16:24:35 <cyberpear> #startmeeting Ansible Lockdown Working Group
16:24:35 <zodbot> Meeting started Thu Jul 25 16:24:35 2019 UTC.
16:24:35 <zodbot> This meeting is logged and archived in a public location.
16:24:35 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:24:35 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:24:35 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
16:24:43 <cyberpear> #chair dfed
16:24:43 <zodbot> Current chairs: cyberpear dfed
16:25:32 <cyberpear> how are the GUI remediation tasks coming along?
16:26:19 <dfed> oh I've paused to address some testing internally. I've got those OG changes I used to learn the testing process done, but I'm also tasked with setting up some internal projects. I can do that PR later this week or monday
16:27:07 <dfed> we're kinda spread out on github, wonder if we shouldn't consolidate and migrate testing to gitlab, since I am doing a ton of work there already, but I suppose that would affect the ansible repo, unless we set up a push from gitlab to the github sources
16:27:16 <cyberpear> cool
16:27:26 <dfed> those are my thoughts today, but I haven't had a lot of coffee so take it with a grain
16:27:40 <cyberpear> still haven't looked at gitlab...
16:27:44 <dfed> you can push to github from gitlab automatically
16:28:10 <dfed> so we could consolidate our work there with some more fine grained testing etc and push it out to github sources ansible depends on
16:28:15 <dfed> but again, no coffee.
16:28:16 <cyberpear> is the idea to move from GitHub to gitlab? Or is it just for testing
16:28:24 <dfed> it's both actually.
16:28:33 <dfed> but I'm not really fully formed on my thoughts there
16:28:53 <dfed> I was playing with it to see, and I did create this: https://gitlab.com/mindpointgroup/lockdown-community
16:28:57 <dfed> that's just a pull mirror though
16:29:04 <dfed> and I'm not doing anything with it yet
16:29:43 <dfed> we could reverse the mirror path and push out from those if we wanted. Might help to have them all in one place so I can give them all shared testing
16:30:49 <cyberpear> I think it's easier to contribute on GitHub only because of mass adoption...
16:31:05 <dfed> possibly, but their free tiers don't give us as much as gitlab
16:31:07 <cyberpear> (also why I haven't logged into gitlab in months; everything is on github)
16:31:26 <dfed> and again, this can be pull or push.
16:31:30 <cyberpear> makes sense
16:32:13 <dfed> but also: this isn't me declaring anything, thoughts welcome
16:32:58 <dfed> In situations where MPG might have to deliver private versions of the community stuff, what I am doing is making sure I can push up to the public gitlab repos, and those could push out the new changes.
16:33:25 <cyberpear> not sure how often we get drive-by contributions, but it's certainly easier w/o having to create a new account; I'd stick w/ github as primary w/o compelling reasons to move
16:33:42 <cyberpear> (I guess I'm originally a drive-by contributor, too; just I stuck around)
16:33:54 <dfed> some of those compelling reasons may need a private chat for us. :)
16:34:12 <dfed> that said, nothing is going to change right now except me pulling to gitlab to do some work
16:34:23 <cyberpear> fair enough
16:34:31 <dfed> ansible is still on github, and they link back to MPG's repos
16:34:40 <cyberpear> yep
16:34:43 <dfed> so we should have a presence, just whether that's upstream or gitlab is
16:34:49 <dfed> is the question
16:34:53 <dfed> and I have no bones either way
16:35:28 <dfed> I can easily automate the contributions from private contracts to wherever we want.
16:35:46 <cyberpear> makes sense
16:35:53 <dfed> but it should be known where my focus ends up, and that's on gitlab.
16:36:10 <dfed> that's ok, because again, I can push from gitlab to a branch on github
16:36:35 <dfed> which may bring in the work I've done on cat2 soon anyway, so we can test this out
16:36:50 <cyberpear> my gitlab username is @cassell
16:36:56 <dfed> awesome I'll add you
16:37:19 <cyberpear> Do you have anything existing for Firefox STIG on linux, or Oracle Java STIG?
16:37:26 <dfed> I do not yet
16:37:29 <cyberpear> (before I re-invent the wheel)
16:37:33 <dfed> but I suspect the second one will happen in the next 6 months
16:37:41 <cyberpear> I might have something for those in the coming months...
16:37:51 <dfed> if you create a new repo on github, let me know so I can pull to gitlab too
16:37:58 <cyberpear> yep
16:38:24 <dfed> you are added to gitlab org
16:38:37 <dfed> you'll need to enable 2fa for that
16:39:05 <dfed> my goal was mostly to create something central and organized for my work, not to tell the whole community to deal with it and move to gitlab
16:39:06 <cyberpear> I see, will do
16:39:30 <dfed> but, if we like the testing that goes there, and we can pilot with your new ones, it may be a good choice at some point.
16:39:53 <cyberpear> I have heard good things about gitlab CI tools
16:39:55 <dfed> it was trivial to move travis testing over to gitlab-ci and I will be adding more comprehensive linux/OS and windows testing to it
16:40:13 <dfed> I mean they're awesome, and I learned them in a day this week.
16:40:46 <cyberpear> nice
16:41:02 <dfed> but again, I'm just informing where I am focusing. I am happy to work around the community and push out if I need to. The only rub is the testing gaps that will happen eventually
16:41:25 <dfed> ie: I'm gonna put a lot into gitlab-ci for development of the windows roles and stuff.
16:41:58 <cyberpear> I wonder if github CI "awareness" can be taught about gitlab ci results
16:42:05 <cyberpear> (or if it's hard to do)
16:42:29 <dfed> well there is a snippet you can put in the readme that points back to the gitlab stuff, but it isn't the same snippet as the travis results in the readmes now
16:42:40 <dfed> so my thoughts are: possibly?
16:42:55 <dfed> if you have time later I can show you some stuff in a gotomeeting
16:43:27 <cyberpear> we can do that
16:43:35 <dfed> I'll ping you after the meeting with a link
16:43:55 <cyberpear> #topic open floor
16:44:08 <dfed> anyway no action items on the gitlab stuff, just FYI for everyone. I will still push my cat2 changes to rhel-7-stig later this week
16:44:13 <cyberpear> anything else meeting related? Any lurkers w/ comments/questions?
16:44:38 * cyberpear looks at relatively short channel member list
16:44:59 <dfed> I think it's just us. LOL
16:45:26 <dfed> brb sec, letting the dog out
16:47:16 <dfed> ok sorry
16:48:38 <dfed> @cyberpear honestly the java stig would be amazing to help with. I'm excited you have those in mind
16:49:14 <cyberpear> it looks pretty straightforward, from a very brief look
16:50:03 <dfed> indeed. We have that on our radar, so I'm happy to contribute and help
16:51:34 <cyberpear> It's an Oracle Java STIG, but I'd plan to apply it also to OpenJDK (especially now that Oracle requires licenses to use)
16:52:37 <dfed> indeed, both are on my radar. Another is for me to consolidate rhel-7-stig and cis to vecor based on vars in one role.
16:52:45 <dfed> *vector
16:52:52 <cyberpear> example?
16:52:54 <dfed> which is going to be a huge lift
16:53:13 <dfed> instead of having two roles: run the rhel-7-lockdown role and var: stig or var: cis true
16:53:35 <dfed> based on that var true, it runs the cis benchmark or the stig one. They way overlap
16:53:36 <cyberpear> I see, kind of like the ansible-hardening approach
16:53:45 <dfed> kind of, they did get that approach right, I think
16:53:55 <dfed> I think knowing where overlaps happen shorten our dev time
16:54:08 <cyberpear> certainly
16:54:37 <dfed> and we already do this with rhel/cent/oracle etc in the stig role, so if we do OS and a benchmark vector we get one more lean role rather than two big ones
16:55:10 <dfed> but that's a bit further down in my dev work and may honestly just be for rhel 8 when wtig and cis are both out on it
16:55:20 <dfed> *stig and cis
16:55:51 <cyberpear> would be good to show a proof-of-concept w/ one or three tasks, which I've been meaning to do for a while
16:56:04 <cyberpear> (just haven't gotten to yet)
16:56:09 <dfed> yeah
16:57:04 <cyberpear> #info plans to have consolidated CIS/STIG role for RHEL 8
16:57:19 <cyberpear> #endmeeting