Re: [onap-discuss] ONAP Casablanca Security Testing

2018-08-08 Thread Michael O'Brien
Anything ONAP system related YES – login and operation via the 4: error, debug, 
metrics, audit
There is a 5th for operations (engine.out) 
https://wiki.onap.org/pages/viewpage.action?pageId=28378955#ONAPApplicationLoggingSpecificationv1.2(Casablanca)-Engine.out

If by operation or system you mean undercloud (kubernetes/helm deployment, or 
docker logs on the cluster VMs) – not yet.
AT&T has a requirement to log a lot more than just ONAP and is driving a large 
portion of our epics.

We could do more though – like the kubernetes cluster itself, syslog etc…
We do not capture artifact logs – VNF (CLAMP does via their ELK stack – but I 
need to fully verify) in ONAP’s case (same scope as the AI deployed artifacts 
in Acumos) – as in separate from the framework operation logs.

/michael

From: onap-discuss@lists.onap.org On Behalf Of Helen Chen
Sent: Wednesday, August 8, 2018 2:37 PM
To: Michael O'Brien; Lefevre, Catherine; Stephen Terrill
Cc: onap-sec...@lists.onap.org; onap-discuss@lists.onap.org
Subject: Re: [onap-discuss] ONAP Casablanca Security Testing

Thanks Michael for all that information. Does the Logging Framework have the 
following three categories in scope:
login logs, operation logs, and system logs?

Regards,

Helen Chen


Re: [onap-discuss] ONAP Casablanca Security Testing

2018-08-08 Thread Helen Chen
Thanks Michael for all that information. Does the Logging Framework have the 
following three categories in scope:
login logs, operation logs, and system logs?

Regards,

Helen Chen

From: Michael O'Brien 
Date: Wednesday, August 8, 2018 at 11:07 AM
To: Helen Chen 00725961, "LEFEVRE, CATHERINE", Stephen Terrill
Cc: "onap-sec...@lists.onap.org", onap-discuss
Subject: RE: ONAP Casablanca Security Testing

Sounds good, the Logging team has a preliminary SLF4J library and an AOP 
wrapper around it for markers via a war/docker/helm RI– however it is not 
mature - https://git.onap.org/logging-analytics/tree/reference .
There is a library in Portal that I am looking at as of today’s portal meet.  
There are also several log wrapper apis in SDC and AAI
https://wiki.onap.org/display/DW/Logging+Developer+Guide
https://wiki.onap.org/pages/viewpage.action?pageId=28378955

see some related discussion from today with the Acumos and Portal team - 
https://lists.onap.org/g/onap-discuss/topic/logging_standards/24231150?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,24231150

We have a log checking tool in the queue in our Casablanca scope – however it 
is not started yet
Also we have the 2 step log verification epics in our scope, DevOps 
(ELK+Filebeat infrastructure verifying) and ensuring the logs are in spec 
format – all in the works as we have limited resources – but are working with 
the teams and in a lot of cases the teams are taking care of themselves.

Whatever we do we should include the Acumos logging team who shadow part of 
our ONAP spec (most of the team is in ONAP as well)
Thank you
/michael



From: Yunxia Chen 
Sent: Wednesday, August 8, 2018 1:41 PM
To: Lefevre, Catherine; Stephen Terrill; Michael O'Brien
Cc: onap-sec...@lists.onap.org
Subject: Re: ONAP Casablanca Security Testing

Hi, Catherine,
For Log Audit, using the existing Logging Framework would be great. If the Logging 
Framework could provide the API and then projects could use that API, that would be 
ideal in my humble opinion. (Added Michael to this email.) Michael, any input, 
or do you already have it?

For Integrity Protection, as a rule, we need to make sure that none of our programs 
(executable binary files) and other files, such as configuration or library, 
are accessible or modifiable without any authentication or authorization validation.

Regards,

Helen Chen

From: "LEFEVRE, CATHERINE" <cl6...@intl.att.com>
Date: Tuesday, August 7, 2018 at 6:28 AM
To: Helen Chen 00725961 <helen.c...@huawei.com>, 
Stephen Terrill <stephen.terr...@ericsson.com>
Cc: "onap-sec...@lists.onap.org" <onap-sec...@lists.onap.org>
Subject: RE: ONAP Casablanca Security Testing

Good morning/afternoon Helen and Stephen,

I had a look at the deck, in particular slide 3.

I have some questions:

  *   Log Audit – Casablanca release is based on Logging Framework v1.2 – do we 
need to ask the Logging Framework team to ensure all the logs are part of their 
specifications? Do they need to develop a dedicated audit tool as well?
  *   Integrity Protection - Would it be possible to provide clarifications about 
what we mean by key files and programs so we can align our understanding?

Many thanks and regards
Catherine

From: onap-sec...@lists.onap.org [mailto:onap-sec...@lists.onap.org] On Behalf Of Yunxia Chen
Sent: Friday, August 03, 2018 9:12 PM
To: Stephen Terrill <stephen.terr...@ericsson.com>
Cc: onap-sec...@lists.onap.org
Subject: [Onap-seccom] ONAP Casablanca Security Testing

Hi, Stephen and other ONAP security pro,

The automated testing tools have covered quite a lot of security-related 
testing with NEXUS IQ. I am curious how you handle other security-related 
testing and where I could find the results, as in the attached file:

  1.  At p2, is there anyone to verify “all communication shall be able to be 
encrypted and have common role-based access control and authorization”? Or is 
this trust-based?
  2.  Do we have requirements for the items at P3? Those are very serious security 
holes, for example XSS injection risk.

Regards,
Helen Chen




Re: [onap-discuss] ONAP Casablanca Security Testing

2018-08-08 Thread Michael O'Brien
Sounds good, the Logging team has a preliminary SLF4J library and an AOP 
wrapper around it for markers via a war/docker/helm RI– however it is not 
mature - https://git.onap.org/logging-analytics/tree/reference .
There is a library in Portal that I am looking at as of today’s portal meet.  
There are also several log wrapper apis in SDC and AAI
https://wiki.onap.org/display/DW/Logging+Developer+Guide
https://wiki.onap.org/pages/viewpage.action?pageId=28378955

see some related discussion from today with the Acumos and Portal team - 
https://lists.onap.org/g/onap-discuss/topic/logging_standards/24231150?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,24231150

We have a log checking tool in the queue in our Casablanca scope – however it 
is not started yet
Also we have the 2 step log verification epics in our scope, DevOps 
(ELK+Filebeat infrastructure verifying) and ensuring the logs are in spec 
format – all in the works as we have limited resources – but are working with 
the teams and in a lot of cases the teams are taking care of themselves.

Whatever we do we should include the Acumos logging team who shadow part of 
our ONAP spec (most of the team is in ONAP as well)
Thank you
/michael


