Purpose of the Activity

• Identify which security documentation already exists and where
• Put everything in one place at least as a reference
• Identify gaps and fill those
• Make everything of general relevance available from RTD

Timeline

Initial output for the Guilin release:

• Central document content version 1
• Project template version 1 used by x projects

Activity Register

Proposed structure of security documentation and development

The proposed structure for the security documentation splits responsibilities and sources.

• SECCOM team to provide principles and guidelines to be followed and a template for the projects to provide the security essentials.
• Each project can provide more specific information as they see fit
• Non-documentation sources of ONAP security relevance are referenced/linked

The aim is to make information accessible as easy as possible. All released information will be available from readthedocs (https://docs.onap.org).

The development of content is done in the wiki as collaboration platform. At release time the content is transferred to the readthedocs by means of the scripts provided by the documentation project.

Existing security documentation (02. April 2020)

• https://docs.onap.org/en/latest/submodules/aaf/authz.git/docs/sections/architecture/security.html
• https://docs.onap.org/en/latest/submodules/dmaap/buscontroller.git/docs/security/security.html
• https://docs.onap.org/en/latest/submodules/osa.git/docs/index.html
• https://docs.onap.org/en/latest/submodules/vnfrqts/requirements.git/docs/Chapter4/Security.html
• https://docs.onap.org/en/latest/submodules/multicloud/framework.git/docs/specs/multicloud-secured-communication.html
• https://docs.onap.org/en/latest/submodules/aai/esr-gui.git/docs/release-notes/security-issues.html
• https://docs.onap.org/en/latest/submodules/vnfrqts/requirements.git/docs/Chapter5/Heat/ONAP%20Heat%20Resource%20ID%20and%20Parameter%20Naming%20Convention/Suggested%20Naming%20Convention%20for%20Common%20Parameters.html#security-group
• https://docs.onap.org/en/latest/submodules/vnfrqts/requirements.git/docs/changes-by-section-frankfurt.html#vnf-security-vnf-general-security-requirements
• https://docs.onap.org/en/latest/submodules/osa.git/docs/process.html#handling-public-leaked-security-issues
• https://docs.onap.org/en/latest/submodules/dcaegen2.git/docs/sections/apis/ves.html#security

Meeting Notes and Current State of the Discussion:

• Meeting from 02. April 2020

• Meeting from 19. March 2020

• Meeting from 05. March 2020:
  
  
  
  

Meeting from 19. March 2020

Open Source Project Documentation Examples:

• Eclipse Jetty
  
  • https://www.eclipse.org/jetty/
  • Nice features
    • Security Reports includes a table of all known CVEs affecting Jetty and the release in which the vulnerability was fixed: https://www.eclipse.org/jetty/security-reports.html
    • Documentation contains a section on how to configure security in Jetty: https://www.eclipse.org/jetty/documentation/current/
      • Authetication and Authorization
      • Limiting Form Content
      • Aliased Files and Symbolic Links
      • Secure Password Obfuscation
      • Setting Port 80 Access for a Non-Root User
      • JAAS Support
      • SPNEGO Support
      • Session Management
      • Logging
  • Observation: Jetty is a very mature project and has put a lot of time and effort into their documentation
• Ubuntu
  • Ubuntu Release Notes
    • Lists updated packages
    • Lists security improvements
    • Lists known issues
    • Includes instructions for reporting bugs
  • Known vulnerabilities are reported at on the Ubuntu Security Notices page: https://usn.ubuntu.com/
  • Ubuntu native security features are documented in the Ubuntu guides
    • Example: Ubuntu Server Guide - Chapter 7, Chapter 9 (https://help.ubuntu.com/lts/serverguide/serverguide.pdf)