
Amy made a Wiki.

Some parts of the docker tests need to be part of Jenkins jobs. It might be that we will be responsible for the scripts and the OOM team for getting them into place (integrated into the Jenkins build).

Sylvain is acting PTL in OOM.

For the only HTTP port exposed – action Amy to contact PTL Bharath. No OJSI ticket was assigned: either it should have appeared after our scans, or the component was not responding at the scanning moment; there is no value in opening additional tickets. The MUSIC team should either remove HTTP, switch to HTTPS or ask for a waiver with justification.

We should come back to the Architecture Subcommittee with a proposal for Service Mesh and, once approved, we should approach the TSC for a recommendation.

To approach David to check who would open Jira tickets per project for package upgrades.

Jira No | Summary | Description | Status | Solution | Latest feedback received from Integration team

Virtual ONAP event
  • SECCOM Guilin security requirements update - Paweł
  • Holistic view of ONAP security – Krzysztof/Amy
    • Access control
    • Storing permission
    • Hardening
    • Logging 
    • Gaps identified
  • Akraino reference for security documentation - Amy
  • CNTT alignment meeting – to be consulted with Samuli
  • Service Mesh – analysis and then with Architecture Subcommittee - Krzysztof
  • Logs management evolution in ONAP - Pawel
  • VNF security requirements - Amy
  • Package upgrade strategy – Amy/Pawel
  • Communication matrix - Natacha
  • Password removal continued and no hardcoded passwords for a new code - Krzysztof
  • NEW: CMPv2 in Guilin release – Pawel B

PTLs meeting update

PTLs meeting (held on April 13th) update:

- CLI closed 3 HTTP ports, one of the CVEs and the running-as-root finding

- A&AI should close 15 issues

- AAF – still one issue open

- Optimization – 1 running as root – under fix, submitted

- MUSIC – HTTPS port exposed – delivered

- Code coverage – 5 exceptions not reaching 55% (all with waiver granted: AAF has no resources for the sidecar, Policy engine will be excluded next release, OOF – no resources)

-API documentation presentation by Andy Mayer

Scorecard for requirement req-223

David proposed to descope this requirement.

Progress is minor, but SECCOM proposes to keep this requirement in scope.

Tony – to update the scorecard with green status and a comment on the minor but positive direction.

New Notary v2 project - address container image signing

Tero shared info about this new project

In general it aims at validation of container images.

Notary v2 use  cases: https://github.com/notaryproject/requirements/blob/master/scenarios.md

The industry telecom part is missing as a contributor.

According to the latest ETSI NFV specs, containers could also be signed by the operator.

The OCI artefacts project is aiming at modifying the image registry so that Helm charts could be stored.

TSC logging presentation – discussion point

20_04_30_ONAPLoggingGuilin_V1.pptx – ONAP project use of Logging

TSC decision is needed, so proposal to be sent to TSC.

Comments to be collected by 29th of April COB.


Hardcoding certificates in docker images

PKI – a public certificate that is signed by the Certificate Authority.

AAF contains a hardcoded trust store. According to Krzysztof this is a security issue, as the root CA in ONAP is already compromised. By default none of the ONAP images should trust that CA. Only if a user is deploying ONAP for testing, in a lab environment, is it fine to use it.

A lot of components use the AAF hardcoded certificate.

The trust store that is in the AAF agent image should be removed from that image and placed in OOM as a resource and delivered to the image at deployment time.

We need to have an agreement from the projects. This proposal is to be presented at the PTLs call.
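The deployment pattern discussed above, as an added example (not ONAP, OOM or AAF code): the image ships with no trust store, and the operator's trust store is delivered at deployment time as a Kubernetes Secret mounted read-only into the container, with the password that unlocks it also coming from the Secret rather than being hardcoded. The component name, namespace, image, Secret name, key names and mount path are all assumptions.

```yaml
# Added example, not part of the ONAP/OOM charts. All names and paths are assumptions.
#
# Before installing the chart, the operator creates the Secret from its own CA bundle
# (constructed command, paths are placeholders):
#   kubectl -n onap create secret generic example-truststore \
#     --from-file=truststore.jks=./operator-truststore.jks \
#     --from-file=truststore-password=./operator-truststore.pass
#
# For a lab-only deployment the same Secret name can be populated with the public
# test CA instead, so the choice of which CA to trust is made at deploy time and
# never baked into the image.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-component          # assumed component name
  namespace: onap
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-component
  template:
    metadata:
      labels:
        app: example-component
    spec:
      containers:
        - name: app
          image: example/component:1.0   # assumption: image contains no trust store
          env:
            # The application reads its trust store only from this mounted path;
            # if the Secret is absent the pod fails to start instead of falling
            # back to a trust store shipped inside the image.
            - name: TRUSTSTORE_PATH
              value: /etc/pki/truststore/truststore.jks
            - name: TRUSTSTORE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: example-truststore
                  key: truststore-password
          volumeMounts:
            - name: truststore
              mountPath: /etc/pki/truststore
              readOnly: true
      volumes:
        - name: truststore
          secret:
            secretName: example-truststore   # created by the operator, never committed
            defaultMode: 0440
            items:
              - key: truststore.jks
                path: truststore.jks
```

Using `secretKeyRef` for the password keeps it out of the chart values and out of the image; `readOnly: true` and `defaultMode: 0440` stop the running process from modifying the trust store. The same pattern applies to any component that today copies the AAF trust store into its Dockerfile: delete the `COPY` of the store from the image and add the volume mount to its OOM chart instead.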


vF2F summary

We discussed removing passwords in the Guilin release. One of the issues is removing hardcoded certificates and, obviously, the passwords to unlock those certificates. We decided to continue using AAF as the official way of retrieving certificates, but we strongly recommend using the common template instead of writing a Helm chart on your own, so that it is much easier to switch in the future if we decide to do so.

Good perception of the package upgrade strategy. Jira tickets under creation.

CMPv2: several mechanisms to retrieve certificates (one internal and one external). Planning to integrate CMPv2 with DCAE. A certificate update use case will be added. Enhancements to the client, like a configurable format of the output artefacts: P12 and time format support.

SDNC update for 3 patches merged on CMPv2.

CNTT alignment meeting. CIS benchmark test shared.

Jira tickets under creation.

Adam to help Gerard.


Synch meeting with Requirements Subcommittee

Synch meeting with Requirements Subcommittee – we missed the one on 27th of April to present SECCOM requirements for the Guilin release – the next meeting is scheduled on May 11th. CMPv2 requirements will be presented by Pawel to the Requirements Subcommittee.


CII Badging requirement

Jira tickets to be created; info to be shared with Krzysztof.

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 28th OF APRIL / 5th OF MAY '20 as on 21st we have vF2F meetings.

Attachments:

  • 2020-04-1428_SECCOM_week.mp4
  • 2020-04-14 28 ONAP Security Meeting - AgendaAndMinutes.pptx