Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Presentation provided by Muddasar:

El Alto was first release focusing on technical debt and it was a shorter release.

Jira No
SummaryDescriptionStatusSolution


Log PoC results presentation by Andrew (andrew.a.lamb@est.tec).

Image Added

Fluentbit sends logs to Elasticsearch and Kibana retrieves it from there.

done

About the requirement:

[REQ-1072] SECURITY LOGS FIELDS – full PoC with CPS in Kohn and then GR candidate for London.


LFN Developer & Testing Forum

Event June 13th-16th Porto, Portugal

Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/

started


  • SECCOM topics proposal:

    • SECCOM retrospectives:
      • Log4j fix implementation in Istanbul Maintenance Release
      • Jakarta security status update
    • Kohnsecuritygoals:
      • Global Requirements and Best Practices
      • Security PoCs:
      • logging req
      • code quality
      • service mesh
    • SBOM enablement and maintenance, and packaging
    • Waiver policy update
    • Unmaintained projects joint meeting with Amy, Thomas and Andreas, Chaker and Byung.
    • On the road to gold badge - Tony and Toine - potential issue with remote participation for Tony.
    • Operator perspective on ONAP security – Amy, Andreas? Brian? Fabian?
    • Security principles in the implementation – Tony, Maggie - work in progress, risk to deliver for one of next conference.
started

Remaining topic proposals to be submitted.

Brian to share what kind of security due diligence is performed by BellCanada. ONAP is used for 5G slicing orchestration.

Fabian to check if could contribute on how qualify software to be deployed, what duediligence due diligence was performed. 

Follow-up with Kenny to be done.

OSA documentation update per release Thomas asked for a branch to be created for JakartastartedPawel to be done.Last PTLs meeting – 25th of April

1.SDC-3954 - open

2.SDNC-1692 - done

3.OOM-2957 – open – reassigned to Fiachra

    • fix root_pods in Jakarta release:

1.OOM-2958 – open - reassigned to Fiachra

2.INT-2104in progress

    • fix node ports in Jakarta release

1.SDC-4002 - open

2.SDNC-1703 - open 

3.SO-3941 - open

Last PTLs meeting – 9th of May

Tony presented 5Y project review – CPS volunteered to be PoC and review questionaire.

ongoingOnce Toine completes, we will review the questionnaire. SECCOM to be updated.Unmaintained Projects

Amy presented to ArchCom and to present to TSC 19 May. 12 May TSC call covered a release milestone.

Good exchanges with Chaker, Byung:

Updated presentation is available below.

Amy to present at 19 May TSC call.

Outline for the yellow to be added.

Update on failing security tests below:

1.SDC-3954 - open

2.SDNC-1692 - done

3.OOM-2957 – open – reassigned to Fiachra

    • fix root_pods in Jakarta release:

1.OOM-2958 – open - reassigned to Fiachra

2.INT-2104in progress

    • fix node ports in Jakarta release

1.SDC-4002 - open

2.SDNC-1703 - open 

3.SO-3941 - open

Security tests taht are performed to be reviewed for test coverage and identification of missing items.SBOM: patch to add the path for VES 

Adoption issue requires manual manipulation of workspace flag.

Next step to get PTL onboard and set target date when LF IT would implement ONAP projects

-5/17: no change in status with LFIT

ongoing



CPS gold badge 
  • IT-23828 2FA (2 Factor Authentication) needed for merging to Gerrit in ONAP – info from Andrew G. „It's possible but non-trivial at present. I'm working on trying to make a case for making this easier to do as I can get 2FA turned on, but then if people need to change things related to it it would require helpdesk intervention with no self-service. Basically, our current setup is user hostile and could be made significantly better.”
  • IT-23829 Hardening LFN hosted ONAP project web sites – done – info from Andrew G. All 3 Nexus systems for ONAP are now reporting grade A. We'll be taking these changes to our other managed Nexus systems as well, so thanks for the poke to improve our security posturę. We are still working on strengthening the wiki and jira scores. They're already getting an A but both of them are showing some items that could be made stronger.”
ongoinglogging PoC report

Ajay (Ericsson) is working on the connection between FluntBit and ElasticSearch. He is leaving Ericsson end of this week, so some of our OOM team members have key learning sessions with him. I told Ajay to check in his code. We plan to report our log PoC progress/demo to SECCOM sometime soon. That is the plan.

Prototype for logging fields.

5/17 Update:

  • OOM: Logs are flowing from ONAP container applications to ElasticSearch. Logs are visible through Kibana reports. File sizes are very large (4Gig in 24hrs); significant trace data in the logs
  • Next steps: investigate the size of log files: metadata dominates data size; FluentBit may be adding information; file size not unreasonable for production system
  • Next Steps: demonstrate to SECCOM, PTL, Architecture, TSC
  • Byung to upload Kibana report to meeting minutes
  • 5/24: Andrew Lamb will present results to SECCOM
ongoingupdate and demo will be provided - Byung coordinates that.CPS PoCFabian tried to join Seshu. How to move forward: share results of the PoC during PTLs meeting to build awarness, followed by proposal to community. Closed loop for results is a defintely a value for the developer.ongoingOutcomes of CPS PoC to be presented in incoming weeks.NIST 5G Cybersecurity draft documenthttps://csrc.nist.gov/publications/detail/sp/1800-33/draftongoingTechnical debtstarted

We shall have Jira issues for all technical dept issues to track it.

To review last 2 slides ta the next meeting - slides to be shared by Muddasar to SECCOM distribution list - doneSBOM
Jess to reach out LFN IT developer.ongoing

Notary v2 vs. Cosign

cathegories to be covered: software, documentation nad SBOM.

Waiting for a feedback from Alex.


SECCOM requirement to be formed starting with software.

Last TSC meetingPositive feedback from TSC on unmaintained projects


Technical debt

Last 2 slides reviewed again by Muddasar:

Image Added

What PTLs consider as technical debt?

Image Added

started

Reviewing technical debt related Jira items in projects backlog. Muddasar to review backlogs per project.

One slide to be prepared and then shared with PTLs and architecture subcommitee.


SECCOM MEETING CALL WILL BE HELD ON 7th OF June'22. 

Review of technical debt slides with special focus on 2 last ones.







Recording: 

View file
name2022-05-24_SECCOM_week.mp4
height150


SECCOM presentation:

View file
name2022-05-
17
24 ONAP Security Meeting - AgendaAndMinutes.pptx
height150