
Fabian shared his presentation:

Two types of basic image hardening were presented; the work was done by Morgan (for both Java and Python).

PoCs with CPS (a brand new project) and Policy (a project which has already put effort into logging integration and already uses stdout) were proposed to move forward.

Next steps:

  • Deploy logging architecture
  • Analyze events linked to threats
  • Morgan to be consulted on standard images.
  • To be confirmed whether Policy uses a standard image: not yet, but planned for the Honolulu release.

Jira No | Summary | Description | Status | Solution

LFN event

2 presentations provided:

  • package upgrades (Amy, Vijay and Pawel)
  • CII Badging (Tony)

Feedback from Kenny on maintaining historical data on CII Badging answers: done by Tony.

done

Slides on SECCOM requirements to be presented at the next Requirements Subcommittee meeting on Monday February 15th. 

POM file version to be provided to PTLs.

Exception process with deadline before RC0.

ONAP Log security management

ongoing

Anuket - new project

Update from Samuli:

Anuket and XGVela: define common PaaS services. Anuket covers the basic PaaS services, XGVela the telco-specific ones.
Presentation on Feb 3rd: “Beyond IaaS/CaaS for Cloud Infrastructure in RM”; Walter Kozlowski, Petar Torre, Pankaj Goyal, ... Slides: https://wiki.lfnetworking.org/download/attachments/50528563/Platform_Services_Beyond_IaaS_CaaS.pdf?version=2&modificationDate=1612116560000&api=v2
Minutes (and presumably also a link to the recording) will be here: https://wiki.lfnetworking.org/x/MwEDAw
Summary:
Anuket (merge of CNTT and OPNFV) aims to define common PaaS services for telco CNF platforms.
There was discussion of what those services could be (see a draft/example list on slide 6).
There was also discussion on how deep Anuket can/shall go, see slide 9. E.g.: specify only the service type, or the concrete CNCF service like Prometheus, also the version, also the usage, i.e. a ‘common data model’ as written on slide 9.
Motivation: to save operators a lot of CNF integration work. E.g.: CNFs are using various logging approaches.

SECCOM slides for Requirements Subcommittee

https://lf-onap.atlassian.net/wiki/display/DW/Template+to+be+fulfilled+per+each+requirement

As we missed the last session on February 15th to present the slide deck, we will try to book a slot on March 1st.

ongoing

E-mail to be sent to Alla to check if we could present on March 1st.

Whitesource scans of SPC vs. Nexus-IQ

Results for CPS scans were discussed for both Whitesource and Nexus-IQ.

Would running Trivy at the end of image creation allow this kind of issue to be identified?

Fabian will do the scans with Trivy for the CPS repo and share the results.

ongoing

Exchanges with Toine on SCA scan findings shall be done by e-mail.

Whitesource could be contacted to figure out how transitive dependencies are shown in their GUI.


ODL customized repo for ONAP

Version RC1 and RC2 have some issues, so finally RC3 shall be used as the ultimate one for the Honolulu release.

ongoing

Results to be compared between the previous release and RC1, and between RC1 and RC3.

UI from Morgan presentation

Scans for Java and Python and each container, with color coding: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/02-11-2021_22-02/security/versions/versions/

Many projects are not using the standard image that the Integration team created. It is a good thing to have; we need to get projects moving to standard images.

Maybe Alpine is not enough and Debian or Ubuntu should be added?

Orange ran Trivy against those 2 images and only 2 medium CVEs were identified for each of them.

We should focus on the MVP; to be discussed next week.

ongoing

It would be good to know which projects are using the standard image and which a customized one, and to know the rationale behind it.

Michal to be contacted for SDNC, which still uses Python 2.7 for one container (SDNC-DMaaP).

Orange MVP to be presented by Fabian.
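The Trivy scans discussed above (on the CPS repo and on the two standard images) are a natural candidate for a build-time gate rather than a one-off check. The following is an added example, not code from the SECCOM minutes or from any ONAP project: a POSIX shell script that runs Trivy on a freshly built image, keeps a JSON report, and fails the step when HIGH or CRITICAL findings remain, plus a small counter that summarises a saved report. The image tag, the report path and the sample report contents are assumptions (the sample is constructed with placeholder IDs); the `trivy image` options used (`--format json`, `--output`, `--exit-code`, `--severity`) are real Trivy options.

```shell
#!/bin/sh
# Added example (not from the SECCOM minutes or any ONAP project):
# run Trivy at the end of an image build and gate on HIGH/CRITICAL findings.
# Assumptions: `trivy` is on PATH; the image tag passed in has just been built.

# Scan an image, keep a JSON report for the record, and fail (exit 1)
# when any HIGH or CRITICAL vulnerability is present.
scan_image() {
  image="$1"
  report="$2"
  trivy image --format json --output "$report" "$image" || return 1
  trivy image --exit-code 1 --severity HIGH,CRITICAL "$image"
}

# Count findings of one severity in a Trivy JSON report.
# Trivy pretty-prints one key per line, so a line-count grep is enough here;
# a compact single-line report would need a JSON parser instead.
count_severity() {
  severity="$1"
  report="$2"
  grep -c "\"Severity\": *\"$severity\"" "$report" || true
}

# Decide pass/fail from a saved report: non-zero return when HIGH or CRITICAL remain.
gate_report() {
  report="$1"
  high=$(count_severity HIGH "$report")
  critical=$(count_severity CRITICAL "$report")
  if [ "$((high + critical))" -gt 0 ]; then
    echo "FAIL: $high HIGH, $critical CRITICAL finding(s) in $report"
    return 1
  fi
  echo "PASS: no HIGH/CRITICAL findings in $report"
  return 0
}

# Constructed sample report in Trivy's JSON layout (placeholder IDs, not a real scan).
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "Results": [
    {
      "Target": "example-image (alpine 3.12)",
      "Vulnerabilities": [
        { "VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "MEDIUM" },
        { "VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "MEDIUM" },
        { "VulnerabilityID": "CVE-0000-0003", "PkgName": "libother", "Severity": "HIGH" }
      ]
    }
  ]
}
EOF
}

# Typical CI use (requires trivy):
#   scan_image "$IMAGE" trivy-report.json && gate_report trivy-report.json
```

The second `trivy image` call does the gating with Trivy's own `--exit-code` handling, so the JSON report is only there for the record and for the summary functions; MEDIUM findings like the two seen by Orange on the standard images are reported but do not block the build under this policy.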


Logs management

Policy uses stdout for logs collection.

3 tickets were opened regarding logs:

  • AAI – LOG: https://jira.onap.org/browse/AAI-3273
  • SO – LOG: https://jira.onap.org/browse/SO-3531
  • AWX contrib: https://jira.onap.org/browse/INT-1858

Fabian continues to check other components for logging.

ongoing

Toine to be asked by Amy on stdout usage.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 23rd OF FEBRUARY'21. 

Logs requirements by Amy

MVP by Fabian

Trivy scan results by Fabian.




Recording: 2021-02-16_SECCOM_week.mp4