Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Next week conclusion expected.

Jira No
SummaryDescriptionStatusSolutionLogging security discussion by Byung

Node vs. pod level logging update, pods logs visible but not yet with content, kyverno used for policy management.

Meeting with Justin and Maggie scheduled later today by Byung.

ongoingCPS Security review questionaire by Tony

Slot for a meeting with CPS team still under setup.

ongoingSecurity issues raised by External researchers
  • IT-24999 Security Issue - Sensitive information leakage – Fiachra was contacted, still waiting for his feedback
ongoing

Upcoming D&TF 

Please register!

-SECCOM proposals (TBD): https://wiki.lfnetworking.org/display/LN/2023-02+LFN+Developer+Event+Topics+February#id-202302LFNDeveloperEventTopicsFebruary-ONAPTopics 

ongoing

Python PoC by Bob

Environment for testing is available

ORAN SC is actively using Pylog, libraries under testing, 

ongoingWork in progress. Fiachra still to be contacted.

TSC meeting (26th January)

Architecture Subcommittee shared London status: niorttech.net

PTL meeting (30th JanuaryTSC meeting (2nd Fabruary)

TSC agrees in principle to form a special squad or task force to manage changes to projects that lack a PTL.  Participants and details to be determined.

Chaker is leading meeting at the Archcom later today.




PTL meeting (6th Fabruary)

Review of Release Management tasks – started

Looks like there is overlap between Architecture Subcommittee and PTLs tasks.

continued




Unmaintained projects updateupdate 

Jira tickets to be were issued for repos (34!) where no changes for last 12 months done.

Feedback from 2 projects, one of them AAI and Sparky related one.

Projects under OOM removal and from official architecture Wiki page (List from Byung):

• AAF
 • Logging
 • Music
 • VID
 • APPC
 • TOSCA Parser
 • DCA Design Studio
 • CDS (@SDC)
 • Portal

• CLAMP (still shown as a subcomponent)
 • NBI / External API
 • DMAAP / Strimzi
 • “Base components” (e.g. Strimzi Operator, Keycloak, OAuth Proxy, CertMgr, …)

List from Amy:

  • Multicloud
  • VVP
  • OOM
  • AAI
  • SDC
  • SDNC
  • CLI
  • VNFSDK
  • Integration
  • SO
  • VFC



Logging security discussion

Problem of multitenancy and . SDC is doing tenant isolation by adding attribute tenant in logging.

Focus on node level logging.

Namespace is treated as object that would get privileges.

We treat multitenancy in a sense: ONAP running as a Service. 




CPS Security review questionaire by Tony

CPS provided their feedback.

CPS - ONAP Security Review Questionnaire

ongoingWe should now review answers and provide comments by February 21st and CPS team could be invited to SECCOM on February 28th.

Adoption of security practices

TAC meeting will be addressing it on Wedesday.

  • SBOMs autogeneration with full depth
  • signing artifacts - Maven central does not support Sigstore - to be elaborated
  • ORAN Alliance has some signing recommendations already

LF IT is entity that should implement SBOM tools insertion for all LF projects.


NTIA recommendation on integrity protections on SBOMs to be reviewed by Amy


NSA NIST has also just joined ORAN Alliance.Security

logging support by Bob for AI/ML - 25 use cases proposed.https://www.nist.gov/news-events/news/2023/01/nist-joins-alliance-promote-open-wireless-technologies-and-supply-chains
https://www.theregister.com/AMP/2023/01/26/nist_5g_open_ran/




SECCOM MEETING CALL WILL BE HELD ON 14th 21st February 2023. Node vs. pod level logging update by Byung.

CPS Security questionaire review questionaire by TonySECCOM.





Recordings: 

2023-02-07_SECCOM_week.mp4


SECCOM presentation:

2023-02-07 ONAP Security Meeting - AgendaAndMinutes.pptx