Re: VNF Security Requirements - El Alto Refresh: Meeting 19/7/25



Just a few remarks:

regarding VNFRQTS-672

------ OLD TEXT 

      The VNF application processes SHOULD NOT run as root. If a VNF application process must run as root, the technical reason must be documented.

------ NEW TEXT

      The VNF application processes SHOULD NOT run as root.

      If a VNF application process needs to run commands with root privilege, the access to resource MUST be controlled so that the process can only be granted on resource that it is expected to manipulate. Access control to resources MUST be enabled e.g. using SELinux.

      If a VNF application process needs root privileges, the commands expected to be run with root privilege MUST be controlled e.g. using Linux Capabilities


      There will be VNFs that require root privileges on the host for functionality such as SRI/OV.

==> indeed the initial requirement does not enable to ensure that running VNF application processes as root is performed in reliable and controlled conditions.
and another point, can this activity regarding unning VNF application processes as root be monitored? is it up to the VNF to handle this monitoring, or to the service? to ONAP?

regarding requirement: R-821839

    The VNF or PNF MUST deliver event records to ONAP using the common transport mechanisms and protocols defined in this specification.

==> it should be specified which information is expected by "event records"? is it sensitive? 


De : onap-seccom@... [onap-seccom@...] de la part de Amy Zwarico [amy.zwarico@...]
Envoyé : vendredi 26 juillet 2019 02:59
À : onap-seccom@...; LOVETT, TREVOR J; THORPE, HENRY E; 'damian.nowak@...'; JAGANNATH, VINNY; Michela Bevilacqua
Objet : [Onap-seccom] VNF Security Requirements - El Alto Refresh: Meeting 19/7/25

The following requirements are ready for approval. Those interested in the requirements refresh, please review and provide your approval by +1. On 19/8/1 these requirements will be promoted to inclusion in the El Alto VNF Requirements.


VNF Requirement

Jira Ticket



R-78010 specifies the protocols







We discussed that we will review the container security requirement in CIS and if they seem adequate for VNFs and ONAP, we will add a requirement that containerized VNFs must meet the CIS container security requirements.


Next week I propose that we begin the meeting with a discussion of whether or not to change the term VNF to xNF. Linda Horn brought this up, and we moved back to the topic of containerized VNFs before we completed the conversation about VNF or xNF.



​​​​​Amy Zwarico, LMTS

Chief Security Office / Emerging Services Security

AT&T Services

(205) 613-1667


"This e-mail and any files transmitted with it are the property of AT&T,  and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your electronic device. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited."



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

Join to automatically receive all group messages.