16:00:50 #startmeeting Ansible Lockdown Working Group
16:00:51 Meeting started Thu May 16 16:00:50 2019 UTC.
16:00:51 This meeting is logged and archived in a public location.
16:00:51 The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:51 Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:51 The meeting name has been set to 'ansible_lockdown_working_group'
16:01:10 #chair shepdelacreme defionscode
16:01:10 Current chairs: cyberpear defionscode shepdelacreme
16:01:22 hello!
16:02:00 so RHEL 8 came out
16:02:45 based on looking over the release notes, the RHEL7-STIG role could likely run against it with minor tweaks, in the absence of a RHEL 8 STIG being available
16:02:57 simple things like updated paths to audit config files
16:03:06 chrony instead of ntp (which we already do)
16:03:31 ok
16:04:26 We should see about maybe adding in some RHEL 8 to the testing and then we can experiment on a branch to see what needs to change
16:04:27 it was 2.5 years between the release of RHEL 7 and the RHEL 7 STIG
16:04:43 yeah it will take DISA a good long while to release anything
16:04:43 (so I don't expect a STIG for RHEL 8 anytime soon)
16:05:46 I'm for exploring applying it to RHEL 8
16:06:08 folks definitely want features in RHEL 8, though, and need /something/ to show their security/compliance departments, so I'm going to propose running RHEL7-STIG on RHEL 8, as much as that doesn't sound like the best idea
16:06:31 fips mode breaks yum and/or subscription-manager, though :(
16:07:09 they vastly improved fips, otherwise: `fips-mode-setup --enable` is all you need!
16:08:13 no more of the dracut grub update dance?
16:08:22 nope! :P
16:08:26 nice!
16:08:53 that's all my comments for now on RHEL 8...
16:09:20 #topic TMOUT
16:09:58 a co-worker and I were considering having the TMOUT=600 setting not take effect if the shell is opened in a screen session, and instead add a default screenrc to disconnect the screen session after the delay
16:10:25 that way, folks can come back to their work, rather than coming back to an ended screen session
16:10:44 (and for RHEL 8, that becomes tmux)
16:11:28 same idea for terminals opened w/in a gnome session w/ a gnome screen lock
16:11:41 currently, if you open gnome-terminal, it auto-closes after 10 minutes
16:11:52 it is probably a reasonable thing but I'm not sure about how DISA would interpret things
16:11:53 (but screenrc is the first target in mind)
16:12:11 which STIG IDs does the change affect?
16:12:47 RHEL-07-040160
16:14:01 fyi, ansible 2.8 (about to be released) is needed to support RHEL8 due to python and yum/dnf issues (you can handle it with older versions but it's a lot of work)
16:14:54 bcoca: due today, right?
16:15:02 good to know
16:15:27 (it fixes needing to set ansible_python_interpreter)
16:16:42 the Check Text is just a grep for `tmout` so if we armor it, the check would still pass
16:17:01 So it looks like the intent of the control (040160) is to terminate "network connections" associated with communication sessions so I don't think allowing screen or tmux session to remain active would run afoul of that
16:17:13 agreed
16:17:39 I still haven't had the time to e-mail DISA w/ the various STIG questions... some day
16:18:58 I don't have anything further at the moment
16:19:18 #topic Open Floor
16:21:19 I don't have anything.
16:21:41 I need to review some of the changes that came in on the RHEL7-CIS role I think but other than that nothing
16:22:38 oh, V2R3 allows tmux instead of screen
16:23:57 and no more authconfig-gtk!
16:24:15 ah yeah I forgot that a new rev was released
16:24:18 (apparently, I need to diff the docs and not rely on DISA's changelog)
16:24:30 those weren't mentioned in the changelog
16:24:49 the changelog is terrible
16:24:50 * cyberpear rolls eyes
16:25:07 I need to update the ticket that says "no changes needed for V2R3"
16:25:16 when they did the V1 to V2 release I think I diff'd the scap XML content and then cleaned it up to get a decent set of changes
16:25:38 that was the worst, yes
16:26:19 #action cyberpear to update V2R3 ticket with needed changes
16:26:45 the changelog didn't mention 15 updated rules
16:27:01 anyway, nothing further from me (probably)
16:27:31 ok
16:27:52 I'm done as well
16:28:31 #endmeeting