16:41:20 #startmeeting Ansible Lockdown Working Group
16:41:20 Meeting started Wed Sep 18 16:41:20 2019 UTC.
16:41:20 This meeting is logged and archived in a public location.
16:41:20 The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:41:20 Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:41:20 The meeting name has been set to 'ansible_lockdown_working_group'
16:41:43 ok what's the outstanding issues from last time?
16:41:57 (Trey might not make it due to his schedule)
16:42:44 Q: Have we developed an SDK or at least a common env for those who want to contribute?
16:42:47 There's pending PRs, though I did find one issue w/ the dconf PR, which I'll send a fix for today.
16:42:53 (I can do this, btw, I just don't know)
16:43:02 oh really? awesome.
16:43:23 I'll make sure to review once I see that come in, but also to push downstream to LE too
16:44:12 I also opened a couple bugs against RHEL7-STIG... both are complaints by DISA content that don't actually impact security...
16:44:33 it finds a non-compliant dconf setting under distro.d when local.d overrides those
16:44:41 interesting. will check those out
16:44:43 not sure if we should try to care about that one
16:44:49 oh yeah I ran into that
16:45:02 the other is that they want `install usb-storage /bin/true` instead of our `install usb-storage /bin/false`
16:45:17 no we should output a debug message saying local overrides
16:45:22 half a dozen / 6, but doesn't hurt to do what they want
16:45:29 both effectively prevent loading usb-storage module
16:45:44 oh they swapped the value ok
16:45:51 agreed
16:46:32 ok ping me when you commit those and I'll review. I'm tweaking some testing options downstream so I'll have some to push upstream to make that a bit better
16:46:33 the issue w/ the dconf pr is that lock-delay should be 5 seconds, not 900, since that's the delay of after the screensaver activates before a lock is enforced
16:46:39 (grace period, so to speak)
16:46:44 got it
16:47:11 otherwise, we're missing a kmod audit rule the DISA content checks, that was added recently.
16:47:21 so I plan to address lock-delay=5 and kmod audit today.
16:47:24 ok let's set an action item for me to do a commit for a contributing.md file with env/testing instructions
16:47:33 sounds good
16:47:41 excellent I look forward to the tweaks
16:47:54 I think there was a bug somewhere saying we were missing a vagrantfile or something that was referenced (probably from some default readme we have)
16:48:13 yeah I wonder if we care about including a vagrant file
16:48:35 like I see we have a vagrant molecule role but I have never bothered to use it. though...it maybe should be what I use locally
16:48:37 I often end up "testing in production" these days since it's pretty stable, but otherwise spin up on-demand VMs using the convenient method of the day.
16:48:42 I'll dig into that later today too
16:48:54 yeah I do the same
16:49:04 honestly for the most part I test with the docker molecule role before I aim it against vms
16:49:26 yeah, containers are faster than VMs for startup time
16:49:36 I'll include the vagrantfile with the contributing if we want though
16:51:37 I might add disruption-high functionality to the RHEL6-STIG role, but it'll depend on whether it turns out to be needed for a particular project I'll use it for
16:51:41 ok I have those in my todo list for this week
16:51:59 interesting, I haven't poked much at rhel-6
16:52:46 We have some initial work done on Windows 2k16, but before we open up the upstream repo, I'd like to talk about migrating the content to the ansible-lockdown github group
16:53:02 yeah, I'm eager for RHEL6 to die, but the remaining legit use case for it is to reproduce deployed systems locally
16:53:07 I think we have one role there, but the rest in MPG's repos. Should we change that and migrate over to that group?
16:53:09 what did you have in mind?
16:53:46 I'd like to get them in to the same area on github. So I'd like to move the MPG repos over to the ansible-lockdown group's repos.
16:54:06 but that will also take coordinating with ansible upstream as they do submodules in their repos of the MPG repos
16:54:06 I think it makes it look more like a community project to have it under the ansible-lockdown org, but shepdelacreme wanted the PR value of having it under MindPointGroup, which I accepted since MPG has funded much of the dev of those roles
16:54:25 hm ok I'll talk to shepdelacreme about that
16:54:35 maybe we just mirror in the community not sure
16:54:46 yeah, I got kicked out of the ansible/ansible-lockdown repo by mistake when they enforced 2FA for github
16:54:56 (I didn't have it enabled at the time)
16:54:57 my thoughts is that one of the hindering factors of community growth may be the scattered nature
16:55:10 I think we can add you back
16:55:28 I put that on my todo today
16:55:33 to add you back
16:56:22 I'd be in favor of consolidating under ansible-lockdown GitHub org, but will allow you MPG folks decide what you want
16:56:42 * cyberpear digs thru meeting minutes
16:58:23 unfortunately meetbot.fedoraproject.org is not friendly to Google searches, so might be a lost cause
16:59:06 LOL no worries, let's start with the action items in housekeeping around repo consolidation and the contributing things for me, and the commits/PRs from you as our week's items
16:59:19 sounds good...
16:59:40 excellent thanks man. anything more?
16:59:41 I think all but my dconf PR are ready for merge... just the minor lock-delay fix for the dconf PR
16:59:55 I think that's all for today... thanks for your time!
17:00:00 I'll get through a review of those this week
17:00:05 thanks man!
17:00:18 #endmeeting