author Bozawglanian, Hagop (hb755d) <hagop.bozawglanian@att.com> 2018-10-30 15:35:14 +0000
committer Bozawglanian, Hagop (hb755d) <hagop.bozawglanian@att.com> 2018-10-30 15:35:14 +0000
commit 01659281be2cb12b99938c8d19dedc7a2c09b2f7 (patch)
tree e9d25c0e9d0e3ec8d8f6360b01c03e38cbf00891
parent 4409c3b698d3646adc93c87a7688cdbe6b741d4a (diff)
VNFRQTS - New Security Req SECCOM 1
Contains changes for VNFRQTS-326, 327, 328, 329, 330, 331, 367

Issue-ID: VNFRQTS-326
Change-Id: I49fecd50ba766547b54d4d0583629997afb21dc8
Signed-off-by: Bozawglanian, Hagop (hb755d) <hagop.bozawglanian@att.com>
-rw-r--r-- docs/Chapter4/Security.rst 73
-rw-r--r-- docs/data/needs.json 204
2 files changed, 270 insertions, 7 deletions
diff --git a/docs/Chapter4/Security.rst b/docs/Chapter4/Security.rst
index 35745a9..50eb650 100644
--- a/docs/Chapter4/Security.rst
+++ b/docs/Chapter4/Security.rst
@@ -73,7 +73,7 @@ and other state of the art security solutions. The VNF is expected to
function reliably within such an environment and the developer is
expected to understand and accommodate such controls and can expected
to supply responsive interoperability support and testing throughout
-the product’s lifecycle.
+the product's lifecycle.
.. req::
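Review bot: The context line "expected to understand and accommodate such controls and can expected" in this paragraph is missing a verb ("can be expected"); since the hunk already touches the paragraph for the apostrophe, fix it in the same change. The apostrophe normalization itself is not tied to any of the VNFRQTS issues listed in the commit message, so either mention it there or split it into its own commit.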
@@ -241,6 +241,61 @@ the product’s lifecycle.
Syslog using LOG_AUTHPRIV for any event that would contain sensitive
information and LOG_AUTH for all other relevant events.
+.. req::
+ :id: R-756950
+ :target: VNF
+ :keyword: MUST
+ :introduced: casablanca
+
+ The VNF **MUST** be operable without the use of Network File System (NFS).
+
+.. req::
+ :id: R-240760
+ :target: VNF
+ :keyword: MUST NOT
+ :introduced: casablanca
+
+ The VNF **MUST NOT** contain any backdoors.
+
+.. req::
+ :id: R-256267
+ :target: VNF
+ :keyword: MUST
+ :introduced: casablanca
+
+ If SNMP is utilized, the VNF **MUST** support at least SNMPv3 with
+ message authentication.
+
+.. req::
+ :id: R-258686
+ :target: VNF
+ :keyword: MUST NOT
+ :introduced: casablanca
+
+ The VNF application processes **MUST NOT** run as root.
+
+.. req::
+ :id: R-118669
+ :target: VNF
+ :keyword: MUST
+ :introduced: casablanca
+
+ Login access (e.g., shell access) to the operating system layer, whether
+ interactive or as part of an automated process, **MUST** be through an
+ encrypted protocol such as SSH or TLS.
+
+.. req::
+ :id: R-343842
+ :target: VNF
+ :keyword: MUST
+ :introduced: casablanca
+
+ The VNF **MUST**, after a successful login at command line or a GUI,
+ display the last valid login date and time and the number of unsuccessful
+ attempts since then made with that user's ID. This requirement is only
+ applicable when the user account is defined locally in the VNF.
+
+
VNF Identity and Access Management Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
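Review bot: R-256267 asks only for "SNMPv3 with message authentication", which an authNoPriv configuration satisfies, so SNMP payloads could still travel unencrypted; if confidentiality is intended, require authentication and privacy (authPriv) explicitly. R-240760 ("MUST NOT contain any backdoors") does not define what counts as a backdoor, which makes it hard to validate as written; a short definition or a pointer to one would help. R-118669 is the only new requirement in this hunk that does not name "The VNF" as its subject, and "an encrypted protocol such as SSH or TLS" carries no minimum protocol version.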
@@ -373,8 +428,8 @@ Identity and Access Management Requirements
:keyword: MUST
:updated: casablanca
- The VNF **MUST**, if not integrated with the Operator’s Identity and
- Access Management system, comply with “password complexity” policy. When
+ The VNF **MUST**, if not integrated with the Operator's Identity and
+ Access Management system, comply with "password complexity" policy. When
passwords are used, they shall be complex and shall at least meet the
following password construction requirements: (1) be a minimum configurable
number of characters in length, (2) include 3 of the 4 following types of
@@ -417,6 +472,18 @@ Identity and Access Management Requirements
protocols such as LDAP, TACACS+, Windows Integrated Authentication
(Kerberos), SAML federation, or OAuth 2.0.
+.. req::
+ :id: R-814377
+ :target: VNF
+ :keyword: MUST
+ :introduced: casablanca
+
+ The VNF **MUST** have the capability of allowing the Operator to create,
+ manage, and automatically provision user accounts using an Operator
+ approved identity lifecycle management tool using a standard protocol,
+ e.g., NETCONF API.
+
+
VNF API Security Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
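Review bot: The R-814377 text chains two "using" clauses ("using an Operator approved identity lifecycle management tool using a standard protocol"), which leaves it unclear whether the standard protocol is something the tool speaks or something the VNF must expose. Suggest rewording so the VNF is the party that supports the protocol, hyphenating "Operator-approved", and writing "e.g., NETCONF" rather than "NETCONF API", since NETCONF is itself the protocol.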
diff --git a/docs/data/needs.json b/docs/data/needs.json
index 89ae129..6ce53de 100644
--- a/docs/data/needs.json
+++ b/docs/data/needs.json
@@ -1,5 +1,5 @@
{
- "created": "2018-10-29T20:49:30.787488",
+ "created": "2018-10-30T15:29:46.177330",
"current_version": "casablanca",
"project": "",
"versions": {
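Review bot: The top-level "created" timestamp changes here and again in the "casablanca" block further down, which suggests needs.json is regenerated output; these lines add diff noise unrelated to the requirements. Please confirm the file was regenerated from Security.rst rather than edited by hand, so the two stay in sync.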
@@ -21858,7 +21858,7 @@
"needs_amount": 750
},
"casablanca": {
- "created": "2018-10-29T20:49:30.787403",
+ "created": "2018-10-30T15:29:46.177191",
"needs": {
"R-00011": {
"description": "A VNF's Heat Orchestration Template's parameter defined\nin a nested YAML file\n**MUST NOT** have a parameter constraint defined.",
@@ -24152,6 +24152,34 @@
"validated_by": "",
"validation_mode": ""
},
+ "R-118669": {
+ "description": "Login access (e.g., shell access) to the operating system layer, whether\ninteractive or as part of an automated process, **MUST** be through an\nencrypted protocol such as SSH or TLS.",
+ "full_title": "",
+ "hide_links": "",
+ "id": "R-118669",
+ "impacts": "",
+ "introduced": "casablanca",
+ "keyword": "MUST",
+ "links": [],
+ "notes": "",
+ "section_name": "VNF General Security Requirements",
+ "sections": [
+ "VNF General Security Requirements",
+ "VNF Security"
+ ],
+ "status": null,
+ "tags": [],
+ "target": "VNF",
+ "test": "",
+ "test_case": "",
+ "test_file": "",
+ "title": "",
+ "title_from_content": "",
+ "type_name": "Requirement",
+ "updated": "",
+ "validated_by": "",
+ "validation_mode": ""
+ },
"R-120182": {
"description": "The xNF provider **MUST** indicate specific conditions that may arise, and\nrecommend actions that may be taken at specific thresholds, or if specific\nconditions repeat within a specified time interval, using the semantics and\nsyntax described by the :doc:`VES Event Registration specification<../../../../vnfsdk/module.git/files/VESEventRegistration_3_0>`.",
"full_title": "",
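Review bot: The new R-118669 entry has empty "validation_mode", "validated_by" and "test" fields, and the same is true of the other six entries added in this file, while neighbouring entries elsewhere in the diff carry "validation_mode": "static". If any of the new security requirements are meant to be checked automatically, the corresponding option belongs on the req directive in Security.rst so it flows through here.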
@@ -27019,6 +27047,34 @@
"validated_by": "",
"validation_mode": ""
},
+ "R-240760": {
+ "description": "The VNF **MUST NOT** contain any backdoors.",
+ "full_title": "",
+ "hide_links": "",
+ "id": "R-240760",
+ "impacts": "",
+ "introduced": "casablanca",
+ "keyword": "MUST NOT",
+ "links": [],
+ "notes": "",
+ "section_name": "VNF General Security Requirements",
+ "sections": [
+ "VNF General Security Requirements",
+ "VNF Security"
+ ],
+ "status": null,
+ "tags": [],
+ "target": "VNF",
+ "test": "",
+ "test_case": "",
+ "test_file": "",
+ "title": "",
+ "title_from_content": "",
+ "type_name": "Requirement",
+ "updated": "",
+ "validated_by": "",
+ "validation_mode": ""
+ },
"R-24269": {
"description": "The xNF **SHOULD** conform its YANG model to RFC 7407,\n\"A YANG Data Model for SNMP Configuration\", if Netconf used to\nconfigure SNMP engine.",
"full_title": "",
@@ -27248,6 +27304,34 @@
"validated_by": "",
"validation_mode": ""
},
+ "R-256267": {
+ "description": "If SNMP is utilized, the VNF **MUST** support at least SNMPv3 with\nmessage authentication.",
+ "full_title": "",
+ "hide_links": "",
+ "id": "R-256267",
+ "impacts": "",
+ "introduced": "casablanca",
+ "keyword": "MUST",
+ "links": [],
+ "notes": "",
+ "section_name": "VNF General Security Requirements",
+ "sections": [
+ "VNF General Security Requirements",
+ "VNF Security"
+ ],
+ "status": null,
+ "tags": [],
+ "target": "VNF",
+ "test": "",
+ "test_case": "",
+ "test_file": "",
+ "title": "",
+ "title_from_content": "",
+ "type_name": "Requirement",
+ "updated": "",
+ "validated_by": "",
+ "validation_mode": ""
+ },
"R-256347": {
"description": "The PNF **MUST** support the Ansible protocol for a Service Configuration\nmessage exchange between the PNF and PNF Controller (in ONAP).\n\nNote: this exchange may be either Ansible, Chef, or NetConf depending on\nthe PNF. Note: The PNF Controller may be VF-C, APP-C or SDN-C based on the\nPNF and PNF domain. Note: for R3 (Casablanca) only Ansible is supported.",
"full_title": "",
@@ -27362,6 +27446,34 @@
"validated_by": "",
"validation_mode": ""
},
+ "R-258686": {
+ "description": "The VNF application processes **MUST NOT** run as root.",
+ "full_title": "",
+ "hide_links": "",
+ "id": "R-258686",
+ "impacts": "",
+ "introduced": "casablanca",
+ "keyword": "MUST NOT",
+ "links": [],
+ "notes": "",
+ "section_name": "VNF General Security Requirements",
+ "sections": [
+ "VNF General Security Requirements",
+ "VNF Security"
+ ],
+ "status": null,
+ "tags": [],
+ "target": "VNF",
+ "test": "",
+ "test_case": "",
+ "test_file": "",
+ "title": "",
+ "title_from_content": "",
+ "type_name": "Requirement",
+ "updated": "",
+ "validated_by": "",
+ "validation_mode": ""
+ },
"R-25877": {
"description": "A VNF's Heat Orchestration Template's parameter name\n(i.e., <param name>) **MUST** contain only alphanumeric\ncharacters and underscores ('_').",
"full_title": "",
@@ -29422,6 +29534,34 @@
"validated_by": "",
"validation_mode": "static"
},
+ "R-343842": {
+ "description": "The VNF **MUST**, after a successful login at command line or a GUI,\ndisplay the last valid login date and time and the number of unsuccessful\nattempts since then made with that user's ID. This requirement is only\napplicable when the user account is defined locally in the VNF.",
+ "full_title": "",
+ "hide_links": "",
+ "id": "R-343842",
+ "impacts": "",
+ "introduced": "casablanca",
+ "keyword": "MUST",
+ "links": [],
+ "notes": "",
+ "section_name": "VNF General Security Requirements",
+ "sections": [
+ "VNF General Security Requirements",
+ "VNF Security"
+ ],
+ "status": null,
+ "tags": [],
+ "target": "VNF",
+ "test": "",
+ "test_case": "",
+ "test_file": "",
+ "title": "",
+ "title_from_content": "",
+ "type_name": "Requirement",
+ "updated": "",
+ "validated_by": "",
+ "validation_mode": ""
+ },
"R-34484": {
"description": "The VNF **SHOULD** create a single component VNF for VNFCs\nthat can be used by other VNFs.",
"full_title": "",
@@ -32154,7 +32294,7 @@
"validation_mode": ""
},
"R-46908": {
- "description": "The VNF **MUST**, if not integrated with the Operator\u2019s Identity and\nAccess Management system, comply with \u201cpassword complexity\u201d policy. When\npasswords are used, they shall be complex and shall at least meet the\nfollowing password construction requirements: (1) be a minimum configurable\nnumber of characters in length, (2) include 3 of the 4 following types of\ncharacters: upper-case alphabetic, lower-case alphabetic, numeric, and\nspecial, (3) not be the same as the UserID with which they are associated\nor other common strings as specified by the environment, (4) not contain\nrepeating or sequential characters or numbers, (5) not to use special\ncharacters that may have command functions, and (6) new passwords must\nnot contain sequences of three or more characters from the previous\npassword.",
+ "description": "The VNF **MUST**, if not integrated with the Operator's Identity and\nAccess Management system, comply with \"password complexity\" policy. When\npasswords are used, they shall be complex and shall at least meet the\nfollowing password construction requirements: (1) be a minimum configurable\nnumber of characters in length, (2) include 3 of the 4 following types of\ncharacters: upper-case alphabetic, lower-case alphabetic, numeric, and\nspecial, (3) not be the same as the UserID with which they are associated\nor other common strings as specified by the environment, (4) not contain\nrepeating or sequential characters or numbers, (5) not to use special\ncharacters that may have command functions, and (6) new passwords must\nnot contain sequences of three or more characters from the previous\npassword.",
"full_title": "",
"hide_links": "",
"id": "R-46908",
@@ -38046,6 +38186,34 @@
"validated_by": "",
"validation_mode": ""
},
+ "R-756950": {
+ "description": "The VNF **MUST** be operable without the use of Network File System (NFS).",
+ "full_title": "",
+ "hide_links": "",
+ "id": "R-756950",
+ "impacts": "",
+ "introduced": "casablanca",
+ "keyword": "MUST",
+ "links": [],
+ "notes": "",
+ "section_name": "VNF General Security Requirements",
+ "sections": [
+ "VNF General Security Requirements",
+ "VNF Security"
+ ],
+ "status": null,
+ "tags": [],
+ "target": "VNF",
+ "test": "",
+ "test_case": "",
+ "test_file": "",
+ "title": "",
+ "title_from_content": "",
+ "type_name": "Requirement",
+ "updated": "",
+ "validated_by": "",
+ "validation_mode": ""
+ },
"R-75850": {
"description": "The VNF **SHOULD** decouple persistent data from the VNFC\nand keep it in its own datastore that can be reached by all instances\nof the VNFC requiring the data.",
"full_title": "",
@@ -39016,6 +39184,34 @@
"validated_by": "",
"validation_mode": "static"
},
+ "R-814377": {
+ "description": "The VNF **MUST** have the capability of allowing the Operator to create,\nmanage, and automatically provision user accounts using an Operator\napproved identity lifecycle management tool using a standard protocol,\ne.g., NETCONF API.",
+ "full_title": "",
+ "hide_links": "",
+ "id": "R-814377",
+ "impacts": "",
+ "introduced": "casablanca",
+ "keyword": "MUST",
+ "links": [],
+ "notes": "",
+ "section_name": "VNF Identity and Access Management Requirements",
+ "sections": [
+ "VNF Identity and Access Management Requirements",
+ "VNF Security"
+ ],
+ "status": null,
+ "tags": [],
+ "target": "VNF",
+ "test": "",
+ "test_case": "",
+ "test_file": "",
+ "title": "",
+ "title_from_content": "",
+ "type_name": "Requirement",
+ "updated": "",
+ "validated_by": "",
+ "validation_mode": ""
+ },
"R-81725": {
"description": "A VNF's Incremental Module **MUST** have a corresponding Environment File",
"full_title": "",
@@ -43497,7 +43693,7 @@
"validation_mode": "static"
}
},
- "needs_amount": 760
+ "needs_amount": 767
}
}
} \ No newline at end of file
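Review bot: needs.json still ends without a trailing newline, per the "\ No newline at end of file" marker on the last line; add one if the generator allows it. The "needs_amount" change from 760 to 767 matches the seven R- entries added in this file.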