account during any design and development process. |
CON-LOG-REQ-F6 | REQUIRED | The container application SHALL contextualize events (log enrichment), e.g. timestamp, IP address that generated the log, user concerned, functionality concerned, application error and its details, all access to a resource, application success, etc. |
CON-LOG-REQ-13 | REQUIRED | The container MUST have security logging for the container and container application active from initialization. | R-84160
CON-LOG-REQ-15 | REQUIRED | The container MUST detect when its security audit log storage medium is approaching capacity (configurable threshold) and issue an alarm. | R-63330
CON-LOG-REQ-F9 | REQUIRED | An event log rotation policy MUST be formalized and implemented on all logging system equipment. |
CON-LOG-REQ-18 | REQUIRED | The container MUST support the storage of security audit logs for a configurable period of time. | R-54816
CON-LOG-REQ-16 | REQUIRED | The container MUST support the capability of online storage of security audit logs. | R-41252
CON-LOG-REQ-F8 | REQUIRED | A disk partition MUST be dedicated to storing event logs on the equipment that generates them. |
CON-LOG-REQ-F7 | REQUIRED | Logs MUST be automatically exported to a different physical machine than the one that generated them. |
CON-LOG-REQ-F2 | REQUIRED | It is recommended that no processing MUST be performed on the logs before they are transferred (no classification: it is not the behaviour of an application to define the categories of an event). Note: this needs to be converted into a requirement. |
CON-LOG-REQ-F5 | RECOMMENDED | It is recommended that the container application SHOULD adopt a tree structure for the storage of event logs. |
CON-LOG-REQ-14 | REQUIRED | The container MUST protect all security audit logs by standard operating system access control mechanisms, by sending them to a remote system, or by encryption. | R-56920
CON-LOG-REQ-F4 / CON-LOG-REQ-F10 | REQUIRED | Access to logs MUST be write-restricted to a limited number of accounts with a need to know. |
CON-LOG-REQ-21 | RECOMMENDED | The container SHOULD provide the capability of maintaining the integrity of its static files using a cryptographic method. (Fabian) Propose to remove because this is a hardening requirement, not a logging requirement. (Bob) Instead of removing, this is now in the Best Practices category and we can make it a recommendation. | R-465236
CON-LOG-REQ-12 / CON-LOG-REQ-XX | REQUIRED | The container and container application MUST NOT include an authentication credential, e.g. password, in the security audit logs, even if encrypted. The container and container application MUST NOT include sensitive information in the log. | R-04982
CON-LOG-REQ-17 | REQUIRED | The container MUST generate security audit logs that can be sent to Security Analytics Tools for analysis. | R-04492
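As an added illustration (example code, not part of this page or of any ONAP component) of how a container application can meet the STDOUT, UTC timestamp, enrichment and no-credential requirements above: each event is a JSON line on STDOUT, stamped in UTC, carrying the CON-LOG-REQ-F6 context fields, with credential-like fields scrubbed before the line is written. The event field names and the SENSITIVE_KEYS list are assumptions for the example.

```python
import json
import sys
from datetime import datetime, timezone

# Field names treated as credentials or sensitive data (CON-LOG-REQ-12 / CON-LOG-REQ-XX).
# Assumption for this example: a real application aligns this list with its own schema.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization", "api_key"}
REDACTED = "[REDACTED]"


def redact(value):
    """Recursively replace credential-like fields so their values never reach the log."""
    if isinstance(value, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def build_event(source_ip, user, function, outcome, detail=None, resource=None, now=None):
    """Build one enriched security event (CON-LOG-REQ-F6) stamped in UTC (CON-LOG-REQ-19).
    `now` must be a timezone-aware datetime; a naive value would be interpreted as local time."""
    ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    event = {
        "timestamp": ts.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "source_ip": source_ip,      # host that generated the event
        "user": user,                # account concerned
        "function": function,        # functionality concerned
        "outcome": outcome,          # "success" or "failure"
    }
    if resource is not None:
        event["resource"] = resource  # resource accessed
    if detail is not None:
        event["detail"] = redact(detail)  # error detail, scrubbed of credentials
    return event


def emit(event, stream=sys.stdout):
    """Write the event as one JSON line to STDOUT (CON-LOG-REQ-20) and return the line."""
    line = json.dumps(event, separators=(",", ":"), sort_keys=True)
    stream.write(line + "\n")
    return line


if __name__ == "__main__":
    # Constructed sample: a failed login whose error detail still carries the submitted password.
    sample = build_event("10.0.0.5", "alice", "login", "failure", resource="/api/v1/session",
                         detail={"error": "bad credentials", "password": "hunter2"})
    emit(sample)
```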

...

Docker PS
CONTAINER ID: 5c6768cf2c81
IMAGE: onap/sdnc-image:latest


Security Log Field Definitions

Type Synonyms:

REQUIRED: SHALL OR MUST
RECOMMENDED: SHOULD
OPTIONAL: MAY

...