diff options
Diffstat (limited to 'docs/Chapter4')
-rw-r--r-- | docs/Chapter4/Security.rst | 40 |
1 files changed, 21 insertions, 19 deletions
diff --git a/docs/Chapter4/Security.rst b/docs/Chapter4/Security.rst index fb318dd..522b195 100644 --- a/docs/Chapter4/Security.rst +++ b/docs/Chapter4/Security.rst @@ -106,11 +106,10 @@ the product’s lifecycle. :id: R-23882 :target: VNF :keyword: SHOULD + :updated: casablanca - The VNF **SHOULD** be scanned using both network scanning - and application scanning security tools on all code, including underlying - OS and related configuration. Scan reports shall be provided. Remediation - roadmaps shall be made available for any findings. + The VNF **SHOULD** provide the capability for the Operator to run security + vulnerability scans of the operating system and all application layers. .. req:: :id: R-46986 @@ -124,13 +123,14 @@ the product’s lifecycle. :id: R-99771 :target: VNF :keyword: MUST + :updated: casablanca - The VNF **MUST** provide all code/configuration files in a - "Locked down" or hardened state or with documented recommendations for - such hardening. All unnecessary services will be disabled. VNF provider - default credentials, community strings and other such artifacts will be - removed or disclosed so that they can be modified or removed during - provisioning. + The VNF **MUST** have all code (e.g., QCOW2) and configuration files + (e.g., HEAT template, Ansible playbook, script) hardened, or with + documented recommended configurations for hardening and interfaces that + allow the Operator to harden the VNF. Actions taken to harden a system + include disabling all unnecessary services, and changing default values + such as default credentials and community strings. .. req:: :id: R-19768 @@ -383,10 +383,11 @@ Identity and Access Management Requirements :id: R-71787 :target: VNF :keyword: MUST + :updated: casablanca - The VNF **MUST** comply with Segregation of Duties (access to a - single layer and no developer may access production without special - oversight) when persons or non-person entities access VNFs. + Each layer of the VNF **MUST** support access restriction + independently of all other layers so that Segregation of Duties + can be implemented. .. req:: :id: R-86261 @@ -591,11 +592,11 @@ Identity and Access Management Requirements .. req:: :id: R-15671 :target: VNF - :keyword: MUST NOT + :keyword: MUST + :updated: casablanca - The VNF **MUST NOT** provide public or unrestricted access - to any data without the permission of the data owner. All data - classification and access controls must be followed. + The VNF **MUST** provide access controls that allow the Operator + to restrict access to VNF functions and data to authorized entities. .. req:: :id: R-89753 @@ -1321,9 +1322,10 @@ Data Protection Requirements :id: R-95864 :target: VNF :keyword: MUST + :updated: casablanca - The VNF **MUST** use commercial tools that comply with X.509 - standards and produce x.509 compliant keys for public/private key generation. + The VNF **MUST** support digital certificates that comply with X.509 + standards. .. req:: :id: R-12110 |