Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Page Status:

...

<< list the new capabilities that were introduced in this release, or a hot-link to the key features. New sub-chapter per release, as per a release notes document >> 

6. Security Conformance 

  • ONAP Component API and data security conformance 
    • Describe the component Service Mesh conformance / plan for secure communications, routing, authentication and authorization configurations
      • Does the component have AAF dependencies? If so, describe the current dependencies and a migration plan to remove the dependancies
      • How does the component support authentication and authorization of its clients (Humans, other applications)?
    • Describe the component data protection
      • Data storage location/mechanism
      • Data protection plan, such as data at rest, data-level access control, data in transit, others
      • User sensitive data handling
  • Describe the component / container hardening
    • The component must run as non-root-based users. Does the component use non-root-access only? Otherwise, describe the reasons and non-root-access support plans
    • Does the component container require privilege access/right? If so, describe the reasons and migration plans
    • Is the component image signed digitally for integrity? (TBD)
    • Does the component use the basic image to conform to the global requirement
      Jira Legacy
      serverSystem Jira
      serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
      keyREQ-1073
    • Does the component follow the K8s hardening guide? e.g., from NSA, https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF 
  • Describe the component logging conformance
    • Does the component conform to the Log field standards best practice,
      Jira Legacy
      serverSystem Jira
      serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
      keyREQ-1072
      ? If not, please describe the reasons and support plans.
    • Does the component exclude user sensitive data (e.g., password, private key, other credentials) from logging? If not, please describe the reasons and support plans.
    • Does the component support the Logging destination STDOUT / STDERR conformance? If not, please describe the reasons and support plans.
  • Documentation for the component security
    • Describe the component security architecture and conformance in the document.


7. Document Changes

8. References

...