#ansible-lockdown log

20:01:34 <cyberpear> #startmeeting Ansible Lockdown Working Group
20:01:34 <zodbot> Meeting started Thu Mar  5 20:01:34 2020 UTC.
20:01:34 <zodbot> This meeting is logged and archived in a public location.
20:01:34 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:01:34 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
20:01:34 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
20:01:39 <cyberpear> #chair xgeorgex
20:01:39 <zodbot> Current chairs: cyberpear xgeorgex
20:02:01 <cyberpear> #info DISA has released Oracle Linux 7 STIG V1R1
20:02:04 <xgeorgex> Just to get a roll call, is there anyone joined besides cyberpear?
20:02:24 <cyberpear> .hello2
20:02:25 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
20:02:55 * cyberpear hears crickets
20:03:06 <xgeorgex> Lol I think it's just the two of us
20:03:28 <cyberpear> so what's new?
20:03:43 <xgeorgex> I'm still working on getting my stuff fully setup to handle the pr's
20:03:49 <xgeorgex> That should be in the next day or so
20:04:33 <xgeorgex> Also we finished up writing the tasks for the RHEL8 CIS role, which I think we won't over on the last meeting
20:04:58 <xgeorgex> We worked on getting the scoring working, however there isn't a good oscap profile yet
20:05:20 <cyberpear> https://github.com/MindPointGroup/RHEL7-STIG/pull/292 and https://github.com/MindPointGroup/RHEL7-STIG/pull/288 should be good unless there are any concerns
20:05:53 <cyberpear> you mean you have complete remediations for all of CIS on RHEL 8?
20:06:25 <xgeorgex> Yeah and on our side the CIS is done, all of the tasks do what they are expected to do. However I think a big part of the testing factor is being able to give a "it starts at this score and after the role is run you get this score"
20:06:45 <xgeorgex> So I don't think there is any concerns other than our client base liking to see those scores
20:07:23 <xgeorgex> The ones that can be. Some are things like review users have proper permissions
20:07:39 <xgeorgex> And some partition stuffs that can't be done on the fly
20:07:41 <dfed[m]> hello, on my phone and need to drop soon:  I will merge those two this afternoon @cyb
20:07:43 <cyberpear> yeah, those can be a pain
20:07:48 <dfed[m]> cyberpear:
20:07:56 <cyberpear> dfed[m]: thansk
20:08:57 <dfed[m]> xgeorgex: Let's review those against our downstream and make sure we incorporate them on rhel 7 stig
20:08:58 <cyberpear> would be cool if  we could find someone at DISA to join us and help us stay ahead of the game
20:09:05 <xgeorgex> Ok
20:09:07 <dfed[m]> working on that
20:09:10 <dfed[m]> ;)
20:10:06 <cyberpear> There was this https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org/thread/SDPLU7F6MKSWKWQBZTDL7Z4E5BL5OTZH/
20:10:14 <cyberpear> tl;dr: our role is the best one
20:10:56 <xgeorgex> Nice
20:11:01 <cyberpear> what else is up for discussion?
20:11:02 <dfed[m]> where's my surprised face? ;)
20:11:57 <dfed[m]> I gotta run. ping me if you need me
20:12:01 <cyberpear> I know we were going to move some roles over to the ansible-lockdown role?
20:12:08 <cyberpear> *Github org
20:12:23 <dfed[m]> still trying to get the stakeholders at MPG in a room to talk to them about that.
20:12:28 <cyberpear> but that's just a "nice to have" eventually
20:14:00 <xgeorgex> So we covered everything I had for this weeks meeting. Cyberpear, is there anything you wanted to cover
20:14:07 <xgeorgex> Other than the pr stuff?
20:14:38 <cyberpear> I think i'm all set for today.
20:15:19 <cyberpear> #info Several RHEL7-STIG PRs have been merged
20:15:41 <cyberpear> I'll close the meeting in 1 minute if there's nothing else
20:16:04 <cyberpear> actually, one thing
20:16:04 <xgeorgex> I think I'm good right now. I'll be hanging around in here until the end of the day. If anything else comes up let me know
20:16:10 <xgeorgex> sup
20:16:13 <cyberpear> python passlib is not available on RHEL 8
20:16:35 <cyberpear> we're currently using that for generating GRUB password hashes
20:16:46 <cyberpear> so we need a different/better way to do that
20:17:07 <cyberpear> (my guess is that they didn't want to get that library FIPS certified, hence dropping it)
20:17:08 <dfed[m]> we've talked about this on our side too.  agreed. (still not here)
20:17:30 <cyberpear> #info need a replacement for python passlib for grub2 password hashes
20:18:39 <cyberpear> maybe just extract that bit from passlib and add it directly to ansible in a new grub2 option to the existing password hash filter
20:18:46 <cyberpear> assuming it's straightforward
20:19:20 <cyberpear> (since we carry our own password hash filter/plugin, ansible dropped the dep w/o noticing any breakage since we never added our filter back to ansible proper)
20:19:32 <cyberpear> anyway, that's food for thought
20:19:56 <cyberpear> I'll let you have the rest of your time back.
20:20:03 <xgeorgex> Yeah it's something we will need to figure out as well
20:20:23 <xgeorgex> Sounds good, like I said earlier if you think of anything else let me know
20:20:30 <cyberpear> thanks, xgeorgex
20:20:37 <cyberpear> #endmeeting