Task
Resolution: Unresolved
Medium
VNFRQTS Sprint 25, VNFRQTS Sprint 26, VNFRQTS Sprint 27, VNFRQTS Sprint 28, VNFRQTS Sprint 29, VNFRQTS Sprint 30, VNFRQTS Sprint 31
Modify the ONAP VNF security requirements for configuration hardening and monitoring functionality so that a compliant VNF can be effectively hardened and monitored by an operator. (R-92207, R-23882, R-31961 and others)
readthedocs link: https://onap.readthedocs.io/en/dublin/submodules/vnfrqts/requirements.git/docs/Chapter4/Security.html
Existing VNF requirements for hardening and auditing:
Number | Jira - Casablanca | Requirement |
R-99771 | | NEW: All architectural layers of the VNF MUST be hardened, or have documented recommended configurations for hardening and interfaces that allow the Operator to harden all architectural layers. This includes but is not limited to all code (e.g., QCOW2), configuration files (e.g., HEAT template, Ansible playbook, script), and interfaces (e.g., ports, APIs). Actions taken to harden a system include disabling all unnecessary services, and changing default values such as default credentials and community strings. CURRENT: The VNF MUST have all code (e.g., QCOW2) and configuration files (e.g., HEAT template, Ansible playbook, script) hardened, or with documented recommended configurations for hardening and interfaces that allow the Operator to harden the VNF. Actions taken to harden a system include disabling all unnecessary services, and changing default values such as default credentials and community strings. |
R-842258 | | NEW: The VNF MUST include a configuration that specifies the set of ports over which the VNF will communicate including internal, external and management communication. CURRENT: The VNF MUST include a configuration, e.g., a heat template or CSAR package, that specifies the targeted parameters, e.g. a limited set of ports, over which the VNF will communicate (including internal, external and management communication). |
R-56385 | Section 7.3.1.1 | The VNF or PNF MUST support APPC Audit command. |
R-92207 | | NEW: The VNF MAY provide mechanisms other than APPC Audit that enable the operators to perform automated system configuration auditing at configurable time intervals. CURRENT: The VNF SHOULD provide a mechanism that enables the operators to perform automated system configuration auditing at configurable time intervals. |
R-23882 | | NEW: The VNF SHOULD provide the capability to run security vulnerability scans of the operating system and application to identify all software components with known vulnerabilities (CVEs). CURRENT: The VNF SHOULD provide the capability for the Operator to run security vulnerability scans of the operating system and all application layers. |
R-56904 | NONE | CURRENT: The VNF MUST interoperate with the ONAP (SDN) Controller so that it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual routing and forwarding rules. |
Relates to:
- VNFRQTS-660 VNF Security Requirement R-92207 (Open)
- VNFRQTS-726 Reword VNF Security Requirement R-99771 (Open)
- VNFRQTS-728 Reword VNF Security Requirement R-92207 and Move to Section 7.3.1.1 (Open)
- VNFRQTS-304 Reword VNF Security Requirement R-92207 and Move to Section 7.3.1.1 (Closed)
- VNFRQTS-305 Reword VNF Requirement R-23882 (Closed)
- VNFRQTS-311 Reword VNF Security Requirement R-99771 (Closed)
- VNFRQTS-661 VNF Security Requirement R-23882 (Closed)
- VNFRQTS-727 Reword VNF Requirement R-23882 (Closed)