2023-01-10 Security Subcommittee Meeting Notes

Please find below the minutes and the recording of the SECCOM meeting held on the 10th of January 2023.

Jira No | Summary | Description | Status | Solution




Weekly scans re-enabled with Michal’s support:

https://logs.onap.org/onap-integration/weekly/onap-weekly-dt-oom-kohn/2022-11/28_09-30/

- Fiachra responded on strimzi-zk-entrance:

  • This container is required by the DMaaP message router to connect directly to the Strimzi ZooKeeper for storing some metadata.

  • Strimzi locks its ZooKeeper cluster by default, and this was advised as a "hack/temporary" solution for MR.

  • https://github.com/scholzj/zoo-entrance

  • I do see that the base image was updated recently though, so not sure where the old Java version is coming from.

  • AP: to identify where it is getting picked up from

Status: ongoing

Solution: E-mail with feedback was shared with Fiachra.



Security issues raised by External researchers

- IT-24999 Security Issue - Sensitive information leakage

- IT-25000 Vulnerability detected (DMARC record missing)

Status: ongoing

Solution: Details to be reviewed by Pawel and Amy on January 13th.



Unmaintained projects

Repos without any merge in the last year have been identified; the list is to be reviewed at the next PTL meeting on Jan 23rd. Merges by Thomas and Cedric are to be excluded.

Status: ongoing





TSC meeting (5th January)

  • Sync on January 11th with OSC (Martin Skorupski)

  • New idea of special squad team to deal with projects without PTLs

  • Updated London release schedule







PTL meeting (9th January)

Check with Fiachra on the strimzi-zk-entrance container







Logging security discussion (recording reference: starting from 17:15)

Justin Garrard (jagarra@uwe.nsa.gov) presented onap-log-inject.pptx and demo.

ONAP logging requirements: ONAP Next Generation Security & Logging Architecture.

OOM wanted to have logging at the node level.

Moving the collection agent from node level to pod level avoids the security issue.

Status: started

Solution: Further exchanges to be held on that topic; pushing Fluent Bit to the pod makes sense from a security perspective.



SECCOM MEETING CALL WILL BE HELD ON January 17th 2023.


Recordings:

2023-01-10_SECCOM_week.mp4



SECCOM presentation:

2023-01-10 ONAP Security Meeting - AgendaAndMinutes.pptx