...
- Application: This refers to the runtime containerized application.
- Container: This refers to the container platform and orchestration software that ONAP interfaces with, for example Docker and K8S.
- Infrastructure: This refers to any physical, virtualization, element managers, and/or operating system components.
Our immediate focus is on defining what logs should be generated and how they should be collected for ONAP Components only. This is indicated as Phase 1 in the table below. Ultimately we want to create a POC, then have it approved as a Best Practice, and then as a Global Requirement.
Phase 1 (ONAP Based Events) covers ONAP Components (e.g., DCAE, SDC, etc.); Phase 2 covers events from services orchestrated by ONAP (xNF, xApps).

| Lifecycle | Phase 1: Application | Phase 1: Container (k8s and Docker) | Phase 1: Infrastructure | Phase 2: Application | Phase 2: Container | Phase 2: Infrastructure |
|---|---|---|---|---|---|---|
| Generation | X | X | | | | |
| Collection | X | X | | | | |
| Monitoring | | | | | | |
| Alerting | | | | | | |
| Response | P | P | X | X | | |

Key: X: Indicates what is in-scope for ONAP
...
Phase 2 will focus on logs of events from services orchestrated by ONAP.
Notes
At a high level there are 5 broad categories with regard to Security Event Management (or is this a Security Event Lifecycle?):
Generation
- Within ONAP, both containers and infrastructure generate raw data that is of security concern:
  - Containers (xNFs)
  - Infrastructure (Docker and K8S)
- There is a set of logs that both Docker and K8S generate that relate to security monitoring.
  - That is documented here: https://wiki.onap.org/download/attachments/103419713/Logging%20-%20ATTACK%20to%20SECCOM_v3.pptx?version=1&modificationDate=1622560207000&api=v2
The items below refer to the ONAP columns (Application and Infrastructure) of the table above.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
As a further refinement for this document, only the keywords REQUIRED, RECOMMENDED and OPTIONAL will be used.
PLEASE CONSIDER THE BELOW THE MOST UP-TO-DATE LIST. While transferring data here from various spreadsheets and PPTs, several errors were corrected (duplicates, wrong ID numbers, wrong VNF REQ numbers).
Logging Practice Requirements (Proposed)
Security Logging Best Practice
Security Event Generation Requirements (Proposed)
Metadata for Security Events (Proposed)
Steps for approval: POC → Best Practice → Global Requirement
Best Practices and Risk Analysis for an Operator
...