16:24:35 #startmeeting Ansible Lockdown Working Group
16:24:35 Meeting started Thu Jul 25 16:24:35 2019 UTC.
16:24:35 This meeting is logged and archived in a public location.
16:24:35 The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:24:35 Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:24:35 The meeting name has been set to 'ansible_lockdown_working_group'
16:24:43 #chair dfed
16:24:43 Current chairs: cyberpear dfed
16:25:32 how are the GUI remediation tasks coming along?
16:26:19 oh I've paused to address some testing internally. I've got those OG changes I used to learn the testing process done, but I'm also tasked with setting up some internal projects. I can do that PR later this week or monday
16:27:07 we're kinda spread out on github, wonder if we shouldn't consolidate and migrate testing to gitlab, since I am doing a ton of work there already, but I suppose that would affect the ansible repo, unless we set up a push from gitlab to the github sources
16:27:16 cool
16:27:26 those are my thoughts today, but I haven't had a lot of coffee so take it with a grain
16:27:40 still haven't looked at gitlab...
16:27:44 you can push to github from gitlab automatically
16:28:10 so we could consolidate our work there with some more fine grained testing etc and push it out to github sources ansible depends on
16:28:15 but again, no coffee.
16:28:16 is the idea to move from GitHub to gitlab? Or is it just for testing
16:28:24 it's both actually.
16:28:33 but I'm not really fully formed on my thoughts there
16:28:53 I was playing with it to see, and I did create this: https://gitlab.com/mindpointgroup/lockdown-community
16:28:57 that's just a pull mirror though
16:29:04 and I'm not doing anything with it yet
16:29:43 we could reverse the mirror path and push out from those if we wanted. Might help to have them all in one place so I can give them all shared testing
16:30:49 I think it's easier to contribute on GitHub only because of mass adoption...
16:31:05 possibly, but their free tiers don't give us as much as gitlab
16:31:07 (also why I haven't logged into gitlab in months; everything is on github)
16:31:26 and again, this can be pull or push.
16:31:30 makes sense
16:32:13 but also: this isn't me declaring anything, thoughts welcome
16:32:58 In situations where MPG might have to deliver private versions of the community stuff, what I am doing is making sure I can push up to the public gitlab repos, and those could push out the new changes.
16:33:25 not sure how often we get drive-by contributions, but it's certainly easier w/o having to create a new account; I'd stick w/ github as primary w/o compelling reasons to move
16:33:42 (I guess I'm originally a drive-by contributor, too; just I stuck around)
16:33:54 some of those compelling reasons may need a private chat for us. :)
16:34:12 that said, nothing is going to change right now except me pulling to gitlab to do some work
16:34:23 fair enough
16:34:31 ansible is still on github, and they link back to MPG's repos
16:34:40 yep
16:34:43 so we should have a presence, just whether that's upstream or gitlab is
16:34:49 is the question
16:34:53 and I have no bones either way
16:35:28 I can easily automate the contributions from private contracts to wherever we want.
16:35:46 makes sense
16:35:53 but it should be known where my focus ends up, and that's on gitlab.
16:36:10 that's ok, because again, I can push from gitlab to a branch on github
16:36:35 which may bring in the work I've done on cat2 soon anyway, so we can test this out
16:36:50 my gitlab username is @cassell
16:36:56 awesome I'll add you
16:37:19 Do you have anything existing for Firefox STIG on linux, or Oracle Java STIG?
16:37:26 I do not yet
16:37:29 (before I re-invent the wheel)
16:37:33 but I suspect the second one will happen in the next 6 months
16:37:41 I might have something for those in the coming months...
16:37:51 if you create a new repo on github, let me know so I can pull to gitlab too
16:37:58 yep
16:38:24 you are added to gitlab org
16:38:37 you'll need to enable 2fa for that
16:39:05 my goal was mostly to create something central and organized for my work, not to tell the whole community to deal with it and move to gitlab
16:39:06 I see, will do
16:39:30 but, if we like the testing that goes there, and we can pilot with your new ones, it may be a good choice at some point.
16:39:53 I have heard good things about gitlab CI tools
16:39:55 it was trivial to move travis testing over to gitlab-ci and I will be adding more comprehensive linux/OS and windows testing to it
16:40:13 I mean they're awesome, and I learned them in a day this week.
16:40:46 nice
16:41:02 but again, I'm just informing where I am focusing. I am happy to work around the community and push out if I need to. The only rub is the testing gaps that will happen eventually
16:41:25 ie: I'm gonna put a lot into gitlab-ci for development of the windows roles and stuff.
16:41:58 I wonder if github CI "awareness" can be taught about gitlab ci results
16:42:05 (or if it's hard to do)
16:42:29 well there is a snippet you can put in the readme that points back to the gitlab stuff, but it isn't the same snippet as the travis results in the readmes now
16:42:40 so my thoughts are: possibly?
16:42:55 if you have time later I can show you some stuff in a gotomeeting
16:43:27 we can do that
16:43:35 I'll ping you after the meeting with a link
16:43:55 #topic open floor
16:44:08 anyway no action items on the gitlab stuff, just FYI for everyone. I will still push my cat2 changes to rhel-7-stig later this week
16:44:13 anything else meeting related? Any lurkers w/ comments/questions?
16:44:38 * cyberpear looks at relatively short channel member list
16:44:59 I think it's just us. LOL
16:45:26 brb sec, letting the dog out
16:47:16 ok sorry
16:48:38 @cyberpear honestly the java stig would be amazing to help with. I'm excited you have those in mind
16:49:14 it looks pretty straightforward, from a very brief look
16:50:03 indeed. We have that on our radar, so I'm happy to contribute and help
16:51:34 It's an Oracle Java STIG, but I'd plan to apply it also to OpenJDK (especially now that Oracle requires licenses to use)
16:52:37 indeed, both are on my radar. Another is for me to consolidate rhel-7-stig and cis to vecor based on vars in one role.
16:52:45 *vector
16:52:52 example?
16:52:54 which is going to be a huge lift
16:53:13 instead of having two roles: run the rhel-7-lockdown role and var: stig or var: cis true
16:53:35 based on that var true, it runs the cis benchmark or the stig one. They way overlap
16:53:36 I see, kind of like the ansible-hardening approach
16:53:45 kind of, they did get that approach right, I think
16:53:55 I think knowing where overlaps happen shortens our dev time
16:54:08 certainly
16:54:37 and we already do this with rhel/cent/oracle etc in the stig role, so if we do OS and a benchmark vector we get one more lean role rather than two big ones
16:55:10 but that's a bit further down in my dev work and may honestly just be for rhel 8 when wtig and cis are both out on it
16:55:20 *stig and cis
16:55:51 would be good to show a proof-of-concept w/ one or three tasks, which I've been meaning to do for a while
16:56:04 (just haven't gotten to yet)
16:56:09 yeah
16:57:04 #info plans to have consolidated CIS/STIG role for RHEL 8
16:57:19 #endmeeting