19:08:12 <cyberpear> #startmeeting Ansible Lockdown Working Group
19:08:12 <zodbot> Meeting started Thu Aug  6 19:08:12 2020 UTC.
19:08:12 <zodbot> This meeting is logged and archived in a public location.
19:08:12 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:08:12 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:08:12 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
19:08:19 <cyberpear> #topic Roll Call
19:08:21 <cyberpear> .hello2
19:08:22 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
19:08:26 <dfed> .hello2 (this won
19:08:27 <zodbot> dfed: Sorry, but you don't exist
19:08:28 <dfed> 't work)
19:08:30 <dfed> LOL
19:08:37 <dfed> I need to fix that some day.
19:08:40 <cyberpear> need a FAS account, I think :P
19:08:43 <dfed> yeah.
19:08:47 <dfed> then I can exist!
19:09:07 <cyberpear> #topic Migration to ansible-lockdown GitHub namespace
19:09:29 <dfed> I have 9 total downstream releases to push up to the Ansible Lockdown area in Github
19:09:40 <cyberpear> nice
19:10:21 <dfed> Apache STIG/CIS, TOMCAT 9 STIG/CIS, RHEL 7,8 STIG/CIS, and Win 2k16/2k19 STIG/CIS
19:10:23 <dfed> that's more than 9
19:11:16 <dfed> some of those I think have their upstreams in the MPG space, and if I can, I'll just migrate them directly after pushing our changes
19:11:22 <cyberpear> The duplicates w/ the existing projects under MindPointGroup namespace probably require closer attention to resolve the differences, at least on the STIG side.
19:11:44 <dfed> Yeah maybe what we can do is migrate the upstream then push the downstream to a branch to eval
19:11:55 <cyberpear> yeah, make it a PR or whatever
19:12:17 <dfed> right. I'll do that.  For the windows stuff, I don't think we have an upstream yet (or if we do, it's not complete)
19:12:25 <cyberpear> right
19:12:50 <cyberpear> right, for the "abandoned" windows ones, probably best to just push your downstream changes on top
19:12:51 <dfed> Anyway I start on that today, so we'll see that over the weekend and I should be done by next meeting
19:13:45 <cyberpear> for the more community-active projects, we can send a message to the mailing list about the downstream->upstream PR in case anyone wants to take a look
19:13:55 <cyberpear> RHEL7-STIG and RHEL7-CIS, at least
19:14:17 <dfed> yeah, I forget if I am on that list, or not.  I'll double check later
19:15:53 <cyberpear> #url https://groups.google.com/forum/#!forum/ansible-lockdown
19:16:11 <dfed> That's the one.  I'll get my MPG email on it asap.
19:16:17 <cyberpear> I always have to lookup how to subscribe to those w/o a google account
19:16:32 <dfed> yeah I think I just email it from my account.
19:17:19 <dfed> anyway other than that upstream, I also have a plan to rebuild testing in two ways: 1) resolve the possible exposure of AWS keys with the existing rhel 7 testing (not a great setup) and 2) give us an icon that can show passing build and score in nessus.
19:17:37 <dfed> but, step 1: get the repos upstream, step 2: add the testing.
19:17:38 <cyberpear> that sounds valuable
19:18:03 <dfed> MPG is happy to run the infra to pull the PR requests and test them, so we'll build that once I get everything up there.
19:18:06 <cyberpear> maybe before migrating the MPG repos, look how Travis CI will handle it, or just drop Travis and use GH Actions
19:18:21 <dfed> the plan was to drop travis and use GH actions
19:18:36 <cyberpear> 🎉
19:18:53 <cyberpear> only because it's free, and native to the platform
19:18:54 <dfed> and basically just call out the api to our infra to start the test, and host the build pass/fail results in a way to fix the readmes
19:18:59 <cyberpear> not because I like vendor lock-in
19:19:04 <dfed> agreed
19:20:55 <cyberpear> so it's basically 1. create a new GH repo, then 2. git push
19:21:10 <dfed> yep, then 3. add testing at some point and 4. profit!
19:21:17 <cyberpear> are you trying to strip "sensitive" info out? (or is there none to begin with?)
19:21:43 <cyberpear> I haven't looked how GH handles secrets like API keys, but IIRC, they are aware of such things
19:21:46 <dfed> there's not much in the releases, internally we had a separate release repo to remove gitlab-ci info, etc. from customer view.
19:22:23 <dfed> on gitlab this worked fine as we just automated the pull, prune and commit to release with gpg signature.  So it won't take long to clean out things we don't need.
19:23:07 <cyberpear> sounds good
19:23:35 <dfed> other than that I don't have much news. LOL
19:23:45 <cyberpear> I find it useful to have the git history, but that's only easy if it was written from the beginning, with an eye toward public release
19:24:07 <dfed> yeah it really wasn't, and I myself often may have left a snark or two in comments.
19:24:29 <cyberpear> or perhaps just the history of "release 1.0, release 1.1", etc otherwise so there's some sense of when things changed
19:24:38 <dfed> That will be included if it can be.
19:24:47 <dfed> there's notes as to what we changed in each release.
19:25:07 <cyberpear> I could help construct that synthetic release-based into git if you want
19:25:27 <dfed> You know what, that wouldn't be bad.  You wanna chat about that tomorrow or monday?
19:25:45 <cyberpear> sure, let's tackle it Monday
19:26:07 <dfed> ok send me an invite.  I am open after 11am CST
19:26:34 <dfed> I think we can just pull each tag and submit as PRs to the upstream to preserve it, if it has to come down to that
19:26:35 <cyberpear> so maybe 11:30 CST?
19:26:38 <dfed> sure
19:28:02 <cyberpear> #topic Ansible Collections
19:28:09 <dfed> whoo boy.
19:28:29 <dfed> so yeah we need to move to this eventually.  Perhaps we can do this after we move the roles up as they are?
19:28:52 <cyberpear> I think for ansible-2.11, I'd like to get us included in the "community distribution", previously called "Ansible Community Distribution"/ACD by default, now just called "ansible"
19:29:32 <cyberpear> I think we should keep each role in its own repo, but make a synthetic collection automatically, so we can score high on the search results of Galaxy
19:30:13 <cyberpear> whether that's submodules or a cronjob GH action to automatically pull the changes
19:30:55 <dfed> agreed, likely it can be done with submodules
19:31:57 <cyberpear> separately, I'm thinking of creating a pip package called `ansible-classic` that doesn't force you to use a "fully qualified collection name" to refer to modules in the New World Order, but can use just the simple name... calling a filter by...
19:32:14 <cyberpear> `"{{ mystring | community.general.regex_search(Myargs)}}"` is silly
19:32:24 <cyberpear> but that's off-topic :P
19:32:25 <dfed> hmm. Interesting, I think I like that idea.
19:33:11 <cyberpear> I don't have anything else on Collections topic...
19:33:16 <cyberpear> #topic STIG Updates
19:33:37 <cyberpear> DISA dropped the latest quarterly update, including STIG for RHEL7
19:33:41 <cyberpear> I haven't checked how much changed
19:34:36 <cyberpear> looks like there's also an updated Apache STIG
19:36:04 <dfed> yeah we're going to add that to the current one we have
19:36:37 <cyberpear> looks like they did some deduplication of rules in V2R8, based on the "change history"
19:37:00 <cyberpear> and a bunch of rewording
19:37:09 <cyberpear> and "Updated Check and Fix for "auid!"" for all the audit rules
19:37:18 <cyberpear> haven't looked at the substance yet, though
19:38:03 <cyberpear> I don't have anything else for today
19:38:07 <cyberpear> #topic Open Floor
19:39:14 <dfed> I'm good.  Just got my guitar PLEK'd.
19:39:21 <dfed> other than that I have a boring life. LOL
19:39:25 <cyberpear> nice :P
19:39:32 <cyberpear> boring is good sometimes
19:39:38 <dfed> right now I'll take boring.
19:40:48 <cyberpear> I should go run and do some household chores...
19:40:52 <cyberpear> thanks for meeting!
19:40:58 <dfed> Righto, thanks man!  Talk soon!
19:41:05 <cyberpear> #endmeeting