RM and RA-1: ONAP Security Requirements
This page serves as a placeholder until the matrix is complete; the recommended changes will then be made to RM Chapter 07 and RA_1 Chapter 02. Once those additions are done, this page will be archived.
ONAP Security Requirements
| ONAP Security Ref | Description | Notes | CNTT Relevant | Exists | CNTT Ref# | Current Description, if exists | Recommended Description (may be a modification of existing) | Notes |
|---|---|---|---|---|---|---|---|---|
| 1 | ONAP MUST implement and enforce the principle of least privilege on all protected interfaces. | | Y | Y | sec.sys.007 | The Platform must implement controls enforcing separation of duties and privileges, least privilege use and least common mechanism (Role-Based Access Control) | | |
| 2 | ONAP MUST provide a mechanism (e.g., access control list) to permit and/or restrict access to services on ONAP by source, destination, protocol, and/or port. | | Y | Y | multiple | | The Platform MUST provide a mechanism (e.g., access control list) to permit and/or restrict access to platform services by source, destination, protocol, and/or port. | Propose adding this explicitly |
| 3 | ONAP SHOULD provide a mechanism that enables the operators to perform automated system configuration auditing at configurable time intervals. | | Y | N | | | The Platform SHOULD provide a mechanism that enables the operators to perform automated system configuration auditing at configurable time intervals. | |
| 4 | ONAP SHOULD provide the capability for the Operator to run security vulnerability scans of the operating system and all application layers. | | Y | N | | | The Platform SHOULD provide the capability for the Operator to run security vulnerability scans of the operating system and all application layers. | Proposal to replace "all application layers" with "Platform application layers" in order to exclude the workloads. It can be added under System Hardening. |
| 5 | ONAP SHOULD have source code scanned using scanning tools (e.g., Fortify) and provide reports. | | N | | | | | Image, log file and other scanning are included in the CNTT requirements |
| 6 | ONAP MUST have all code (e.g., QCOW2) and configuration files (e.g., HEAT template, Ansible playbook, script) hardened, or with documented recommended configurations for hardening and interfaces that allow the Operator to harden ONAP. Actions taken to harden a system include disabling all unnecessary services (e.g., listening ports), removing unnecessary programs (e.g., compilers, testing tools, password crackers, port scanners, sample programs) and changing default values. | | Y | Y | sec.gen.004 | The Operating Systems of all the servers part of Cloud Infrastructure must be hardened by... | | For relevant components |
| 7 | It MUST be possible to isolate traffic of the ONAP internal APIs from traffic of the ONAP external APIs. | | Y | Y | sec.sys.001 to sec.sys.004 | | | OSTK intrinsic |
| 8 | Network isolation capability between the traffic of different ONAP external APIs MUST be supported. The capability to isolate ONAP NBI traffic from all other external traffic MUST be supported. | | Y | Y | sec.sys.004, sec.sys.005, sec.sys.002 | The Cloud Infrastructure must support Secure network channels; The Cloud Infrastructure must segregate the underlay and overlay networks; The Platform must support Traffic Filtering for workloads (for example, Fire Wall) | | |
| 9 | All the ONAP network isolation mechanisms MUST be operator configurable. | | N | N | | | | |
| 10 | ONAP SHOULD support network segregation on ONAP internal interfaces: both between and inside the Kubernetes cluster(s). This means isolation of the internal APIs carrying different types of traffic (like DB traffic, monitoring traffic, ...). | The separation is realized e.g. using network namespaces and K8s network policies. If multiple applications can be deployed in one K8s cluster, it must be carefully considered whether network segregation by namespaces and policies alone is sufficient, or whether separation onto different machines / VMs is required for increased security. | | | | | | |
| 11 | ONAP SHOULD be compatible with HW-assisted security technologies like HSM, secure enclaves, TPM / virtual TPM for protection of more critical data (like encryption keys, secrets). | | Y | Y (partial) | sec.sys.012 | The Platform must only use secrets encrypted using strong encryption techniques, and stored externally from the component | | |
| 12 | ONAP MUST have patches available for vulnerabilities in ONAP aligned with CII badging specifications of criticality & delivery time. | Link to the CII requirement: https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/criteria.md | Y | Y | sec.lcm.011, sec.lcm.017 | The Platform must implement Security life cycle management processes including proactively update and patch all deployed Cloud Infrastructure software; The Platform must Audit systems for any missing security patches and take appropriate actions | | |
| 13 | ONAP MUST support encrypted access protocols, following the current best practices in: https://wiki.onap.org/display/DW/Recommended+Protocols | | Y | Y | sec.sys.003, sec.lcm.002 | The Platform must support Secure and encrypted communications, and confidentiality and integrity of network traffic; Operational (typo? presumably "Operations") must use management protocols limiting security risk such as SNMPv3, SSH v2, ICMP, NTP, syslog and TLS v1.2 or higher. | Suggest adding another requirement: The Platform must support encrypted access protocols such as TLS 1.2 and newer or better. → Yes, described in 6.3.3.1: When using TLS protocols, the Platform must choose an encryption cipher that supports PFS. In the list of ciphers found in https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet choose only ciphers in the A+, A or B category. All web pages must be served over HTTPS and the HTTP Strict Transport Security (HSTS) policy must be preloaded on the browsers. | |
| 14 | ONAP MUST store Authentication Credentials used to authenticate to other systems encrypted, except where there is a technical need to store the password unencrypted, in which case it must be protected using other security techniques that include, but are not limited to, the use of file and directory permissions. | | Y | Y | sec.sys.012 | The Platform must only use secrets encrypted using strong encryption techniques, and stored externally from the component | | |
| 15 | For all GUI and command-line interfaces, ONAP MUST provide the ability to present a configurable warning notice. A warning notice is a formal statement of resource intent presented to everyone who accesses the system. | | N | N | | | | |
| 16 | ONAP MUST allow the Operator to disable or remove any security testing tools or programs included in ONAP, e.g., password cracker, port scanner. | | N | N | | | | |
| 17 | ONAP MUST define all the access points. | | Y | Y | sec.sys.001 | The Platform must support authenticated and secure APIs, API endpoints; The Platform must implement authenticated and secure access to GUI | | |
| 18 | ONAP MUST enforce authorization on all the access points, and/or give recommendations for the ONAP deployment to enforce in the Kubernetes platform and Rancher. | | Y | Y | sec.sys.001 | The Platform must support authenticated and secure APIs, API endpoints | | |
| 19 | ONAP MUST log any security event required by ONAP Requirements to Syslog and give the user the ability to configure LOG_AUTHPRIV or LOG_AUTH as needed. | Can only know whether it is a security event after analysis | Y | Y | sec.gen.015 + sec.mon.005, sec.mon.006, sec.mon.08 to sec.mon.12 | Any change to the Platform must be logged as a security event, and the logged event must include the identity of the entity making the change, the change, the date and the time of the change. | | multiple |
| 20 | ONAP MUST be operable without the use of Network File System (NFS). | | N | | | | | |
| 21 | ONAP MUST NOT contain any backdoors. | | Y | N | | | PR#2081, new sec.sys.015: The platform must not contain back door entries (unpublished access points, APIs, etc.) | Notes from RA1 meeting Oct. 19th: Already tested by RC2. Nothing in OpenStack, but can be done. CIS benchmark? |
| 22 | If SNMP is utilized, ONAP MUST support the most recent secure version of SNMP with message authentication. | | Y | Y | sec.lcm.002 | | | General requirement to have the latest security patches for all components |
| 23 | ONAP application processes MUST NOT run as root. | | N | | | | | |
| 24 | Login access (e.g., shell access) to a running instance of ONAP components, whether interactive or as part of an automated process, MUST be through an encrypted protocol such as SSH or TLS. | | Y | N | sec.lcm.002 (partial coverage) | | PR#2081, new sec.sys.016: Login access to the platform's components must be through encrypted protocols such as SSH v2 or TLS v1.2 or higher. Note: hardened jump servers isolated from external networks are recommended. | Notes from RA1 meeting Oct. 19th: HTTPS for OpenStack end points, self-signed certificates not allowed -> RA1 "should" or "must"? Private EP / Public EP. Check the latest ONAP version |
| 25 | ONAP MUST, after a successful login at command line or a GUI, display the last valid login date and time and the number of unsuccessful attempts since then made with that user's ID. This requirement is only applicable when the user account is defined locally in ONAP. | | N | | | | | OSTK GUI (Horizon) provides this |
| 26 | | | | | | | | |
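Row 10 notes that segregation of internal traffic types inside a Kubernetes cluster is realized with namespaces and K8s network policies. The manifests below are an added illustration of that pattern, not ONAP or CNTT project configuration; the namespace names (onap-db, onap-app), labels (app=mariadb, role=db-client, tier=application, tier=monitoring) and ports are placeholders chosen for the example. They show a default-deny baseline in the database namespace and then separate allow rules for DB-client traffic and monitoring traffic, so each traffic type is governed by its own policy.

```yaml
# Added example (not ONAP/CNTT code). All namespace, label and port values
# are placeholders.
#
# 1. Default-deny ingress for every pod in the onap-db namespace. With no
#    other policy selecting a pod, nothing can reach it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: onap-db
spec:
  podSelector: {}          # empty selector = all pods in the namespace
  policyTypes:
    - Ingress
---
# 2. DB traffic: only pods labelled role=db-client that live in a namespace
#    labelled tier=application may reach the database port. A single 'from'
#    entry containing both namespaceSelector and podSelector is ANDed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-clients
  namespace: onap-db
spec:
  podSelector:
    matchLabels:
      app: mariadb
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              tier: application
          podSelector:
            matchLabels:
              role: db-client
      ports:
        - protocol: TCP
          port: 3306
---
# 3. Monitoring traffic: a separate policy for the metrics scrape path, so
#    it can be reviewed and changed independently of the DB-client rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-metrics-scrape
  namespace: onap-db
spec:
  podSelector:
    matchLabels:
      app: mariadb
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              tier: monitoring
      ports:
        - protocol: TCP
          port: 9104
```

Two practical checks go with this: NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them, so an operator should confirm that on the target cluster (a policy accepted by the API server but ignored by the network plugin gives no isolation), and `kubectl get networkpolicy -n onap-db` should list exactly the intended policies after deployment. As the row's own note says, this is namespace- and policy-level segregation within one cluster; where a deployment needs stronger separation between applications, placing them on different machines or VMs remains the fallback.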