@@ -1233,6 +1233,7 @@ There are three different types of assessments used in this document.
1. System notification from the logs.
### 6.2.0.7 REQ-TECH-7
**Requirement:** The product shall be designed in a way, that all cryptographic keys can be replaced with user controlled keys.<br/>
**Objective:** Customer need to have full control of the integrity of the data stored in the system.<br/>
**Preparation:** None<br/>
@@ -1252,7 +1253,8 @@ There are three different types of assessments used in this document.
#### 6.2.5.0 REQ-SBOM-0
**Objective:** Operating system dependencies and application dependencies are clearly separated in the provided SBOM.<br/>
**Requirement:** Operating system dependencies and application dependencies shall be clearly separated in the provided SBOM.<br/>
**Objective:** To make clear what part of the system to upgrade, the source of the dependency should be understandable.
**Preparation:** None<br/>
**Activities:**
@@ -1267,10 +1269,11 @@ There are three different types of assessments used in this document.
1. References to to documentation sections.
#### 6.2.5.1 REQ-SBOM-1a and REQ-SBOM-1b
#### 6.2.5.1 REQ-SBOM-1
**Objective a:** Unique, unambiguous, and machine-readable identification of all components and dependencies are provided in the SBOM.<br/>
**Objective b:** The SBOM identifier format is consistent with common vulnerability handling standards.<br/>
**Requirement a:** Unique, unambiguous, and machine-readable identification of all components and dependencies are provided in the SBOM.<br/>
**Requirement b:** The SBOM identifier format is consistent with common vulnerability handling standards.<br/>
**Objective:** A linux kernel version can be 6.18, but what it contains? A refereable and exact pointer is needed.
**Preparation:** None<br/>
**Activities:**
@@ -1288,21 +1291,40 @@ There are three different types of assessments used in this document.
1. References to to documentation sections.
## 6.3 Risk mitigations tests
#### 6.2.5.2 REQ-SBOM-2
### 6.3.5 Logging tests
**Requirement:** The SBOM shall be consistent with [5.3.4 Secure updates] practices.<br/>
**Objective:** The deliverable erodes over time. The SBOM is one of the sources for the motivation to upgrade.
**Preparation:** None<br/>
**Activities:**
1. Study the technical documentation.
2. Study the SBOM.
3. Cross reference to upgrade instructions.
**Verdict:**
1. Pass if instructions are operatively consistent.
2. Fail otherwise.
**Supporting Evidence:**
1. References to to documentation sections.
## 6.3 Risk mitigations tests
### 6.3.6 Metrics tests
#### 6.3.6.0 REQ-MON-0
#### 6.3.6.0 REQ-METRICS-0
**Requirement:**
**Objective:** Collected and stored metrics data can not be altered.<br/>
**Preparation:**
**Activities:** Review the documentation of all components between the target and the collected and stored metrics data looking for any step that may allow alteration of the metrics data after it has left the target.<br/>
**Verdict:** Pass if no process step allows the alteration before ingestion of collected metrics data after it has left the target.<br/>
**Supporting Evidence:** The technical documentation.<br/>
#### 6.3.6.1 REQ-MON-1
#### 6.3.6.1 REQ-METRICS-1
**Objective:** Historical metrics data import overwriting an existing data point is noticed.<br/>
**Preparation:**
@@ -1323,7 +1345,7 @@ There are three different types of assessments used in this document.
1. Collect output showing the whether the current metrics data is being handled by the normal flow as expected.
1. Collect output showing how the modified data set was accepted or discarded.
#### 6.3.6.2 REQ-MON-2
#### 6.3.6.2 REQ-METRICS-2
**Objective:** Metric name, purpose, and value interpretation are described for the user.<br/>
**Preparation:**
@@ -1348,7 +1370,7 @@ There are three different types of assessments used in this document.
1. The technical documentation.
1. Screenshot of the GUI displaying how the data is displayed.
#### 6.3.6.3 REQ-MON-3
#### 6.3.6.3 REQ-METRICS-3
**Objective:** Metrics cadence, accuracy and storage time are described for the user.<br/>
**Preparation:**
@@ -1371,7 +1393,7 @@ There are three different types of assessments used in this document.
1. The technical documentation.
1. Metrics storage plan.
#### 6.3.6.4 REQ-MON-4
#### 6.3.6.4 REQ-METRICS-4
**Objective:** System does not collect metrics that are not used in operative purposes.<br/>
**Preparation:**
@@ -1395,7 +1417,7 @@ There are three different types of assessments used in this document.
1. Metrics conformity assesment.
1. Product position in relation to GDPR.
#### 6.3.6.5 REQ-MON-5
#### 6.3.6.5 REQ-METRICS-5
**Objective:** Relevant system and connected element metrics like CPU, memory, disk utilisation are tracked and reported.<br/>
**Preparation:**
@@ -1417,7 +1439,7 @@ There are three different types of assessments used in this document.
1. The technical documentation.
1. Screenshot of the GUI displaying how the data is displayed.
#### 6.3.6.6 REQ-MON-6
#### 6.3.6.6 REQ-METRICS-6
**Reference:****[REQ-MON-6a]** and **[REQ-MON-6b]**<br/>
@@ -1441,7 +1463,7 @@ There are three different types of assessments used in this document.
**Supporting Evidence:** Log or and metrics output showing detected system or managed element crash or restart with the reported cause.<br/>
#### 6.3.6.7 REQ-MON-7
#### 6.3.6.7 REQ-METRICS-7
**Objective:** Managed elements and system nodes and provided services availabilities and statuses are tracked and reported.<br/>
**Preparation:**
@@ -1464,7 +1486,7 @@ There are three different types of assessments used in this document.
1. The technical documentation.
1. Screenshot of the GUI displaying how the data is displayed.
#### 6.3.6.8 REQ-MON-8
#### 6.3.6.8 REQ-METRICS-8
**Reference:****[REQ-MON-8a]** and **[REQ-MON-8b]**<br/>
**Objective a:** Relevant system database and storage health metrics like queries per second, latency and throughput are tracked and reported.<br/>
@@ -1493,7 +1515,7 @@ There are three different types of assessments used in this document.
1. The technical documentation.
1. Screenshot of the GUI displaying how the data is displayed.
#### 6.3.6.9 REQ-MON-9
#### 6.3.6.9 REQ-METRICS-9
**Objective:** Relevant networking metrics like throughput and protocol errros are tracked and reported.<br/>
**Preparation:**
@@ -1517,7 +1539,7 @@ There are three different types of assessments used in this document.
1. The technical documentation.
1. Screenshot of the GUI displaying how the data is displayed.
#### 6.3.6.10 REQ-MON-10
#### 6.3.6.10 REQ-METRICS-10
**Objective:** GUI and API latencies are tracked and reported.<br/>
**Preparation:**
@@ -1540,7 +1562,7 @@ There are three different types of assessments used in this document.
1. Relevant metrics described in the technical documentation.
#### 6.3.6.11 REQ-MON-11
#### 6.3.6.11 REQ-METRICS-11
**Objective:** GUI and API error rates are tracked and reported.<br/>
**Preparation:**
@@ -1699,15 +1721,15 @@ There are three different types of assessments used in this document.
