Sounds good, the Logging team has a preliminary SLF4J library and an AOP 
wrapper around it for markers via a war/docker/helm RI – however it is not 
mature - https://git.onap.org/logging-analytics/tree/reference .
There is a library in Portal that I am looking at as of today’s portal meet.  
There are also several log wrapper APIs in SDC and AAI:
https://wiki.onap.org/display/DW/Logging+Developer+Guide
https://wiki.onap.org/pages/viewpage.action?pageId=28378955

See some related discussion from today with the Acumos and Portal team - 
https://lists.onap.org/g/onap-discuss/topic/logging_standards/24231150?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,24231150

We have a log checking tool in the queue in our Casablanca scope – however it 
is not started yet.
Also we have the 2-step log verification epics in our scope, DevOps 
(ELK+Filebeat infrastructure verifying) and ensuring the logs are in spec 
format – all in the works as we have limited resources – but are working with 
the teams and in a lot of cases the teams are taking care of themselves.

Whatever we do we should include the Acumos logging team who shadow part of 
our ONAP spec (most of the team is in ONAP as well).
Thank you
/michael



From: Yunxia Chen <helen.c...@huawei.com>
Sent: Wednesday, August 8, 2018 1:41 PM
To: Lefevre, Catherine <cl6...@intl.att.com>; Stephen Terrill 
<stephen.terr...@ericsson.com>; Michael O'Brien <frank.obr...@amdocs.com>
Cc: onap-sec...@lists.onap.org
Subject: Re: ONAP Casablanca Security Testing

Hi, Catherine,
For Log Audit, using the existing Logging Framework would be great. If the Logging 
Framework could provide the API and the projects could then use that API, that would be 
ideal in my humble opinion. (Added Michael to this email.) Michael, any input, 
or do you already have it?

For Integrity Protection, as a rule, we need to make sure that none of our programs 
(executable binary files) and other files, such as configuration or library files, 
are accessible or modifiable without any authentication or authorization validation.

Regards,

Helen Chen

From: "LEFEVRE, CATHERINE" <cl6...@intl.att.com>
Date: Tuesday, August 7, 2018 at 6:28 AM
To: Helen Chen 00725961 <helen.c...@huawei.com>, 
Stephen Terrill <stephen.terr...@ericsson.com>
Cc: "onap-sec...@lists.onap.org" <onap-sec...@lists.onap.org>
Subject: RE: ONAP Casablanca Security Testing

Good morning/afternoon Helen and Stephen,

I had a look at the deck, in particular slide 3.

I have some questions:

  *   Log Audit – Casablanca release is based on Logging Framework v1.2 – do we 
need to ask the Logging Framework team to ensure all the logs are part of their 
specifications? Do they need to develop a dedicated audit tool as well?
  *   Integrity Protection - Would it be possible to provide clarifications about 
what we mean by key files and programs so we can align our understanding?

Many thanks and regards
Catherine

From: onap-sec...@lists.onap.org 
[mailto:onap-sec...@lists.onap.org] On Behalf Of Yunxia Chen
Sent: Friday, August 03, 2018 9:12 PM
To: Stephen Terrill <stephen.terr...@ericsson.com>
Cc: onap-sec...@lists.onap.org
Subject: [Onap-seccom] ONAP Casablanca Security Testing

Hi, Stephen and other ONAP security pros,

The automatic testing tools have covered quite some security-related 
testing with NEXUS IQ. I am curious how you handle other security-related 
testing and where I could find the results, as in the attached file:

  1.  At p2, is there anyone to verify “all communication shall be able to be 
encrypted and have common role-based access control and authorization”? Or is 
this trust-based?
  2.  Do we have a requirement for items at P3? Those are very serious security 
holes, for example XSS injection risk.

Regards,
Helen Chen
