16:06:11 <shepdelacreme> #startmeeting lockdown
16:06:11 <zodbot> Meeting started Thu Nov 29 16:06:11 2018 UTC.
16:06:11 <zodbot> This meeting is logged and archived in a public location.
16:06:11 <zodbot> The chair is shepdelacreme. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:06:11 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:06:11 <zodbot> The meeting name has been set to 'lockdown'
16:09:25 <shepdelacreme> Ok so it looks like we don't have many new agenda items to discuss
16:10:00 <shepdelacreme> The two items are status on sphinx books research for the docs effort and then open topic for merger-specific things
16:11:03 <shepdelacreme> #topic open topics
16:11:18 <shepdelacreme> Does anyone have anything they'd like to bring up?
16:12:24 <cyberpear_> My action item from last time is not complete. That was to create a patch to run the DISA benchmark on CentOS. I might have time to do that today.
16:12:52 <shepdelacreme> ok
16:12:53 <cyberpear_> Any progress on creating template repos for the rest of the disa sticks?
16:13:01 <cyberpear_> Stigs
16:13:13 <bcoca> i prefer sticks, sounds more secure
16:13:25 <shepdelacreme> I'll need to check with defionscode on that but I don't think he has had much time to do that
16:14:03 <shepdelacreme> I'm still working on the docs stuff we covered last time and haven't had much time for it. End of year is a terrible time at work for me lol
16:16:31 <shepdelacreme> There have been a few issues/PRs due to confusion around the best way to use the hardening roles
16:16:44 <cyberpear_> I can allocate a little bit of time today for the 6 disa role if there's anything specific that needs done on it.
16:16:54 <shepdelacreme> I think the docs will help with that but I also think a more in depth set of examples would help as well
16:17:18 <shepdelacreme> i.e. https://github.com/MindPointGroup/RHEL7-STIG/pull/194
16:18:04 <cyberpear_> Yes, perhaps adding example Playbook to both Steak Rolls that shows using both
16:18:07 <shepdelacreme> What do you all think about having some examples in the top level ansible-lockdown repo?
16:18:21 <cyberpear_> That might also be good
16:18:29 <shepdelacreme> yum Steak Rolls :p
16:18:49 <cyberpear_> Voice recognition is not so great today
16:18:54 <shepdelacreme> I think it makes sense for the examples to be in the AL repo
16:19:20 <shepdelacreme> Especially considering the issues with handlers and running multiple roles together
16:19:49 <shepdelacreme> #idea add detailed examples to the top level ansible-lockdown repo
16:20:16 <cyberpear_> Yes, best practice is to have each lockdown role in its own play
16:20:58 <shepdelacreme> Second thing I have is discussing the best way to handle the conflicting handlers issue
16:21:15 <shepdelacreme> Couple ways to deal with it:
16:21:30 <shepdelacreme> #idea namespace handlers so they don't conflict between roles
16:22:02 <cyberpear_> Nit
16:22:03 <shepdelacreme> #idea recommend best practice to have 1 role to 1 play
16:22:14 <treyp> on the topic of "each lockdown role;" would it make sense to keep families together like rhel7 and centos7 and just sub vars or a few when statements if necessary?
16:22:21 <cyberpear_> notify: RHEL6 reboot
16:22:23 <cyberpear_> ?
16:23:01 <shepdelacreme> #idea have a separate role with all the handlers and then include that role
16:23:19 <cyberpear_> That might work
16:23:26 <shepdelacreme> cyberpear_ yeah something like that
16:23:44 <cyberpear_> Actually, it won't. Same issue as before
16:24:01 <cyberpear_> I'd assumed that include role would have worked as well, but it
16:24:02 <shepdelacreme> treyp yes RHEL and CentOS are the same role (the vars/tasks are just adjusted a bit)
16:24:05 <cyberpear_> Didn't
16:24:54 <shepdelacreme> well the separate role with all the handlers would need to have handlers that do OS checks before running...I dislike that idea the most since it will get out of hand quickly
16:25:45 <shepdelacreme> I think the best other two are best...if we namespace the handlers it eases user friction the most in my mind but its still not a great solution
16:27:43 <shepdelacreme> I actually wish Ansible handled variable and handler scoping differently for roles but that is neither here nor there
16:29:05 <shepdelacreme> So do we namespace handlers OR leave them as is and just document a detailed example of how to get multiple roles to work properly together?
16:29:55 <cyberpear_> Feature request for ansible private Handler namespace
16:30:23 <cyberpear_> But for now document using separate plays
16:30:55 <shepdelacreme> ok
16:31:30 <shepdelacreme> #agreed document using separate plays to avoid handler collisions and investigate namespacing handlers down the line
16:32:00 * Sicnus waves :)   (sorry to interrupt just happy to see convo here)
16:32:42 <shepdelacreme> Hello sicnus
16:33:46 <shepdelacreme> Yes we have a working group meeting every other Thursday at this time. You can see the agenda/etc and get a iCal link and what not here: https://github.com/ansible/community/tree/master/group-lockdown
16:34:32 <shepdelacreme> cyberpear_ you mentioned having some time today for RHEL6 role work?
16:34:38 <cyberpear> yes, a bit
16:34:59 <shepdelacreme> Def needs some love
16:35:37 <cyberpear> I can also knock out getting the patch for running DISA benchmark on CentOS.
16:35:48 <shepdelacreme> I started to document some items that we need to hit to bring it in line with the RHEL7 role here: https://github.com/MindPointGroup/RHEL6-STIG/issues/154 and https://github.com/MindPointGroup/RHEL6-STIG/issues/153 but there is also the V1R20 updates https://github.com/MindPointGroup/RHEL6-STIG/issues/151
16:36:24 <shepdelacreme> ok great
16:37:07 <cyberpear> yes, I can get the V1R20 for sure, plus the tests as filters
16:37:40 <Sicnus> #halp  I can't speak to any specifics right now (and this might not be the appropriate time to mention this...) but I've been having a heck of a time trying to get remediation to work properly.  I'm willing to test things on test server if anyone needs a tester.  I can provide more details if this is the appropriate time)  Thanks btw for all you guys are doing!
16:37:42 <cyberpear> the include warning, I think is spurious, but I'll check quickly if I can.  'include' is not deprecated (yet)
16:37:45 <shepdelacreme> #action cyberpear to address RHEL6 V1R20 updates and tests as filters
16:38:32 <shepdelacreme> yeah I went ahead and documented all the deprecation warnings even though some don't happen until Ansible 2.12
16:40:25 <cyberpear> invoking yum w/ loop is not deprecated either; that's telling you that "hey, there may be a more optimal way to do this!"
16:40:47 <shepdelacreme> yeah but according to the message it will be deprecated as of 2.11
16:40:55 <shepdelacreme> so eventually it does need to be changed
16:41:20 <cyberpear> ansible currently does an optimization, but what you have will continue to work, just it will invoke yum for each item, whereas now it invokes yum once for all items
16:41:34 <shepdelacreme> ah ok
16:41:57 <shepdelacreme> well then that is low priority to update but we will want to be "optimized"
16:43:17 <cyberpear> for RHEL6, would also be good to have a var for each item so you can en/disable items w/ host_vars
16:43:22 <shepdelacreme> sicnus we are always looking for help so yes we would appreciate help testing/etc
16:43:24 <cyberpear> added as a comment to the tags issue
16:43:41 <cyberpear> I won't have time to do that today, though
16:43:52 <shepdelacreme> what remediation issues are you encountering?
16:44:23 <shepdelacreme> ok thanks cyberpear...none of those issues were super urgent I just wanted to make sure to document them in GH
16:44:25 <defionscode> Sicnus if you have specific implementation issues for a specific role the best place would be as a github issue since it's better for diagnosing, code snippets, etc
16:44:53 * defionscode waves, had to take the kiddo to the doc
16:45:21 <shepdelacreme> Yes...I suppose that is a better avenue. Also if its just a matter of needing better docs for the roles...we are actively working on that!
16:45:28 <defionscode> and shepdelacreme is correct i havent had time to do the templates for the other stig items, cyberpear is that blocking you on anything? if so, I can make sure it gets done this week
16:46:01 <Sicnus> :/  So perhaps firstly I should explain my setup and process if that's ok...   I had a RHEL6 VM (ESX Host) that I stigged via a set of scripts:  RHEL6_STIG_Scripts_v1r9.iso  I partitioned out all the drives as I was supposed to etc..  This (Stig) box got mid 90's on DISA IASE score... for RHEL6.
16:46:40 <defionscode> Sicnus by 'set of scripts' do you mean ansible lockdown content or your own/something else?
16:47:10 <Sicnus> Then I took that same stig or "Gold disk" and cloned it and upgrade it to RHEL7.    I could have sworn those scans were getting in the high 80's but... apparently not.  I have deployed 4 RHEL7 servers since....  and they really need hardening...
16:47:30 <Sicnus> @defionscode   I used this set of scripts:  RHEL6_STIG_Scripts_v1r9.iso
16:47:52 <defionscode> i dont know what that is?
16:47:57 <Sicnus> found on the old DISA script site somewhere...  it was some site heh.  I think it's closed or you can't even find it anymore.
16:48:20 <shepdelacreme> I those are the old DISA "gold disk" like remediation scripts?
16:48:22 <Sicnus> It was just a series of bash scripts to force remediation.
16:48:32 <Sicnus> yessir.
16:48:43 <shepdelacreme> yeah DISA discontinued making those
16:48:46 <Sicnus> I've been researching and finally found you guys' stuff.
16:48:46 <treyp> wouldnt oscap be a little better for the scans?
16:48:51 <defionscode> yeah that has nothing to do with us, not sure how we can help other than saying maybe try our ansible content?
16:49:00 <Sicnus> oh I know...
16:49:13 <Sicnus> I was trying to provide a historical picture of where I have been  @defionscode
16:49:29 <Sicnus> Sorry
16:49:40 <defionscode> ah ah ok my mistake
16:49:52 <cyberpear> Sicnus, our ansible roles are what you want to use.  For auditing the system, you can use the DISA-provided benchmark file, and if you're  really ambitious, you could also use ComplianceAsCode (scap-security-guide) content to help cover some gaps in the auditing.
16:50:13 <Sicnus> At any rate, I've tried a few times with your playbook and I must admit it's a bit out of my ansible league as far as skillsets...
16:50:53 <cyberpear> #idea have ansible-lockdown office hours to help folks use our role and find pain points
16:51:06 <Sicnus> #agree
16:51:09 <Sicnus> :)
16:51:37 <Sicnus> s/ree/reed/  :/
16:51:37 <shepdelacreme> Not a bad idea. Also you can reach out via GH with specific issues.
16:52:10 <defionscode> Sicnus just FYI the '#' is a function of zodbot, see here: https://fedoraproject.org/wiki/Zodbot#Meeting_Functions
16:52:14 <shepdelacreme> That allows more async communication since we aren't always available via this channel at the same time
16:52:29 <Sicnus> yeah, but I don't want to take up all of you guys time today... I need to re-run things, and provide a clear picture of what I've done and what the problem is.  Something I'm not sure I can do ATM other than saying "It's not working"  or... not working as much as I need it to.
16:53:18 <Sicnus> @defionscode don't mess with the bot... ok.  ;)  Got it.   Sorry I was thinking it was something else.
16:53:34 <defionscode> haha you are welcome to
16:53:34 <Sicnus> (You'd think I hadn't been using IRC since 95 or something)
16:53:38 <defionscode> it's not just for ops
16:54:26 <defionscode> prepend a message with "#idea" if you have an idea or "#link" if there is a url you want to share "#action" if you want to assign yourself an action item, etc
16:54:31 <defionscode> it's for anyone to leverage
16:54:37 <Sicnus> Anyway, look I appreciate the help you guys are offering but let me get some more concrete stuff together... at best I'll present it when I can (probably tomorrow) but I can always wait till the next meeting.
16:55:03 <Sicnus> I was kinda caught off guard by you guys' awesomeness and willingness to help lol
16:55:08 <defionscode> Sicnus one other option is to hit the mailing list, really it's whatever medium you prefer, we'll hear you either way
16:55:29 <Sicnus> kk...  I prefer IRC... but don't want to be too spammy either.
16:55:47 <defionscode> it's usually quiet in here sans meeting days
16:55:53 <defionscode> dont worry about spamming
16:56:18 <defionscode> unless you start telling us we are heirs to the gold of some random african prince yadda yadda
16:56:35 <shepdelacreme> sicnus: there is a pretty good example of utilizing the playbooks in this thread as well https://github.com/MindPointGroup/RHEL7-STIG/pull/194
16:57:22 <Sicnus> I tell you what would be amazing... and I know this might not be possible...  (But it may help with documentation going forward)  Is to perhaps have a phone conversation...    I'm not asking for you guys to do everything for me, but... me being a nub might shed some insight into how folks might be coming into the project and help streamline things for other folks.
16:58:20 <defionscode> the problem there is lack of record/transcripts
16:58:29 <Sicnus> aye.
16:59:16 <defionscode> however, there is 'premium' help available through MindPoint Group but that's probably not the best use of $$ in the case of general how-to guidance
16:59:39 <Sicnus> ok, well.  Thanks for the info, again when I get stuff ready again I'll msg you guys.  I'm going to roll back to a previous save spot on one of my clones and retry the playbook again.
17:00:23 <cyberpear> #topic ansible-hardening merger
17:00:43 <cyberpear> how's this coming along?  Are there any easy wins I could help with that would be quick?
17:01:29 <defionscode> right now what we need info on, not sure if odyssey4me mnaser are around, is getting access to openstack testing infra
17:02:19 <defionscode> as far as easy wins, maybe finding any tasks/remediations that AH has that AL does not provide and starting to whip up an 'optional.yml' task file
17:02:54 <defionscode> we want their users to be able to migrate to AL with minimal friction
17:03:10 <defionscode> it'd be 'off' by default but could be triggered via a var
17:03:24 <defionscode> even identifying a single delta would be a win
17:03:41 <defionscode> something i dont think anyone has gotten around to doing yet
17:03:43 <shepdelacreme> yeah I think making sure the RHEL7 role at a minimum has STIG remediations for everything the AH role does is a start. We are still behind on a few things I think
17:05:36 <cyberpear> I've been hoping to get time to work on RHEL7-STIG, but haven't been able to justify a specific need yet.
17:05:58 <shepdelacreme> I think we are all in the same boat currently :)
17:06:14 <shepdelacreme> I've been OBE lately
17:06:59 <cyberpear> Though, likely a good use of our time, if we could spare it would be to see what we can do to help ComplianceAsCode come up with sane content for RHEL8, since that will be what DISA will use as the basis for their RHEL8 STIG.
17:07:48 <defionscode> can we make a mechanical turk API to delegate some of this work? :P
17:08:45 <defionscode> tbh though, lockdown time I have is probably going to be sunk into RHEL7/merger efforts until that's 'pretty' and then spread my efforts to other roles/things
17:09:47 <shepdelacreme> cyberpear...good to know that DISA derives content from the ComplianceAsCode project. I will see about contributing but like defionscode I'm more focused on getting the RHEL7 role "finished" at this point
17:10:35 <cyberpear> yeah, priorities.  "if I had unlimited time..."
17:10:59 <defionscode> oh and for the really ambitious, rewriting the scanner bits of openscap-scanner to be pure python so scans could be done via ansible w/o needing to install open scap would be super dope
17:11:09 <cyberpear> heh
17:11:32 <cyberpear> I'd be concerned about speed.  What's it written in currently?
17:11:36 <defionscode> i can dream right?
17:11:41 <defionscode> it's in C
17:11:43 <cyberpear> it's an order of magnitude faster than the DISA scanner
17:11:49 <defionscode> maybe CPP
17:11:59 <cyberpear> for speed reasons, -1 to rewriting in python :P
17:12:02 <defionscode> they actually are ok with a rewrite they just dont want to do the work
17:12:18 <defionscode> there is a closed? github issue on making a port in python or go
17:12:28 <shepdelacreme> I vote for Rust!
17:12:30 <shepdelacreme> lol
17:12:32 <cyberpear> you can run ssg content in DISA scanner, but it takes forever
17:12:36 <cyberpear> +1 Rust!
17:12:48 <defionscode> the answer was "we agree it'd be nice, b/c it'd be easier to get contributors...but its stable and bug free...so nah..."
17:13:13 <cyberpear> #topic open floor
17:13:23 <defionscode> the thing is that openscap scanner already has a python binding that it ships with
17:13:23 <cyberpear> any other items for today?
17:13:36 <defionscode> the problem is that it's just a clone of the C methods so it's very terse/verbose
17:13:44 * defionscode haz nothing
17:13:51 <shepdelacreme> I don't have anything further
17:13:59 <defionscode> oh
17:14:02 <defionscode> cyberpear did you get the swag?
17:14:14 <cyberpear> I did, thanks!
17:14:18 <defionscode> solid
17:15:14 <shepdelacreme> nice!
17:17:49 <cyberpear> not super familiar w/ meetbot, but you may need to #chair folks for their #meetingactions to be effective...
17:18:06 <defionscode> i believe you are correct
17:18:09 * cyberpear unsure
17:18:46 <defionscode> i think we're done, shepdelacreme if you want to #endmeeting this
17:18:54 <defionscode> #endmeeting
17:19:00 <defionscode> yeah has to be the chair
17:19:01 <defionscode> :(
17:19:08 <cyberpear> can #chair multiple people
17:19:12 <shepdelacreme> yeah sorry
17:19:21 <shepdelacreme> my first meetbot meeting so I'm doing it wrong I'm sure
17:19:40 <defionscode> just type #endmeeting
17:19:40 <shepdelacreme> is there anything I need to capture before ending?
17:19:46 <defionscode> dont think so
17:19:48 <shepdelacreme> ok
17:19:51 <shepdelacreme> #endmeeting