16:41:20 <cyberpear> #startmeeting Ansible Lockdown Working Group
16:41:20 <zodbot> Meeting started Wed Sep 18 16:41:20 2019 UTC.
16:41:20 <zodbot> This meeting is logged and archived in a public location.
16:41:20 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:41:20 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:41:20 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
16:41:43 <dfed[m]> ok what are the outstanding issues from last time?
16:41:57 <dfed[m]> (Trey might not make it due to his schedule)
16:42:44 <dfed[m]> Q: Have we developed an SDK or at least a common env for those who want to contribute?
16:42:47 <cyberpear> There are pending PRs, though I did find one issue w/ the dconf PR, which I'll send a fix for today.
16:42:53 <dfed[m]> (I can do this, btw, I just don't know)
16:43:02 <dfed[m]> oh really? awesome.
16:43:23 <dfed[m]> I'll make sure to review once I see that come in, but also to push downstream to LE too
16:44:12 <cyberpear> I also opened a couple bugs against RHEL7-STIG... both are complaints by DISA content that don't actually impact security...
16:44:33 <cyberpear> it finds a non-compliant dconf setting under distro.d when local.d overrides those
16:44:41 <dfed[m]> interesting.  will check those out
16:44:43 <cyberpear> not sure if we should try to care about that one
16:44:49 <dfed[m]> oh yeah I ran into that
16:45:02 <cyberpear> the other is that they want `install usb-storage /bin/true` instead of our `install usb-storage /bin/false`
16:45:17 <dfed[m]> no we should output a debug message saying local overrides
16:45:22 <cyberpear> half a dozen / 6, but doesn't hurt to do what they want
16:45:29 <cyberpear> both effectively prevent loading usb-storage module
16:45:44 <dfed[m]> oh they swapped the value ok
16:45:51 <dfed[m]> agreed
16:46:32 <dfed[m]> ok ping me when you commit those and I'll review.  I'm tweaking some testing options downstream so I'll have some to push upstream to make that a bit better
16:46:33 <cyberpear> the issue w/ the dconf PR is that lock-delay should be 5 seconds, not 900, since that's the delay after the screensaver activates before a lock is enforced
16:46:39 <cyberpear> (grace period, so to speak)
16:46:44 <dfed[m]> got it
16:47:11 <cyberpear> otherwise, we're missing a kmod audit rule the DISA content checks, that was added recently.
16:47:21 <cyberpear> so I plan to address lock-delay=5 and kmod audit today.
16:47:24 <dfed[m]> ok let's set an action item for me to do a commit for a contributing.md file with env/testing instructions
16:47:33 <cyberpear> sounds good
16:47:41 <dfed[m]> excellent I look forward to the tweaks
16:47:54 <cyberpear> I think there was a bug somewhere saying we were missing a vagrantfile or something that was referenced (probably from some default readme we have)
16:48:13 <dfed[m]> yeah I wonder if we care about including a vagrant file
16:48:35 <dfed[m]> like I see we have a vagrant molecule role but I have never bothered to use it.  though...it maybe should be what I use locally
16:48:37 <cyberpear> I often end up "testing in production" these days since it's pretty stable, but otherwise spin up on-demand VMs using the convenient method of the day.
16:48:42 <dfed[m]> I'll dig into that later today too
16:48:54 <dfed[m]> yeah I do the same
16:49:04 <dfed[m]> honestly for the most part I test with the docker molecule role before I aim it against vms
16:49:26 <cyberpear> yeah, containers are faster than VMs for startup time
16:49:36 <dfed[m]> I'll include the vagrantfile with the contributing if we want though
16:51:37 <cyberpear> I might add disruption-high functionality to the RHEL6-STIG role, but it'll depend on whether it turns out to be needed for a particular project I'll use it for
16:51:41 <dfed[m]> ok I have those in my todo list for this week
16:51:59 <dfed[m]> interesting, I haven't poked much at rhel-6
16:52:46 <dfed[m]> We have some initial work done on Windows 2k16, but before we open up the upstream repo, I'd like to talk about migrating the content to the ansible-lockdown github group
16:53:02 <cyberpear> yeah, I'm eager for RHEL6 to die, but the remaining legit use case for it is to reproduce deployed systems locally
16:53:07 <dfed[m]> I think we have one role there, but the rest in MPG's repos.  Should we change that and migrate over to that group?
16:53:09 <cyberpear> what did you have in mind?
16:53:46 <dfed[m]> I'd like to get them in to the same area on github.  So I'd like to move the MPG repos over to the ansible-lockdown group's repos.
16:54:06 <dfed[m]> but that will also take coordinating with ansible upstream as they do submodules in their repos of the MPG repos
16:54:06 <cyberpear> I think it makes it look more like a community project to have it under the ansible-lockdown org, but shepdelacreme wanted the PR value of having it under MindPointGroup, which I accepted since MPG has funded much of the dev of those roles
16:54:25 <dfed[m]> hm ok I'll talk to shepdelacreme about that
16:54:35 <dfed[m]> maybe we just mirror in the community not sure
16:54:46 <cyberpear> yeah, I got kicked out of the ansible/ansible-lockdown repo by mistake when they enforced 2FA for github
16:54:56 <cyberpear> (I didn't have it enabled at the time)
16:54:57 <dfed[m]> my thought is that one of the hindering factors of community growth may be the scattered nature
16:55:10 <dfed[m]> I think we can add you back
16:55:28 <dfed[m]> I put that on my todo today
16:55:33 <dfed[m]> to add you back
16:56:22 <cyberpear> I'd be in favor of consolidating under ansible-lockdown GitHub org, but will let you MPG folks decide what you want
16:56:42 * cyberpear digs thru meeting minutes
16:58:23 <cyberpear> unfortunately meetbot.fedoraproject.org is not friendly to Google searches, so might be a lost cause
16:59:06 <dfed[m]> LOL no worries, let's start with the action items in housekeeping around repo consolidation and the contributing things for me, and the commits/PRs from you as our week's items
16:59:19 <cyberpear> sounds good...
16:59:40 <dfed[m]> excellent thanks man.  anything more?
16:59:41 <cyberpear> I think all but my dconf PR are ready for merge... just the minor lock-delay fix for the dconf PR
16:59:55 <cyberpear> I think that's all for today... thanks for your time!
17:00:00 <dfed[m]> I'll get through a review of those this week
17:00:05 <dfed[m]> thanks man!
17:00:18 <cyberpear> #endmeeting