#ansible-lockdown log

19:34:11 <cyberpear> #startmeeting Ansible Lockdown Working Group
19:34:11 <zodbot> Meeting started Thu Apr  9 19:34:11 2020 UTC.
19:34:11 <zodbot> This meeting is logged and archived in a public location.
19:34:11 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:34:11 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:34:11 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
19:34:55 <cyberpear> I merged a bunch of the CIS role PRs, then had to revert one of them b/c of a conflict that caused failed tests
19:35:31 <cyberpear> I don't want them to linger and have contributors get discouraged, but I don't actually use the RHEL CIS role myself.
19:35:51 <xgeorgex> Ok. David is still working on transferring the repos on GitHub to community
19:36:01 <cyberpear> sounds good
19:36:14 <xgeorgex> It sounds like he's close to making that happen, but he's still working on it
19:37:14 <cyberpear> I want to get a good role template going to allow us to re-use tasks across different security standards, with such a role runing the relevant task subset based upon the selected standard
19:38:16 <cyberpear> SCAP Security Guide has a process where they template out entire ansible tasks, but their approach is backwards: they use jinja to lay down the tasks, instead of jinja within the tasks to affect behavior
19:38:17 <xgeorgex> nice. That was something that we have talked about on our side
19:38:25 <cyberpear> the result is a giant mess
19:38:46 <xgeorgex> I think as something once we get a few of the recent payed for roles finished up
19:39:04 <xgeorgex> Oh that's weird
19:39:57 <xgeorgex> I updated the Oscap stuff in the RHEL7 stig role yesterday. Apparently the profile name for rhel7 stig changed
19:40:18 <cyberpear> that seems to happen from time to time
19:41:16 <cyberpear> Seems the oscap part would be best as a separate role, to avoid duplication of effort across roles.
19:42:45 <xgeorgex> That's a good idea. That's how it was when I picked things up back in December, so I'm not sure if there are reasons for it be included in the roles
19:42:56 <cyberpear> then we can include the optionally oscap role at the start and end as/if requested by the role user
19:43:08 <cyberpear> using `include_role`
19:44:16 <xgeorgex> That's def. stuff to run by dfed to get his input on that. I can make a note to ask him about it
19:44:18 <cyberpear> worst case, use `git subtree` and have a copy in each role, but only ever update the master copy, then re-copy, kind of like how golang likes to `vendor/` stuff into a directory
19:44:52 <cyberpear> I really don't like having lots of copies of things around, but if you do, have a clear indication of where is the master copy
19:47:02 <dfed[m]> I have always meant to separate out oscap and molecule testing from the roles to use one subtree.
19:47:15 <dfed[m]> in my copious amounts of spare time
19:47:26 <xgeorgex> Yeah the more things around the more confusing and/or likeliness to get things mucked up are. For me the slimmer things are the better
19:47:28 <cyberpear> (and/or submodules, depending on your preference)
19:48:12 <cyberpear> I tend toward "one role per discrete task", but that doesn't necessarily scale w/ "security standard" roles
19:49:00 <xgeorgex> yeah
19:49:05 <cyberpear> for example, my nss-module role really should be an ansible module, but it's a role with module-like inputs: https://github.com/jamescassell/ansible-role-nss-module
19:49:51 <cyberpear> #chair xgeorgex dfed[m]
19:49:51 <zodbot> Current chairs: cyberpear dfed[m] xgeorgex
19:50:00 <cyberpear> anything else new?
19:50:21 <xgeorgex> I finished up a pre 1.0 release of apache stig
19:50:28 <cyberpear> cool!
19:50:35 <xgeorgex> It's for both RHEL and ubuntu
19:50:37 <cyberpear> I might try to check that one out
19:50:58 <cyberpear> until now, I've been pushing folks to use nginx solely because there's no STIG to implement for it :P
19:51:29 <cyberpear> I think we still need to follow up on the "lockdown" ansible collection to gather a place to support the ansible community.general modules we depend upon
19:51:41 <xgeorgex> yes
19:51:52 <xgeorgex> I poked dfed yesterday to see if he heard back from the RH folks and he hasn't
19:52:11 <xgeorgex> There were basic modules that I assumed weren't community that are, replace is one that we use a lot
19:52:51 <cyberpear> I could have sworn `replace` is in core?
19:53:15 <cyberpear> I'll try to get some time before next meeting to send an e-mail about a "lockdown" collection
19:53:16 <xgeorgex> I feel like, at least on our LE side, our roles don't use a large number of modules. The ones we do use seem to have a pretty good track record, so I wonder if they could push some through to not Supported
19:53:25 <xgeorgex> Since it's not a massive number
19:53:55 <xgeorgex> I was hoping they would get us a list of what needs to happen for a module to become S supported
19:54:10 <cyberpear> it was just a handful: `pamd`, `ini_file`, `firewalld`, `selogin`
19:54:30 <cyberpear> RH already indirectly supports `selogin` via their `linux-system-roles/selinux` role
19:54:55 <cyberpear> (I'd copied it from there to ansible proper, with cleanups and tests for it.)
19:55:17 <xgeorgex> nice
19:56:31 <cyberpear> anything else for today?
19:56:45 <xgeorgex> I think that was it on my side
19:56:57 <xgeorgex> Anything else on your side?
19:57:04 <cyberpear> nothing else from me
19:57:08 <cyberpear> #topic Open Floor
19:57:15 <cyberpear> any lurkers with questions/comments?
19:57:26 <cyberpear> otherwise, I'll close the meeting in a minute or so
20:01:53 <cyberpear> thanks!
20:01:55 <cyberpear> #endmeeting