16:00:50 <cyberpear> #startmeeting Ansible Lockdown Working Group
16:00:51 <zodbot> Meeting started Thu May 16 16:00:50 2019 UTC.
16:00:51 <zodbot> This meeting is logged and archived in a public location.
16:00:51 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:51 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:51 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
16:01:10 <cyberpear> #chair shepdelacreme defionscode
16:01:10 <zodbot> Current chairs: cyberpear defionscode shepdelacreme
16:01:22 <shepdelacreme> hello!
16:02:00 <cyberpear> so RHEL 8 came out
16:02:45 <cyberpear> based on looking over the release notes, the RHEL7-STIG role could likely run against it with minor tweaks, in the absence of a RHEL 8 STIG being available
16:02:57 <cyberpear> simple things like updated paths to audit config files
16:03:06 <cyberpear> chrony instead of ntp (which we already do)
16:03:31 <shepdelacreme> ok
16:04:26 <shepdelacreme> We should see about maybe adding in some RHEL 8 to the testing and then we can experiment on a branch to see what needs to change
16:04:27 <cyberpear> it was 2.5 years between the release of RHEL 7 and the RHEL 7 STIG
16:04:43 <shepdelacreme> yeah it will take DISA a good long while to release anything
16:04:43 <cyberpear> (so I don't expect a STIG for RHEL 8 anytime soon)
16:05:46 <shepdelacreme> I'm for exploring applying it to RHEL 8
16:06:08 <cyberpear> folks definitely want features in RHEL 8, though, and need /something/ to show their security/compliance departments, so I'm going to propose running RHEL7-STIG on RHEL 8, as much as that doesn't sound like the best idea
16:06:31 <cyberpear> fips mode breaks yum and/or subscription-manager, though :(
16:07:09 <cyberpear> they vastly improved fips, otherwise: `fips-mode-setup --enable` is all you need!
16:08:13 <shepdelacreme> no more of the dracut grub update dance?
16:08:22 <cyberpear> nope! :P
16:08:26 <shepdelacreme> nice!
16:08:53 <cyberpear> that's all my comments for now on RHEL 8...
16:09:20 <cyberpear> #topic TMOUT
16:09:58 <cyberpear> a co-worker and I were considering having the TMOUT=600 setting not take effect if the shell is opened in a screen session, and instead add a default screenrc to disconnect the screen session after the delay
16:10:25 <cyberpear> that way, folks can come back to their work, rather than coming back to an ended screen session
16:10:44 <cyberpear> (and for RHEL 8, that becomes tmux)
16:11:28 <cyberpear> same idea for terminals opened w/in a gnome session w/ a gnome screen lock
16:11:41 <cyberpear> currently, if you open gnome-terminal, it auto-closes after 10 minutes
16:11:52 <shepdelacreme> it is probably a reasonable thing but I'm not sure about how DISA would interpret things
16:11:53 <cyberpear> (but screenrc is the first target in mind)
16:12:11 <shepdelacreme> which STIG IDs does the change affect?
16:12:47 <cyberpear> RHEL-07-040160
16:14:01 <bcoca> fyi, ansible 2.8 (about to be released) is needed to support RHEL8 due to python and yum/dnf issues (you can handle it with older versions but it's a lot of work)
16:14:54 <cyberpear> bcoca: due today, right?
16:15:02 <shepdelacreme> good to know
16:15:27 <cyberpear> (it fixes needing to set ansible_python_interpreter)
16:16:42 <cyberpear> the Check Text is just a grep for `tmout` so if we armor it, the check would still pass
16:17:01 <shepdelacreme> So it looks like the intent of the control (040160) is to terminate "network connections" associated with communication sessions so I don't think allowing screen or tmux session to remain active would run afoul of that
16:17:13 <cyberpear> agreed
16:17:39 <cyberpear> I still haven't had the time to e-mail DISA w/ the various STIG questions... some day
16:18:58 <cyberpear> I don't have anything further at the moment
16:19:18 <cyberpear> #topic Open Floor
16:21:19 <shepdelacreme> I don't have anything.
16:21:41 <shepdelacreme> I need to review some of the changes that came in on the RHEL7-CIS role I think but other than that nothing
16:22:38 <cyberpear> oh, V2R3 allows tmux instead of screen
16:23:57 <cyberpear> and no more authconfig-gtk!
16:24:15 <shepdelacreme> ah yeah I forgot that a new rev was released
16:24:18 <cyberpear> (apparently, I need to diff the docs and not rely on DISA's changelog)
16:24:30 <cyberpear> those weren't mentioned in the changelog
16:24:49 <shepdelacreme> the changelog is terrible
16:24:50 * cyberpear rolls eyes
16:25:07 <cyberpear> I need to update the ticket that says "no changes needed for V2R3"
16:25:16 <shepdelacreme> when they did the V1 to V2 release I think I diff'd the scap XML content and then cleaned it up to get a decent set of changes
16:25:38 <cyberpear> that was the worst, yes
16:26:19 <cyberpear> #action cyberpear to update V2R3 ticket with needed changes
16:26:45 <cyberpear> the changelog didn't mention 15 updated rules
16:27:01 <cyberpear> anyway, nothing further from me (probably)
16:27:31 <shepdelacreme> ok
16:27:52 <shepdelacreme> I'm done as well
16:28:31 <cyberpear> #endmeeting