Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Preferred option to be vlidated by Krzysztof and confirmed by e-mail. After to be presented to TSC to become a best practice.

To be further elaborated.

Jira No
SummaryDescriptionStatusSolutionRoot pods discussion

Change in Consul recently submitted. There are 2 ways to ensure that process is not running as root in the container:

  • Docker deamon switch the user (no need to trust the content of the container) – preferred option
  • Docker deamon starts as root and then change (need to trust that container content is valid)
ongoing

SECCOM requirements for Honolulu

Looking for junior profile to execute Java upgrades. Orange Labs Poland and LFN contacted. 

ongoingHarbor update

Item solved by e-mail exchange.

doneSecrets management update

No feedback yet from Natacha for different types of secrets existing in ONAP discussed on 10th of November.

doneFlow matrix

Fabian had a meeting with Sebatien..

Fabian explores Celium.

ongoingNo feedback from this meeting - waiting for a feedback from Sebasien.Quality of the codePossibility to refuse the commit. There are quality issues in ONAP but we get a lot of push back. ongoingMeeting with Jessica to be planned. for pipeline creation.CII Dashboard

Progress was shared with the last PTLs call.

doneVersions recommended for Honolulu releaseTests checks on run time. Java 11.0.6 version selected as recommended. ongoingProtocols and encryption finding sfrom Sonar

5 types of findings, 2 of them serious:

130+ projects disabled validation of server certificate or validating host name in the certificate- ignoring part of basic TLS protocol.

38 projects have problem with the way how they use encryption algorythms - broken ones used (MD5 or SHA-1). 

Poor practices in identity management.

SSL selected instead of TLS - easy to fix.

Best practice to be formalized - Amy to provide modified wording for Cryptographic Algorithms and Protocols. Krzysztof will have later today a meeting with Chaker and David.

SECCOM elections – call for candidates!

Together with Amy we submit our candidatures but other candidates are welcome.

Elections next week.

ongoingE-mail with call for candidates to be sent to SECCOM distribution list. 

SECCOM Inputs for Guilin release notes

Following last PTLs call, we should provide SECCOM inputs.

Krzysztof already updated all the Jira tasks related to him: logs management, passwords removal, not running as root. Copy & paste of waivers list is expected.

No update from CII badging by Tony.

Packages upgrades by Amy.

For Java and Python upgrades - Jira tickets were updated and will be provided in the release notes.

ongoingUpdate to be provided with patch to security release notes by Krzysztof.

Global requirements vs. best practices in Honolulu

Next steps: we should present to TSC our candidates from best practices and rephrase them.  Sample: requirement: project should upgrade their vulnerable packages → best practice: any ONAP component should not use packages with known vulnerabilities, so all new components that will be added to ONAP in Honolulu release will need to meet them.

And then we need to propose to TSC how we want to evolve: those projects should upgrade those packages.  

Not obeying new rules = not shipping of the new container.

Global requirement per release has to be approved at M1.

Best practice can be approved any time and is valid forever. All new code developed next day need to follow this best practice. At least 1 week before M1 best practice may become a global requirement.

ongoing

List of the requirements we would like to become a global requirement from best practice to be delivered to TSC on 10th of December. 

TSC first approves best practices.


Container as root vs. as privilige

Huge difference between privilige container and container running as root.

Container running as root = processes that start within this container start as root but with drop capabilities (with most of the capabilities dropped).

When container starts as priviliged = it is sharing certain resources with the host system namespace with is a way bigger security issue than starting containers as root.

ongoing

To be discussed at the next SECCOM.



OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 24th 8th OF NOVEMBERDECEMBER'20. 





Recording:

View file
name2020-12-01_SECCOM_week.mp4
height150


SECCOM presentation:

View file
name2020-12-01 ONAP Security Meeting - AgendaAndMinutes.pptx
height150