19:04:29 <cyberpear> #startmeeting Ansible Lockdown Working Group
19:04:29 <zodbot> Meeting started Thu Apr 16 19:04:29 2020 UTC.
19:04:29 <zodbot> This meeting is logged and archived in a public location.
19:04:29 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:04:29 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:04:29 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
19:04:37 <cyberpear> .hello2
19:04:38 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
19:04:47 <cyberpear> who's here today?
19:04:53 <cyberpear> #topic Roll Call
19:05:06 <xgeorgex> I'm here
19:05:20 <xgeorgex> I don't think David's going to make it today
19:06:45 <cyberpear> #topic non-lockdown ansible automation
19:07:09 <cyberpear> so the biggest unannounced news seems to be that DISA is now publishing ansible automation content for STIGs
19:07:21 <cyberpear> #info DISA is now publishing ansible roles
19:07:33 <xgeorgex> Yeah that's interesting
19:07:44 <cyberpear> #url https://public.cyber.mil/stigs/supplemental-automation-content/
19:08:18 <cyberpear> for ansible, there's Cisco IOS XE RTR and DNM, Docker Enterprise 2.x, RHEL7, and vSphere 6.5
19:08:50 <cyberpear> probably the coolest part of the RHEL 7 one (the one I looked at) is that it outputs results xml you can import into the STIG Viewer
19:09:19 <xgeorgex> That is pretty cool. I haven't looked at the details of it yet
19:09:29 <cyberpear> kind of like my earlier proposed https://github.com/MindPointGroup/RHEL7-STIG/issues/232 "Support DISA STIG Viewer Results Import"
19:09:40 <cyberpear> they implemented it via a custom callback plugin
19:10:26 <cyberpear> at a glance, it appears to both support check_mode and to have a variable to turn on or off each rule
19:10:28 <xgeorgex> I am intrigued to see how well these run
19:10:37 <xgeorgex> Hmm
19:10:46 <cyberpear> I don't like that they used mixed-case variable names, though
19:10:57 <xgeorgex> Oh
19:11:07 <xgeorgex> I didn't even notice that, I don't like it either
19:11:50 <cyberpear> The other one that I wanted to point out is Red Hat's Supported ansible playbooks included in their scap-security-guide package.  The RHEL 7 STIG version is available at /usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml from the scap-security-guide package
19:12:26 <cyberpear> we already know it's not good content, but could be used as leverage to get certain bugs fixed that are triggered by said automation content
19:12:38 <xgeorgex> True
19:13:17 <xgeorgex> We will need to poke at that a bit to see what we can pull from it
19:14:24 <cyberpear> #topic Open Floor
19:14:58 <cyberpear> I didn't get to send any messages re an ansible-lockdown collection since last meeting.
19:15:26 <xgeorgex> I have been working through tomcat and another project so I've just had my head down running through things. I think the DISA roles are something I'll really poke at next. I have a feeling they will be oscap content and might not be that great
19:15:36 <xgeorgex> I didn't either
19:15:43 <xgeorgex> And I haven't seen anything else in either direction
19:15:48 <xgeorgex> About the collection stuff
19:16:33 <cyberpear> they look significantly better than SSG content, but are likely inspired by SSG content
19:16:48 <xgeorgex> yeah
19:17:57 <cyberpear> I've started asking web.archive.org to archive the various things I use from cyber.mil because they don't seem to keep old versions anymore, which makes it very hard to do a comparison
19:18:13 <xgeorgex> Oh yeah that's a good idea
19:18:15 <cyberpear> but it's ad-hoc and I'll likely miss things that I need but forgot to send to the archive
19:18:43 <cyberpear> I wish there were a "periodically trawl and archive all links on this page" button
19:19:18 <xgeorgex> I hear that, having to do it manually leaves it open to miss something
19:21:55 <cyberpear> I opened a couple of bugs on the PGS9-STIG repo
19:22:02 <cyberpear> "RFE's" if you will
19:22:10 <cyberpear> I'll probably get to them eventually
19:23:57 <cyberpear> apparently GitHub now has "pinned issues" -- I've just pinned a couple on the RHEL7-STIG repo
19:25:08 <cyberpear> #topic Ansible Galaxy updates
19:25:22 <cyberpear> What do we need to do to push a newer version of each of the roles to Galaxy?
19:25:23 <xgeorgex> Cool
19:25:39 <xgeorgex> I'll have to get with David (dfed) on that one
19:25:45 <cyberpear> we keep getting bug reports about long-fixed bugs, from folks using the ancient versions from galaxy
19:26:31 <cyberpear> (apparently pinned issues are limited to 3)
19:26:37 <dfed[m]> I can't fix that until I get the logins for the galaxy account.
19:26:58 <dfed[m]> which, along with ownership of the repos to move them, is something I am waiting on
19:27:54 <cyberpear> I'm only admin on the PGS9-STIG repo, which hasn't been published to Galaxy
19:28:57 <cyberpear> would it help to get a new release tagged, then we can ask someone w/ the creds to do a push for us?
19:29:39 <dfed[m]> if I can figure out who has the account, yes.  There's a bit of communication errors on our end on this
19:29:57 <cyberpear> likely defionscode or shepledacreme
19:30:57 <cyberpear> #topic Open Floor
19:31:01 <dfed[m]> likely, but until someone answers me, not sure.  I may swing past those two and go straight to jason mckerr to get the account reassigned to me on the RHEL end if I can
19:31:19 <cyberpear> always a "back door" somewhere :P
19:31:31 <cyberpear> anything else for today?
19:31:42 <xgeorgex> I didn't have anything else
19:32:06 <cyberpear> any lurkers today?
19:32:14 <cyberpear> will close the meeting in 2 minutes if nothing comes up
19:32:23 <xgeorgex> Sounds good
19:37:58 <cyberpear> #endmeeting