16:11:43 <cyberpear_> #startmeeting Ansible Lockdown Working Group
16:11:43 <zodbot> Meeting started Thu Feb 21 16:11:43 2019 UTC.
16:11:43 <zodbot> This meeting is logged and archived in a public location.
16:11:43 <zodbot> The chair is cyberpear_. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:11:43 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:11:43 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
16:11:44 <shepdelacreme_> I’m going to be doing this via mobile it seems
16:11:54 <cyberpear_> #chair shepdelacreme_
16:11:54 <zodbot> Current chairs: cyberpear_ shepdelacreme_
16:12:26 <cyberpear_> #topic https://github.com/MindPointGroup/RHEL7-STIG/pull/211
16:12:43 <cyberpear_> audit suid/sgid executions
16:13:02 <shepdelacreme_> I think we are good to merge this one in now that it has two reviews?
16:13:03 <cyberpear_> RHEL 7 doesn't have any 32-bit platforms, correct?
16:13:31 <cyberpear_> If I'm correct, we shouldn't have to special-case for 32 vs 64-bit.
16:13:49 <cyberpear_> I'm suspicious that our RHEL6 role doesn't work as expected on 32-bit RHEL6, but I've never tried
16:14:24 <cyberpear_> is defionscode here?
16:14:57 <shepdelacreme_> He is having the same bouncer issue
16:15:20 <shepdelacreme_> I think you are correct about RHEL6 being a prob
16:15:54 <cyberpear_> I think that one checks for x86_## and takes ## to be the arch bits
16:16:13 <cyberpear_> and 32-bit isn't called x86_32, which is something else
16:16:36 <shepdelacreme> Ok
16:16:54 <cyberpear_> but probably no one is using it anyway
16:17:03 <shepdelacreme> You are correct. There is no 32-bit version of RHEL 7
16:17:23 <shepdelacreme> So that PR should be gtg
16:17:43 <cyberpear_> sounds good
16:18:22 <cyberpear_> #agreed merge PR#211
16:18:33 <cyberpear_> #topic https://github.com/MindPointGroup/RHEL7-STIG/pull/215 lazy fact gathering
16:19:29 <cyberpear_> our role doesn't require many ansible facts, and on some older hardware, it's very slow to do the gathering.
16:19:50 <shepdelacreme> I think I’m good with this, but I think if we do this we should standardize on it
16:19:52 <cyberpear_> this PR "should" allow the playbook to "gather_facts: no" (or in ansible config)
16:20:21 <cyberpear_> did you have any ideas for how to standardize, or just decide now to always support lazy gathering?
16:20:33 <cyberpear_> i.e., change the CI tests to not gather in the playbook level
16:21:06 <cyberpear_> The way I've made the patch, it will only gather if it doesn't have the fact yet.
16:21:28 <shepdelacreme> I think just make sure we have the tasks needed to gather the facts we need and then update CI
16:22:06 <cyberpear_> I'll do a fresh test to make sure I've gotten all the facts needed.
16:22:11 <shepdelacreme> The way you have it is good so it won’t gather twice if someone does turn on gather_facts
16:22:17 <cyberpear_> do you know off hand where to update tests to not gather?
16:22:40 <shepdelacreme> It’s most likely in the molecule folders?
16:22:52 <cyberpear_> ok, i'll take a look
16:23:54 <cyberpear_> #agreed Support 'gather_facts: no' and test for this case
16:24:16 <cyberpear_> #topic Pull Request Reviewers
16:24:36 <cyberpear_> are there any other folks likely to review our PRs?
16:24:55 <shepdelacreme> I think I’ve provided all the reviews I can
16:25:25 <cyberpear_> I appreciate those.
16:25:28 <shepdelacreme> Defionscode and treyp can provide reviews
16:25:35 <cyberpear_> we have a pretty small group here... any ideas on how to grow/
16:26:01 <cyberpear_> (though I guess growing is always hard to force)
16:26:23 <bcoca> break something everyone cares about, then you'll have plenty of people examining the work from this group
16:26:33 <shepdelacreme> We are trying to get some more MindPoint Group folks involved
16:27:08 <shepdelacreme> I think many of the people that use these roles don’t necessarily feel comfortable with participating in GH
16:27:46 * cyberpear_ wishes we could change that, but it's a gov't culture problem
16:27:59 <cyberpear_> #topic Open Floor
16:28:10 <treyp> ^ yea I was intending to be more involved, but a new baby is killing a lot of the free time I used to have after work to do extra stuff :-(
16:28:38 <treyp> should change over next couple months i hope
16:28:38 <cyberpear_> hey, congrats!
16:28:42 <shepdelacreme> No excuses treyp! Lol
16:29:31 <bcoca> teach baby how to code, now you are more productive (congrats!)
16:29:46 <treyp> ^that would be great
16:30:43 <bcoca> https://twitter.com/ansible/status/669233644804956160
16:31:09 <cyberpear_> nice
16:31:18 <cyberpear_> btw, freenode webchat works okay, if your normal IRC method is failing
16:31:28 <cyberpear_> https://webchat.freenode.net
16:33:48 <treyp> ^I recall that onesie back in the day, too bad I didn't try to snag one while I was there. The shop is also offline now... and he's already grown out of 1/4 of his outfits.
16:35:30 <bcoca> I believe they are sold in the RH shop now
16:35:33 <bcoca> don't have a link
16:36:22 <cyberpear_> RHEL-07-041002 requires setting 'pam' in /etc/sssd, but does not explicitly require installing sssd.
16:37:22 <cyberpear_> Should we install SSSD to configure it?
16:37:48 <cyberpear_> I lean toward "no" since the rule says 'If the "pam" service is not present on all "services" lines, this is a finding.'
16:38:00 <cyberpear_> but it does not require there to be any 'service' lines
16:38:12 <cyberpear_> but the DISA checker fails if the files are not present
16:38:50 <bcoca> sounds like a bug in the checker
16:38:55 <bcoca> unless sssd is required
16:39:39 <cyberpear_> the STIG has many bugs, like requiring esc, authconfig-gtk, and pam_pkcs11 for two-factor authentication when it can be done entirely with SSSD alone
16:40:01 <cyberpear_> (never mind pulling in X deps for the -gtk and esc packages)
16:41:04 <cyberpear_> We maintain our roles to match the text of the security docs, but will workaround checker issues if it does not violate the security docs.
16:41:17 <cyberpear_> but installing sssd could fall under 'unnecessary packages'
16:42:48 <cyberpear_> If there's nothing else, I'll end the meeting.
16:44:18 <cyberpear_> #endmeeting