author: Maryam Tahhan <maryam.tahhan@intel.com> 2017-11-23 16:19:40 +0000
committer: Maryam Tahhan <maryam.tahhan@intel.com> 2017-11-23 16:52:31 +0000
commit: 909b7fd20787b3f56ed83a9a5070499883eb697a (patch)
tree: 1017d44c65106f807c6a0fea96144680f203090d /docs
parent: dac61fc5516b869971fb001769a3d30d5f55c987 (diff)
docs: add security information
Change-Id: I014ee8bb762e1c2d9a94bc780816508133e2adf5
Signed-off-by: Maryam Tahhan <maryam.tahhan@intel.com>
Signed-off-by: Emma Foley <emma.l.foley@intel.com>
Diffstat (limited to 'docs')
-rw-r--r-- docs/release/userguide/feature.userguide.rst | 39
1 files changed, 39 insertions, 0 deletions
diff --git a/docs/release/userguide/feature.userguide.rst b/docs/release/userguide/feature.userguide.rst
index 699412d9..cd4051f4 100644
--- a/docs/release/userguide/feature.userguide.rst
+++ b/docs/release/userguide/feature.userguide.rst
@@ -1283,6 +1283,41 @@ To see this demo in action please checkout: `Barometer OPNFV Summit demo`_
For more information on configuring and installing OpenStack plugins for
collectd, check out the `collectd-ceilometer-plugin GSG`_.
+Security
+^^^^^^^^^
+* AAA – on top of collectd there secure agents like SNMP V3, Openstack agents
+ etc. with their own AAA methods.
+
+* Collectd runs as a daemon with root permissions.
+
+* The `Exec plugin`_ allows the execution of external programs but counters the security
+ concerns by:
+
+ * Ensuring that only one instance of the program is executed by collectd at any time
+ * Forcing the plugin to check that custom programs are never executed with superuser
+ privileges.
+
+* Protection of Data in flight:
+
+ * It's recommend to use a minimum version of 4.7 of the Network plugin which provides
+ the possibility to cryptographically sign or encrypt the network traffic.
+ * Write Redis plugin or the Write MongoDB plugin are recommended to store the data.
+ * For more information, please see: https://collectd.org/wiki/index.php?title=Networking_introduction
+
+* Known vulnerabilities include:
+
+ * https://www.cvedetails.com/vulnerability-list/vendor_id-11242/Collectd.html
+
+ * `CVE-2017-7401`_ fixed https://github.com/collectd/collectd/issues/2174 in Version 5.7.2.
+ * `CVE-2016-6254`_ fixed https://mailman.verplant.org/pipermail/collectd/2016-July/006838.html
+ in Version 5.4.3.
+ * `CVE-2010-4336`_ fixed https://mailman.verplant.org/pipermail/collectd/2010-November/004277.html
+ in Version 4.10.2.
+
+ * http://www.cvedetails.com/product/20310/Collectd-Collectd.html?vendor_id=11242
+
+* It's recommended to only use collectd plugins from signed packages.
+
References
^^^^^^^^^^^
.. [1] https://collectd.org/wiki/index.php/Naming_schema
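Review bot: the first bullet of the new Security section has no verb and does not parse ("AAA – on top of collectd there secure agents like SNMP V3, Openstack agents etc."); suggest "AAA: on top of collectd there are agents such as SNMP v3 and the OpenStack agents, each with its own AAA mechanisms." Three smaller points in the same hunk: "+Security" follows the unchanged line "collectd, check out the `collectd-ceilometer-plugin GSG`_." with no blank line in between, so docutils can read the title as a continuation of that paragraph; add a blank line before it as is done before "References". Under "Protection of Data in flight", the Write Redis / Write MongoDB recommendation concerns where data is stored, not how it is protected on the wire, so move it to its own bullet, and fix "It's recommend to use" to "It's recommended to use". Finally, the three CVE bullets are nested under the first cvedetails URL bullet, with the second cvedetails URL as a sibling of that URL; flatten the list so the vendor page, the three CVEs and the product page are all at the same level.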
@@ -1298,3 +1333,7 @@ References
.. _aodh plugin: https://github.com/openstack/collectd-ceilometer-plugin/tree/stable/ocata/
.. _collectd-ceilometer-plugin GSG: https://github.com/openstack/collectd-ceilometer-plugin/blob/master/doc/source/GSG.rst
.. _grafana guide: https://wiki.opnfv.org/display/fastpath/Installing+and+configuring+InfluxDB+and+Grafana+to+display+metrics+with+collectd
+.. _CVE-2017-7401: https://www.cvedetails.com/cve/CVE-2017-7401/
+.. _CVE-2016-6254: https://www.cvedetails.com/cve/CVE-2016-6254/
+.. _CVE-2010-4336: https://www.cvedetails.com/cve/CVE-2010-4336/
+.. _Exec plugin: https://collectd.org/wiki/index.php/Plugin:Exec \ No newline at end of file
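Review bot: the new `.. _Exec plugin:` target is added as the last line of the file without a trailing newline ("\ No newline at end of file"); add the newline so the next change that appends a target does not produce a spurious diff on this line. Since the CVE targets are the only references for the fixed-version claims in the Security section, consider pointing them at the canonical records (for example https://nvd.nist.gov/vuln/detail/CVE-2017-7401) rather than the cvedetails.com mirror.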