docs: add security information 23/47723/4
author Maryam Tahhan <maryam.tahhan@intel.com>
Thu, 23 Nov 2017 16:19:40 +0000 (16:19 +0000)
committer Maryam Tahhan <maryam.tahhan@intel.com>
Thu, 23 Nov 2017 16:52:31 +0000 (16:52 +0000)
Change-Id: I014ee8bb762e1c2d9a94bc780816508133e2adf5
Signed-off-by: Maryam Tahhan <maryam.tahhan@intel.com>
Signed-off-by: Emma Foley <emma.l.foley@intel.com>
docs/release/userguide/feature.userguide.rst

index 699412d..cd4051f 100644 (file)
@@ -1283,6 +1283,41 @@ To see this demo in action please checkout: `Barometer OPNFV Summit demo`_
 For more information on configuring and installing OpenStack plugins for
 collectd, check out the `collectd-ceilometer-plugin GSG`_.
 
+Security
+^^^^^^^^^
+* AAA – on top of collectd there secure agents like SNMP V3, Openstack agents
+  etc. with their own AAA methods.
+
+* Collectd runs as a daemon with root permissions.
+
+* The `Exec plugin`_ allows the execution of external programs but counters the security
+  concerns by:
+
+  * Ensuring that only one instance of the program is executed by collectd at any time
+  * Forcing the plugin to check that custom programs are never executed with superuser
+  privileges.
+
+* Protection of Data in flight:
+
+  * It's recommend to use a minimum version of 4.7 of the Network plugin which provides
+    the possibility to cryptographically sign or encrypt the network traffic.
+  * Write Redis plugin or the Write MongoDB plugin are recommended to store the data.
+  * For more information, please see: https://collectd.org/wiki/index.php?title=Networking_introduction
+
+* Known vulnerabilities include:
+
+  * https://www.cvedetails.com/vulnerability-list/vendor_id-11242/Collectd.html
+
+    * `CVE-2017-7401`_ fixed https://github.com/collectd/collectd/issues/2174 in Version 5.7.2.
+    * `CVE-2016-6254`_ fixed https://mailman.verplant.org/pipermail/collectd/2016-July/006838.html
+        in Version  5.4.3.
+    * `CVE-2010-4336`_ fixed https://mailman.verplant.org/pipermail/collectd/2010-November/004277.html
+        in Version 4.10.2.
+
+  * http://www.cvedetails.com/product/20310/Collectd-Collectd.html?vendor_id=11242
+
+* It's recommended to only use collectd plugins from signed packages.
+
 References
 ^^^^^^^^^^^
 .. [1] https://collectd.org/wiki/index.php/Naming_schema
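Review bot: the continuation lines of the nested bullets are mis-indented and will break the reStructuredText rendering of this section. `  privileges.` under the Exec plugin item is indented two spaces while its bullet text starts at column four, so docutils will report an unexpected unindent and close the list early; `        in Version  5.4.3.` and `        in Version 4.10.2.` under the CVE items are over-indented, which renders them as block quotes instead of the rest of the sentence (also drop the double space in `Version  5.4.3`). Align each continuation line with the first character after its bullet marker. Smaller points in the same hunk: `on top of collectd there secure agents like SNMP V3, Openstack agents` is missing a verb (`there are secure agents`) and the file spells the project `OpenStack` elsewhere; `It's recommend to use` should read `It's recommended to use`; the `Forcing the plugin to check that custom programs are never executed with superuser privileges` item is hard to parse and would be clearer stated as the plugin refusing to run programs with root privileges; the two cvedetails URLs point at the same vendor/product listing, so one is enough; and `fixed <url> in Version x` reads better as `fixed in version x (<url>)`, since the URL is the advisory or issue, not the thing that was fixed.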
@@ -1298,3 +1333,7 @@ References
 .. _aodh plugin: https://github.com/openstack/collectd-ceilometer-plugin/tree/stable/ocata/
 .. _collectd-ceilometer-plugin GSG: https://github.com/openstack/collectd-ceilometer-plugin/blob/master/doc/source/GSG.rst
 .. _grafana guide: https://wiki.opnfv.org/display/fastpath/Installing+and+configuring+InfluxDB+and+Grafana+to+display+metrics+with+collectd
+.. _CVE-2017-7401: https://www.cvedetails.com/cve/CVE-2017-7401/
+.. _CVE-2016-6254: https://www.cvedetails.com/cve/CVE-2016-6254/
+.. _CVE-2010-4336: https://www.cvedetails.com/cve/CVE-2010-4336/
+.. _Exec plugin: https://collectd.org/wiki/index.php/Plugin:Exec
\ No newline at end of file
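Review bot: the file now ends without a trailing newline (`\ No newline at end of file`); add one after the `Exec plugin` target so the next change that appends a link target does not produce a spurious diff on this line. The four new targets match the references introduced in the Security section (`Exec plugin`_, `CVE-2017-7401`_, `CVE-2016-6254`_, `CVE-2010-4336`_), so the labels resolve.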