19:08:12 <cyberpear> #startmeeting Ansible Lockdown Working Group
19:08:12 <zodbot> Meeting started Thu Aug 6 19:08:12 2020 UTC.
19:08:12 <zodbot> This meeting is logged and archived in a public location.
19:08:12 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:08:12 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:08:12 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
19:08:19 <cyberpear> #topic Roll Call
19:08:21 <cyberpear> .hello2
19:08:22 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
19:08:26 <dfed> .hello2 (this won
19:08:27 <zodbot> dfed: Sorry, but you don't exist
19:08:28 <dfed> 't work(
19:08:30 <dfed> LOL
19:08:37 <dfed> I need to fix that some day.
19:08:40 <cyberpear> need a FAS account, I think :P
19:08:43 <dfed> yeah.
19:08:47 <dfed> then I can exist!
19:09:07 <cyberpear> #topic Migration to ansible-lockdown GitHub namespace
19:09:29 <dfed> I have 9 total downstream releases to push up to the Ansible Lockdown area in Github
19:09:40 <cyberpear> nice
19:10:21 <dfed> Apache STIG/CIS, TOMCAT 9 STIG/CIS, RHEL 7,8 STIG/CIS, and Win 2k16/2k19 STIG/CIS
19:10:23 <dfed> that's more than 9
19:11:16 <dfed> some of those I think have their upstreams in the MPG space, and if I can, I'll just migrate them directly after pushing our changes
19:11:22 <cyberpear> The duplicates w/ the existing projects under MindPointGroup namespace probably require closer attention to resolve the differences, at least on the STIG side.
19:11:44 <dfed> Yeah maybe what we can do is migrate the upstream then push the downstream to a branch to eval
19:11:55 <cyberpear> yeah, make it a PR or whatever
19:12:17 <dfed> right. I'll do that. For the windows stuff, I don't think we have an upstream yet (or if we do, it's not complete)
19:12:25 <cyberpear> right
19:12:50 <cyberpear> right, for the "abandoned" windows ones, probably best to just push your downstream changes on top
19:12:51 <dfed> Anyway I start on that today, so we'll see that over the weekend and I should be done by next meeting
19:13:45 <cyberpear> for the more community-active projects, we can send a message to the mailing list about the downstream->upstream PR in case anyone wants to take a look
19:13:55 <cyberpear> RHEL7-STIG and RHEL7-CIS, at least
19:14:17 <dfed> yeah, I forget if I am on that list, or not. I'll double check later
19:15:53 <cyberpear> #url https://groups.google.com/forum/#!forum/ansible-lockdown
19:16:11 <dfed> That's the one. I'll get my MPG email on it asap.
19:16:17 <cyberpear> I always have to look up how to subscribe to those w/o a google account
19:16:32 <dfed> yeah I think I just email it from my account.
19:17:19 <dfed> anyway other than that upstream, I also have a plan to rebuild testing in two ways: 1) resolve the possible exposure of AWS keys with the existing rhel 7 testing (not a great setup) and 2) give us an icon that can show passing build and score in nessus.
19:17:37 <dfed> but, step 1: get the repos upstream, step 2: add the testing.
19:17:38 <cyberpear> that sounds valuable
19:18:03 <dfed> MPG is happy to run the infra to pull the PR requests and test them, so we'll build that once I get everything up there.
19:18:06 <cyberpear> maybe before migrating the MPG repos, look how Travis CI will handle it, or just drop Travis and use GH Actions
19:18:21 <dfed> the plan was to drop travis and use GH actions
19:18:36 <cyberpear> 🎉
19:18:53 <cyberpear> only because it's free, and native to the platform
19:18:54 <dfed> and basically just call out the api to our infra to start the test, and host the build pass/fail results in a way to fix the readmes
19:18:59 <cyberpear> not because I like vendor lock-in
19:19:04 <dfed> agreed
19:20:55 <cyberpear> so it's basically 1. create a new GH repo, then 2. git push
19:21:10 <dfed> yep, then 3. add testing at some point and 4. profit!
19:21:17 <cyberpear> are you trying to strip "sensitive" info out? (or is there none to begin with?)
19:21:43 <cyberpear> I haven't looked how GH handles secrets like API keys, but IIRC, they are aware of such things
19:21:46 <dfed> there's not much in the releases, internally we had a separate release repo to remove gitlab-ci info, etc. from customer view.
19:22:23 <dfed> on gitlab this worked fine as we just automated the pull, prune and commit to release with gpg signature. So it won't take long to clean out things we don't need.
19:23:07 <cyberpear> sounds good
19:23:35 <dfed> other than that I don't have much news. LOL
19:23:45 <cyberpear> I find it useful to have the git history, but that's only easy if it was written from the beginning, with an eye toward public release
19:24:07 <dfed> yeah it really wasn't, and I myself often may have left a snark or two in comments.
19:24:29 <cyberpear> or perhaps just the history of "release 1.0, release 1.1", etc otherwise so there's some sense of when things changed
19:24:38 <dfed> That will be included if it can be.
19:24:47 <dfed> there's notes as to what we changed in each release.
19:25:07 <cyberpear> I could help construct that synthetic release-based into git if you want
19:25:27 <dfed> You know what, that wouldn't be bad. You wanna chat about that tomorrow or monday?
19:25:45 <cyberpear> sure, let's tackle it Monday
19:26:07 <dfed> ok send me an invite. I am open after 11am CST
19:26:34 <dfed> I think we can just pull each tag and submit as PRs to the upstream to preserve it, if it has to come down to that
19:26:35 <cyberpear> so maybe 11:30 CST?
19:26:38 <dfed> sure
19:28:02 <cyberpear> #topic Ansible Collections
19:28:09 <dfed> whoo boy.
19:28:29 <dfed> so yeah we need to move to this eventually. Perhaps we can do this after we move the roles up as they are?
19:28:52 <cyberpear> I think for ansible-2.11, I'd like to get us included in the "community distribution", previously called "Ansible Community Distribution"/ACD by default, now just called "ansible"
19:29:32 <cyberpear> I think we should keep each role in its own repo, but make a synthetic collection automatically, so we can score high on the search results of Galaxy
19:30:13 <cyberpear> whether that's submodules or a cronjob GH action to automatically pull the changes
19:30:55 <dfed> agreed, likely it can be done with submodules
19:31:57 <cyberpear> separately, I'm thinking of creating a pip package called `ansible-classic` that doesn't force you to use a "fully qualified collection name" to refer to modules in the New World Order, but can use just the simple name... calling a filter by...
19:32:14 <cyberpear> `"{{ mystring | community.general.regex_search(Myargs)}}"` is silly
19:32:24 <cyberpear> but that's off-topic :P
19:32:25 <dfed> hmm. Interesting, I think I like that idea.
19:33:11 <cyberpear> I don't have anything else on Collections topic...
19:33:16 <cyberpear> #topic STIG Updates
19:33:37 <cyberpear> DISA dropped the latest quarterly update, including STIG for RHEL7
19:33:41 <cyberpear> I haven't checked how much changed
19:34:36 <cyberpear> looks like there's also an updated Apache STIG
19:36:04 <dfed> yeah we're going to add that to the current one we have
19:36:37 <cyberpear> looks like they did some deduplication of rules in V2R8, based on the "change history"
19:37:00 <cyberpear> and a bunch of rewording
19:37:09 <cyberpear> and "Updated Check and Fix for "auid!"" for all the audit rules
19:37:18 <cyberpear> haven't looked at the substance yet, though
19:38:03 <cyberpear> I don't have anything else for today
19:38:07 <cyberpear> #topic Open Floor
19:39:14 <dfed> I'm good. Just got my guitar PLEK'd.
19:39:21 <dfed> other than that I have a boring life. LOL
19:39:25 <cyberpear> nice :P
19:39:32 <cyberpear> boring is good sometimes
19:39:38 <dfed> right now I'll take boring.
19:40:48 <cyberpear> I should go run and do some household chores...
19:40:52 <cyberpear> thanks for meeting!
19:40:58 <dfed> Righto, thanks man! Talk soon!
19:41:05 <cyberpear> #endmeeting