2022-05-17 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 10th of May 2022.

Jira No

Summary

Description

Status

Solution

Jira No

Summary

Description

Status

Solution



LFN Developer & Testing Forum

Event June 13th-16th Porto, Portugal

Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/

started







  • SECCOM topics proposal:

    • SECCOM retrospectives:

      • Log4j fix implementation in Istanbul Maintenance Release

      • Jakarta security status update

    • Kohn security goals:

      • Global Requirements and Best Practices

      • Security PoCs:

      • logging req

      • code quality

      • service mesh

    • SBOM enablement and maintenance, and packaging

    • Waiver policy update

    • Unmaintained projects joint meeting with Amy, Thomas and Andreas, Chaker and Byung.

    • On the road to gold badge - Tony and Toine - potential issue with remote participation for Tony.

    • Operator perspective on ONAP security – Amy, Andreas? Brian? Fabian?

    • Security principles in the implementation – Tony, Maggie - work in progress, risk to deliver for one of next conference.

started

Remaining topic proposals to be submitted.

Brian to share what kind of security due diligence is performed by BellCanada. ONAP is used for 5G slicing orchestration.

Fabian to check if could contribute on how qualify software to be deployed, what duediligence was performed. 

Follow-up with Kenny to be done.





OSA documentation update per release 

Thomas asked for a branch to be created for Jakarta

started

Pawel to be done.



Last PTLs meeting – 25th of April

1.SDC-3954 - open

2.SDNC-1692 - done

3.OOM-2957 – open – reassigned to Fiachra

  •  

    • fix root_pods in Jakarta release:

1.OOM-2958 – open - reassigned to Fiachra

2.INT-2104in progress

  •  

    • fix node ports in Jakarta release

1.SDC-4002 - open

2.SDNC-1703 - open 

3.SO-3941 - open







Last PTLs meeting – 9th of May

Tony presented 5Y project review – CPS volunteered to be PoC and review questionaire.

ongoing

Once Toine completes, we will review the questionnaire. SECCOM to be updated.



Unmaintained Projects

Amy presented to ArchCom and to present to TSC 19 May. 12 May TSC call covered a release milestone.

Good exchanges with Chaker, Byung:

Updated presentation is available below.



Amy to present at 19 May TSC call.

Outline for the yellow to be added.



Update on failing security tests below:

1.SDC-3954 - open

2.SDNC-1692 - done

3.OOM-2957 – open – reassigned to Fiachra

  •  

    • fix root_pods in Jakarta release:

1.OOM-2958 – open - reassigned to Fiachra

2.INT-2104in progress

  •  

    • fix node ports in Jakarta release

1.SDC-4002 - open

2.SDNC-1703 - open 

3.SO-3941 - open



Security tests taht are performed to be reviewed for test coverage and identification of missing items.



SBOM: patch to add the path for VES 

Adoption issue requires manual manipulation of workspace flag.

Next step to get PTL onboard and set target date when LF IT would implement ONAP projects

-5/17: no change in status with LFIT

ongoing





CPS gold badge 

  • IT-23828 2FA (2 Factor Authentication) needed for merging to Gerrit in ONAP – info from Andrew G. „It's possible but non-trivial at present. I'm working on trying to make a case for making this easier to do as I can get 2FA turned on, but then if people need to change things related to it it would require helpdesk intervention with no self-service. Basically, our current setup is user hostile and could be made significantly better.”

  • IT-23829 Hardening LFN hosted ONAP project web sites – done – info from Andrew G. All 3 Nexus systems for ONAP are now reporting grade A. We'll be taking these changes to our other managed Nexus systems as well, so thanks for the poke to improve our security posturę. We are still working on strengthening the wiki and jira scores. They're already getting an A but both of them are showing some items that could be made stronger.”

ongoing





logging PoC report

Ajay (Ericsson) is working on the connection between FluntBit and ElasticSearch. He is leaving Ericsson end of this week, so some of our OOM team members have key learning sessions with him. I told Ajay to check in his code. We plan to report our log PoC progress/demo to SECCOM sometime soon. That is the plan.

Prototype for logging fields.

5/17 Update:

  • OOM: Logs are flowing from ONAP container applications to ElasticSearch. Logs are visible through Kibana reports. File sizes are very large (4Gig in 24hrs); significant trace data in the logs

  • Next steps: investigate the size of log files: metadata dominates data size; FluentBit may be adding information; file size not unreasonable for production system

  • Next Steps: demonstrate to SECCOM, PTL, Architecture, TSC

  • Byung to upload Kibana report to meeting minutes

  • 5/24: Andrew Lamb will present results to SECCOM

ongoing

update and demo will be provided - Byung coordinates that.



CPS PoC

Fabian tried to join Seshu. How to move forward: share results of the PoC during PTLs meeting to build awarness, followed by proposal to community. Closed loop for results is a defintely a value for the developer.

ongoing

Outcomes of CPS PoC to be presented in incoming weeks.



NIST 5G Cybersecurity draft document

https://csrc.nist.gov/publications/detail/sp/1800-33/draft

ongoing





Technical debt

Presentation provided by Muddasar:

El Alto was first release focusing on technical debt and it was a shorter release.

started

We shall have Jira issues for all technical dept issues to track it.

To review last 2 slides ta the next meeting - slides to be shared by Muddasar to SECCOM distribution list - done.

One slide to be prepared and then shared with PTLs and architecture subcommitee.



SECCOM MEETING CALL WILL BE HELD ON 24th OF MAY'22. 



Review of technical debt slides with special focus on 2 last ones.









Recording: 

audio1110136984.m4a

video1110136984.mp4



SECCOM presentation:

2022-05-17 ONAP Security Meeting - AgendaAndMinutes.pptx

Unmaintained repos deck:

22_04_18_ONAPUnmaintainedProjects_v5.pptx