Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This is a working document.

The below matrix is a representation of the log management categories (lifecycle) in relation to the two categories of run-time logs (logs of ONAP events, logs of events from services orchestrated by ONAP).

Team Members

Actions

30 Jul 2021

...

13 Aug 2021

  • Review Requirements list Amy put together
  • Muddasar to provide links to NIST security logging standards: 

    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf

  • Fabian: Initial investigation of ONAP responding to security events.
  • Bob to provide Orchestration logging events
  • Log Template as suggested by Chakir on Tuesday call ( Apache 2 log template as an example.  Can we review work from Logging enhancement project?

Key

X: Indicates what is in-scope for ONAP

BP: Indicates a best practice

P: Partially in-scope (group consensus is mixed).

...

Activity Description

The goal of this activity is to develop a set of security requirements, security best practices and define a realistic plan to bring consistent logging across ONAP to support security analytics.

Roadmap


Phase 1Phase 2Phase 3Phase 4Phase 5
ObjectiveStandardize Project Logging for SecurityStandardized Collection of Log DataProject logs are collected to central locationProject Logs are enriched with container metadataAll projects mandated for security logging
ActivitiesDefine and specify fields required to support effective security analyticsWork with projects to write logs to STDOUT
  • Develop  architecture
  • Develop POC
  • Augment architecture to enrich log data with container metadata

OutcomePartial list of fields designated as Best Practice for JakartaDesignated as Global Requirement for JakartaWorking POC and demonstration to ONAP community
  • Working POC
  • Additional log fields set as best practice
  • Initial log fields set as global requirement
  • All security fields set as Global Requirement
  • Logging Architecture set as Global Requirement
TimeframeJ Release - CompleteJ Release - CompleteJ to K Release - 3Q22K Release - 3Q22L Release - 1Q23

Scope of Activity

In an effort to scope the activity the following table was developed.

The below matrix is organized by log lifecycle across ONAP Components and Services.  The components and services are further broken down by application, container and infrastructure.  For the purposed of this activity application, container and infrastructure are defined as follows: 

  • Application: This refers to runtime containerized application
  • Container: This refers to the container platform and orchestration software that ONAP interfaces with.  For example, docker and K8S.
  • Infrastructure: This refers to any physical, virtualization, element managers, and/or operating system components.

From a 2017 AT&T Doc on ONAP Logging

"Application logging” refers to logs written by ONAP component “applications”.

"System/infrastructure logging” refers to the separate/related set of logs produced by software components not developed for ONAP (e.g. DBMS, application container, web servers, ‘middle boxes’, JVM, OS, hypervisor, etc.) that are used in the implementation of these components." (See reference #4).

Scope

...

1

Our immediate focus is on defining what logs should be generated (see Log Generation below) and how they should be collected (see Log Collection below) for ONAP Components only.  This is indicated as Phase 1 in the table below.  Ultimately we want to create a POC then have approved as a Best Practice then as a Global Requirement.

Phase

1 - (ONAP Based Events)

2 (events from services orchestrated by ONAP)


ONAP Components (e.g., DCAE, SDC, etc.)Services (xNF, xApps)
LifecycleApplication

Container(k8s and Docker)

InfrastructureApplicationContainerInfrastructureHow they are generated
GenerationXX



How they are made availableCollectionXX



Monitoring





Alerting





ResponsePP
XX

Phase 1 will focus on logs of ONAP events.

Phase 2 will focus on logs of events from services orchestrated by ONAP

Image Removed

Notes

At a high level there are 5 broad categories in regards to Security Event Management (Or is this a Security Event Lifecycle?)

Generation

These below refer to the ONAP (Application and Infrastructure Columns)

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Further refinement for this document only the keywords REQUIRED, RECOMMENDED and OPTIONAL will be used.

PLEASE CONSIDER THE BELOW THE MOST UP TO DATE LIST.  While transferring data here from various spreadsheets and PPTs there were several errors corrected (duplicates, wrong ID number, wrong VNF REQ Numbers). 

Logging Practice Requirements (Proposed)

...

CON-LOG-REQ-19

...

The container MUST be capable of automatically synchronizing the system clock daily with the Operator’s trusted time source, to assure accurate time reporting in log files. It is recommended that Coordinated Universal Time (UTC) be used where possible to eliminate ambiguity owing to daylight savings time.

Sync time source The container MUST be capable of automatically synchronizing the system clock daily with the Operator’s trusted time source, to assure accurate time reporting in log files. It is recommended that Coordinated Universal Time (UTC) be used where possible to eliminate ambiguity owing to daylight savings time. 

...

CON-LOG-REQ-F4

CON-LOG-REQ-F10

...

 The container SHOULD provide the capability of maintaining the integrity of its static files using a cryptographic method. 

(Fabian) Propose to remove because this is a hardening requirement, not a logging requirement

(Bob) Instead of removing this is now in the Best Practices category and we can make it a recommendation.

...

CON-LOG-REQ-12

CON-LOG-REQ-XX

...

The container and container application MUST NOT include an authentication credential, e.g., password, in the security audit logs, even if encrypted. 

The container and container application MUST NOT include a sensitive information in the log

...

Security Event Generation Requirements (Proposed)

REQUIRED, RECOMMENDED and OPTIONAL

...

CON-LOG-REQ-1 

...

CON-LOG-REQ-2 

...

CON-LOG-REQ-3 

...

CON-LOG-REQ-4 

...

CON-LOG-REQ-5 

...

Metadata for Security Events (Proposed)

Type Synonyms:
REQUIRED: SHALL OR MUST
RECOMMENDED:  SHOULD
OPTIONAL: MAY

...

CON-SEC-LOG-01

CON-LOG-REQ-7

...

The container and container application MUST log the field “date/time” in the security audit logs. 

The value should be represented in UTC and formatted per ISO 8601, such as “2015-06-03T13:21:58+00:00”. The time should be shown with the maximum resolution available to the logging component (e.g., milliseconds, microseconds) by including the appropriate number of decimal digits. For example, when millisecond precision is available, the date-time value would be presented as, as “2015-06-03T13:21:58.340+00:00”.

...

R-97445

v1.3 Spec

...

CON-LOG-REQ-8

...

The container and container application MUST log the field “protocol” in the security audit logs.

This refers to the communication mechanism for a request.  The value of this field should be representative of the OSI application layer  protocol. This is represented as a decimal formatted TCP/IP port number.

...

R-25547

...

CON-LOG-REQ-9

...

The container and container application MUST log the field “service or program used for access” in the security audit logs.

This intention is to capture the service name endpoint or an externally advertised API invoked, e.g., where are you connecting to. This is represented as a URI or URL. 

R-06413

v1.3 Spec

(4)

...

CON-LOG-REQ-10

...

The container and container application MUST log a "status code" in the security audit logs. 

This field indicates the high level status for transactional or sub operational events.  It must be one of the following values:

  • COMPLETE when the request is successful
  • ERROR when there is a failure
  • INPROGRESS for states between the COMPLETE and ERROR.

...

R-15325

v1.3 Spec

(4)

...

The container and container application MUST log the Principal identity of a requestor in the security audit logs. 

This field should contain the identification name of the client application (user agent, client id, user, user id, login ID, non-person entity (NPE), Token,  etc.) of the entity accessing or invoking the service or API (Service / Program Name).

This field should contain the identification of the entity (user agent, client id, user, user id, login ID, non-person entity (NPE), Token,  etc.)  that made the request of the service or API indicated in the Service/Program Name field. For a serving API that is authenticating the request, this should be the authenticated username or equivalent.

There are not a concrete set of values for this field.  The developer should keep the following set of guidelines when determining what value to use or set for this field.

  • Use the short name of your component, e.g. xyzdriver
  • Values should be human-readable. 
  • Values should be fine-grained enough to disambiguate subcomponents where it's likely to matter. This is subjective. 
  • Be consistent: your component should ALWAYS report same value. 

REF: See PartnerName in v1.3 and (4).

R-89474

v1.3 Spec

...

Group ID

Role / Attribute ID

...

The container and container application MUST log the Role or Attribute ID of the Principal identity of the entity accessing the requested service or API.

Note: The group ID is in reference to a Role or Attribute as part of a RBAC or ABAC scheme.

RLH: I recommend we change this field name to Role/Attribute name as there may be potential for confusion since Group ID is overloaded term. 

...

The container and container application MUST use an appropriately configured logging level that can be changed dynamically.

The intention of this field is to not cause performance degradation via excessive logging. The value of this field should be on of the following:

"FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE"

The verbosity of the logging increases from left to right.

How do we synchronize these levels across projects and what the logging API they are using?

...

R-28168

(4)

...

The container and container application MUST log the severity level of a processing event.  

This is to be used for error reporting in internal processing in conjunction with the status code field. 

The value of this field MUST be on of the following:

{"NONE", "MINOR", "MAJOR", "CRITICIAL"} 

Optional: 0, 1, 2, 3 see Nagios monitoring/alerting for specifics/details.

...

Image ID

Image Hash

...

The container MUST log the image ID and layer hash

Upon review I was uncertain on what this recommendation was.  Going to the references to the right there is nothing about an Image ID.  I believe this to be a duplicate of Container Image Hash.  Recommend to remove.

...

The container and container application MUST log RequestID

A requestID is a universally unique value that identifies a single transaction request within the ONAP platform. Its value is conformant to RFC4122 UUID. This value is readily and easily obtained in most programming environments. The requestID value is passed using a REST API from one ONAP component to another.  See (4) for extensive detail on this field. 

v1.3 Spec

(4)

Best Practices and Risk Analysis for an Operator

<TODO>

Best Practices for operators to collect and correlate logs

<TODO>

Tagging

...

Collection

Proposed Collection of Container Logs

[CON-LOG-REQ-13] The container MUST have security logging for the container and container application active from initialization. [Reference: R-84160]

[CON-LOG-REQ-20] The container and container application MUST use the STDOUT for security logs collection [Reference: REQ-374]


Key: X: Indicates what is in-scope for ONAP                 P: Partially in-scope (group consensus is mixed).

Page Tree
expandCollapseAlltrue
rootONAP Security Event Management
searchBoxtrue





References

  1. https://www.enisa.europa.eu/publications/security-in-5g-specifications
  2. https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks
  3. VNF Requirements List: 9. Requirement List — onap master documentation
  4. ONAP application1 logging guidelines – Revision 1.0 (4/11/2017
  5. VNFCloud Readiness Requirements for OpenECOMP
  6. What to Log - Developer Wiki - Confluence (onap.org)
  7. Types of EELF Logs - Developer Wiki - Confluence (onap.org)
  8. Logging Enhancements Project — onap master documentation

Attachments

View file
nameONAP Logs Security Managment1.pptx
height250

ONAP Logs Security Management
rouzaut , FEB-20201

View file
nameLogging_ source reference diagrams.pptx
height250

Logging Source Reference Diagrams
Muddasar Ahmed , JUL-2021

View file
name2021-02-22_LoggingRequirementEvents_v9.pptx
height250

Proposed Container Logging Requirements
Amy Zwaricorouzaut, FEB-2021

View file
nameLogging - ATTACK to SECCOM_v3.pptx
height250

Container Logging Requirements GAP Analysis against ATT&CK
Robert Heinemann , Muddasar Ahmed MAY-2021


Misc. Notes

Terms

This is place where we can standardize our language.

  • Security Data: This is raw data that by itself may not be enough to indicate a security event.
  • Security Event: 
  • Analytic

Data Stewardship

  • What is the data life cycle within ONAP?
  • What happens to the data as it goes to log stash?
  • Will it go to AAI?
  • TODO: Draw out a few scenarios
  • If there is no consumer it may be written to archive.
  • Archival data vs live data

Monitoring

  • Includes Enrichment, Analysis, and Reporting.
  • It is expected that this function out of scope for ONAP.  A CSP / MNO will make used of a SIEM.  ONAP's role is to provide a means to export security event data.  This is where analytics are stored and applied to the data the is ingested from ONAP.
  • Presentation by Fabian pertaining to Analysis: ONAP Logs Security Managment1.pptx 

 Alerting

  • Possibly to include mitigation and actions.   
  • If we expect ONAP to respond to security events in a closed loop manner, then there needs to be a way for events generated by the SIEM to be ingested back into ONAP.

Response

Comments from Chakar, paraphrased, (7/20/2021 SECCOM Meeting)

  • We need to disambiguate "Logging" vs "Data Collection".
  • Logging from ONAP and Logging from xNF are not the same.

There are two types of responses to consider.

  • ONAP responding to a security event in a service.
  • ONAP responding to a security event within ONAP.  ONAP's ability to respond to itself is only possible in some limited and specific situations.  What are these situations?

Terms

This is place where we can standardize our language.

  • Security Data: This is raw data that by itself may not be enough to indicate a security event.
  • Security Event: 
  • Analytic

QUESTIONS (Or Advanced Use Cases)

  1. In terms of security logging, should we handle ONAP components differently than Service Components hosted in ONAP?
    Muddasar: Any transections carried out for a service(5G, virtualization and SDN) should generate Application Logs  by ONAP Containers.  I would think life cycle management of a service (instantiation and changes) may have some information buried in the ONAP logs.  Transections events for service design, service deployment within and outside the ONAP components  thru ONAP APIs should be part of the ONAP logging.  
  2. How do we handle the use case where ONAP is being used to deploy and manage a security infrastructure?
    Muddasar: I think it may be similar to above.  I think ONAP will not be used to do OAM of security infrastructure, with exception that ONAP may play a role in the instantiation of some of security network elements.  Example:  A service design may require deployment of FW/IDS/IPS.  ONAP transection may be limited to requesting VIMs/EMs  to deploy/change network elements and perhaps deploy base configuration.  Logs generated by network elements may flow thru a different path(different virtualized enclaves) to a different collector similar to XNFs.  
  3. What about security events in regards to the closed loop model?  Adversarial AI will be an issue that will need security monitoring in the near future.  Does this mean that orchestration / life cycle data from the DCAE needs to ingested by a SIEM?
    Muddasar:  I believe Data Exposure Service (DES) can provide this facility.  I think question here should be that once logs are created, are there any internal ONAP consumers for that information?  

References

  1. https://www.enisa.europa.eu/publications/security-in-5g-specifications
  2. https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks
  3. VNF Requirements List: 9. Requirement List — onap master documentation
  4. ONAP application1 logging guidelines – Revision 1.0 (4/11/2017
  5. VNFCloud Readiness Requirements for OpenECOMP

Attachments

...

View file
nameONAP Logs Security Managment1.pptx
height250

ONAP Logs Security Management
rouzaut , FEB-20201

...

View file
nameLogging_ source reference diagrams.pptx
height250

Logging Source Reference Diagrams
Muddasar Ahmed , JUL-2021

...

View file
name2021-02-22_LoggingRequirementEvents_v9.pptx
height250

Proposed Container Logging Requirements
Amy Zwaricorouzaut, FEB-2021

View file
nameLogging - ATTACK to SECCOM_v3.pptx
height250

...

Best Practices and Risk Analysis for an Operator

<TODO>

Best Practices for operators to collect and correlate logs

<TODO>

Tagging

Muddasar put your thoughts here :Adding metadata or label tags close to log source or by the log source is a good practice.  Tags can be added by a local driver for Service and Container ID/name (fqdn) as logs received by logging driver.  As ONAP XNF containers will log to stdout/stderr I/O streams, a host or sidecar based collector should be able to add tags for sending source prior to moving the logs to centralized collection location. 

As part of log generation other information elements can be added by the application.  we should consider what needs to be a requirement:  Event_Type (Access, Operation, Error).  Logging enahncement project in the past listed format and options, see Logging Enhancements Project Proposal.



Image Added