diff options
author | Luke Hinds <lukehinds@gmail.com> | 2016-07-06 10:33:44 +0100 |
---|---|---|
committer | Luke Hinds <lukehinds@gmail.com> | 2016-07-06 11:25:39 +0100 |
commit | 5eabccc1ed6d050cd5ce24944346a1128e49b9f5 (patch) | |
tree | f84154b8e4b3ea8e4167bfa40d9825153e2b9d8b | |
parent | 72306b25f2040f3064e2efb60f0ebb09622ffd42 (diff) |
Adding security_scan section to functest userguide.
JIRA: FUNCTEST-356
Change-Id: Ib7e2fc7eda88425390b37c36cbedc3f89c090f61
Signed-off-by: Luke Hinds <lukehinds@gmail.com>
-rw-r--r-- | docs/userguide/index.rst | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/docs/userguide/index.rst b/docs/userguide/index.rst index ea267976..327a1756 100644 --- a/docs/userguide/index.rst +++ b/docs/userguide/index.rst @@ -388,9 +388,35 @@ the OpenStack 'bgpvpn' API: security_scan ^^^^^^^^^^^^^ -**TODO:** +Security Scanning, is a project to insure security compliance and vulnerability +checks, as part of an automated CI / CD platform delivery process. + +The project makes use of the existing SCAP format[6] to perform deep scanning of +NFVi nodes, to insure they are hardened and free of known CVE reported vulnerabilities. + +The SCAP content itself, is then consumed and run using an upstream opensource tool +known as OpenSCAP[7]. + +The OPNFV Security Group have developed the code that will called by the OPNFV Jenkins +build platform, to perform a complete scan. Resulting reports are then copied to the +OPNFV functest dashboard. + +The current work flow is as follows: + * Jenkins Build Initiated + * security_scan.py script is called, and a config file is passed to the script as + an argument. + * The IP addresses of each NFVi node (compute / control), is gathered. + * A scan profile is matched to the node type. + * The OpenSCAP application is remotely installed onto each target node gathered + on step 3, using upstream packaging (rpm and .deb). + * A scan is made against each node gathered within step 3. + * HTML Reports are downloaded for rendering on a dashboard. + * If the config file value 'clean' is set to 'True' then the application installed in + step 5 is removed, and all reports created at step 6 are deleted. +At present, only the Apex installer is supported, with support for other installers due +within D-release. VNF --- @@ -449,6 +475,8 @@ References .. _`[3]`: https://rally.readthedocs.org/en/latest/index.html .. _`[4]`: http://events.linuxfoundation.org/sites/events/files/slides/Functest%20in%20Depth_0.pdf .. _`[5]`: https://github.com/Orange-OpenSource/opnfv-cloudify-clearwater/blob/master/openstack-blueprint.yaml +.. _`[6]`: https://scap.nist.gov/ +.. _`[7]`: https://github.com/OpenSCAP/openscap .. _`[9]`: https://git.opnfv.org/cgit/functest/tree/testcases/VIM/OpenStack/CI/libraries/os_defaults.yaml .. _`[11]`: http://robotframework.org/ |