
Presentation provided by Muddasar:

El Alto was the first release focusing on technical debt, and it was a shorter release.

Topics table (columns: Jira No, Summary, Description, Status, Solution):


Summary: Log PoC results presentation by Andrew (andrew.a.lamb@est.tec).

Description: Fluentbit sends logs to Elasticsearch and Kibana retrieves them from there.

Status: done

Solution: About the requirement: [REQ-1072] SECURITY LOGS FIELDS – full PoC with CPS in Kohn and then GR candidate for London.


Summary: LFN Developer & Testing Forum

Description: Event June 13th-16th, Porto, Portugal.

Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/

  • SECCOM topics proposal:
    • SECCOM retrospectives:
      • Log4j fix implementation in Istanbul Maintenance Release
      • Jakarta security status update
    • Kohn security goals:
      • Global Requirements and Best Practices
      • Security PoCs:
        • logging req
        • code quality
        • service mesh
    • SBOM enablement and maintenance, and packaging
    • Waiver policy update
    • Unmaintained projects joint meeting with Amy, Thomas and Andreas, Chaker and Byung.
    • On the road to gold badge – Tony and Toine – potential issue with remote participation for Tony.
    • Operator perspective on ONAP security – Amy, Andreas? Brian? Fabian?
    • Security principles in the implementation – Tony, Maggie – work in progress, risk to deliver for one of the next conferences.

Status: started

Solution: Remaining topic proposals to be submitted.

Brian to share what kind of security due diligence is performed by Bell Canada. ONAP is used for 5G slicing orchestration.

Fabian to check if he could contribute on how to qualify software to be deployed and what due diligence was performed.

Follow-up with Kenny to be done.

Summary: OSA documentation update per release

Description: Thomas asked for a branch to be created for Jakarta.

Status: started

Solution: Pawel to be done.

Summary: Last PTLs meeting – 25th of April

Description:

  1. SDC-3954 – open
  2. SDNC-1692 – done
  3. OOM-2957 – open – reassigned to Fiachra

  • fix root_pods in Jakarta release:
    1. OOM-2958 – open – reassigned to Fiachra
    2. INT-2104 – in progress

  • fix node ports in Jakarta release:
    1. SDC-4002 – open
    2. SDNC-1703 – open
    3. SO-3941 – open

Summary: Last PTLs meeting – 9th of May

Description: Tony presented 5Y project review – CPS volunteered to be PoC and review questionnaire.

Status: ongoing

Solution: Once Toine completes, we will review the questionnaire. SECCOM to be updated.

Summary: Unmaintained Projects

Description: Amy presented to ArchCom and will present to the TSC on 19 May. The 12 May TSC call covered a release milestone.

Good exchanges with Chaker, Byung.

Updated presentation is available below.

Amy to present at 19 May TSC call.

Outline for the yellow to be added.

Update on failing security tests below:

  1. SDC-3954 – open
  2. SDNC-1692 – done
  3. OOM-2957 – open – reassigned to Fiachra

  • fix root_pods in Jakarta release:
    1. OOM-2958 – open – reassigned to Fiachra
    2. INT-2104 – in progress

  • fix node ports in Jakarta release:
    1. SDC-4002 – open
    2. SDNC-1703 – open
    3. SO-3941 – open

Solution: Security tests that are performed to be reviewed for test coverage and identification of missing items.

Summary: SBOM

Description: Patch to add the path for VES.

Adoption issue requires manual manipulation of the workspace flag.

Next step: get PTLs on board and set a target date for when LF IT would implement ONAP projects.

5/17: no change in status with LF IT.

Status: ongoing



Summary: CPS gold badge

Description:

  • IT-23828 2FA (2 Factor Authentication) needed for merging to Gerrit in ONAP – info from Andrew G.: "It's possible but non-trivial at present. I'm working on trying to make a case for making this easier to do as I can get 2FA turned on, but then if people need to change things related to it it would require helpdesk intervention with no self-service. Basically, our current setup is user hostile and could be made significantly better."
  • IT-23829 Hardening LFN hosted ONAP project web sites – done – info from Andrew G.: "All 3 Nexus systems for ONAP are now reporting grade A. We'll be taking these changes to our other managed Nexus systems as well, so thanks for the poke to improve our security posture. We are still working on strengthening the wiki and jira scores. They're already getting an A but both of them are showing some items that could be made stronger."

Status: ongoing

Summary: logging PoC report

Description: Ajay (Ericsson) is working on the connection between FluentBit and ElasticSearch. He is leaving Ericsson at the end of this week, so some of our OOM team members have key learning sessions with him. I told Ajay to check in his code. We plan to report our log PoC progress/demo to SECCOM sometime soon. That is the plan.

Prototype for logging fields.

5/17 Update:

  • OOM: Logs are flowing from ONAP container applications to ElasticSearch. Logs are visible through Kibana reports. File sizes are very large (4 Gig in 24 hrs); significant trace data in the logs.
  • Next steps: investigate the size of log files: metadata dominates data size; FluentBit may be adding information; file size not unreasonable for a production system.
  • Next steps: demonstrate to SECCOM, PTL, Architecture, TSC.
  • Byung to upload Kibana report to meeting minutes.
  • 5/24: Andrew Lamb will present results to SECCOM.

Status: ongoing

Solution: Update and demo will be provided – Byung coordinates that.

Summary: CPS PoC

Description: Fabian tried to join Seshu. How to move forward: share results of the PoC during the PTLs meeting to build awareness, followed by a proposal to the community. A closed loop for results is definitely a value for the developer.

Status: ongoing

Solution: Outcomes of the CPS PoC to be presented in the coming weeks.

Summary: NIST 5G Cybersecurity draft document

Description: https://csrc.nist.gov/publications/detail/sp/1800-33/draft

Status: ongoing

Summary: Technical debt

Status: started

Solution: We shall have Jira issues for all technical debt issues to track them.

To review the last 2 slides at the next meeting – slides to be shared by Muddasar to the SECCOM distribution list – done.

Summary: SBOM

Description: Jess to reach out to LFN IT developer.

Status: ongoing

Solution: Notary v2 vs. Cosign.

Categories to be covered: software, documentation and SBOM.

Waiting for feedback from Alex.

SECCOM requirement to be formed starting with software.

Summary: Last TSC meeting

Description: Positive feedback from TSC on unmaintained projects.


Summary: Technical debt

Description: Last 2 slides reviewed again by Muddasar:

[slide image]

What do PTLs consider as technical debt?

[slide image]

Status: started

Solution: Reviewing technical debt related Jira items in the projects' backlogs. Muddasar to review backlogs per project.

One slide to be prepared and then shared with PTLs and the architecture subcommittee.


SECCOM MEETING CALL WILL BE HELD ON 7th OF JUNE '22.

Review of technical debt slides with special focus on the last 2.







Recording: 2022-05-24_SECCOM_week.mp4

SECCOM presentation: 2022-05-24 ONAP Security Meeting - AgendaAndMinutes.pptx