19:03:34 <cyberpear> #startmeeting Ansible Lockdown Working Group
19:03:34 <zodbot> Meeting started Thu Apr 23 19:03:34 2020 UTC.
19:03:34 <zodbot> This meeting is logged and archived in a public location.
19:03:34 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:03:34 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:03:34 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
19:03:55 <cyberpear> .hello2
19:03:56 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
19:04:00 <cyberpear> #topic Roll Call
19:05:21 <cyberpear> looks like it's just me and xgeorgex today
19:05:36 <cyberpear> #topic multi-benchmark role
19:06:51 <cyberpear> so I pulled down the STIGs for Ubuntu 16, 18; RHEL 6,7; Oracle 6, 7; SLES 12
19:07:07 <xgeorgex> How did they work
19:07:19 <xgeorgex> You're talking about the diss ones right?
19:07:25 <xgeorgex> disa
19:07:31 <cyberpear> just literally the STIG, not any automation or benchmarks
19:07:34 <cyberpear> I don't have any way to get the CIS XML, though
19:07:47 <cyberpear> I wanted to start with one single rule that's common across all of them
19:07:56 <xgeorgex> ahh
19:08:06 <cyberpear> so I picked sshd_config Ciphers
19:08:19 <cyberpear> xgeorgex: do you know off hand if CIS has a Ciphers rule?
19:08:32 <cyberpear> and/or if you can import their XCCDF into STIG Viewer?
19:08:44 <xgeorgex> If I'm remembering right they do
19:08:47 <xgeorgex> I can check real quick
19:09:03 <xgeorgex> I worked on the rhel7 and 8 CIS
19:10:03 <cyberpear> cool
19:10:12 <cyberpear> yeah, looking for the PDF download now
19:10:53 <cyberpear> I see CIS also has a distro-independent linux benchmark
19:11:18 <xgeorgex> I haven't seen that one
19:13:23 <xgeorgex> I have the reel 7 and 8 benchmarks pdf if you want them
19:13:37 <cyberpear> I decided to also consider organizing it similar to the rules in SSG
19:14:07 <xgeorgex> RHEL not reel
19:14:08 <cyberpear> they have 66 "categories" once you expand the top-level 3 categories of rules
19:14:12 <xgeorgex> Autocorrect got me
19:14:27 <cyberpear> `find linux_os/guide/ -type d -name tests -exec sh -c 'dirname $(dirname "$1")' -- {} \; | sort -u | wc -l`
19:14:39 <cyberpear> will show you the SSG categories
19:16:02 <cyberpear> I see CIS RHEL 8 defers to CRYPTO_POLICIES
19:17:23 <cyberpear> looks like there's a rule for MACs but not Ciphers in CIS RHEL 7
19:17:43 <cyberpear> anyway, I don't have anything to show off yet, as I'd only really gotten started on it this afternoon
19:18:04 <xgeorgex> No worries there
19:18:20 <cyberpear> #topic Open Floor
19:18:28 <xgeorgex> We have a contract job with a client to get a bunch of windows stuff automated and that's what I've been working with
19:18:37 <cyberpear> sounds fun
19:18:53 <xgeorgex> Windows isn't bad, unless you are trying to use ansible stuff with it
19:19:01 <cyberpear> I haven't had a chance to play around w/ the Windows side of ansible
19:19:14 <xgeorgex> Well I should re-phrase that. Windows isn't bad for time and place
19:20:44 <xgeorgex> Other than that on our side David has been re-working our testing stuff
19:21:14 <cyberpear> that's good...
19:21:31 <cyberpear> I haven't been much involved w/ the CI/testing part of things on these roles
19:22:52 <cyberpear> I noticed a bug in the RHEL7/RHEL8 integration of the PGS9-STIG role in my PR that was merged...
19:23:15 <xgeorgex> What is the issue?
19:23:16 <cyberpear> I'd checked ansible_pkg_mgr against `RedHat` instead of against `yum`
19:23:37 <cyberpear> a simple typo, but it means that the rule that was supposed to be skipped only on RHEL 8 is also skipped on RHEL7
19:23:48 <cyberpear> I'll send a fixup when I get a chance
19:24:13 <xgeorgex> Nice catch
19:24:43 <cyberpear> I read thru the code for DISA's `stig_xml` callback
19:25:04 <cyberpear> basically, it marks as "failed" any items that come up as "changed", and "pass" for any that come up "ok"
19:25:25 <cyberpear> which means it's really meant to be run in check_mode
19:26:02 <cyberpear> I was thinking of copy/paste it into a stig_notapplicable_xml to do something similar, but mark results as "NA" where appropriate, to reduce manual inputs
19:27:47 <cyberpear> and DISA's incoming renumbering of the `V-` identifiers allows the `stig_xml` callback to work in a more straightforward way
19:28:28 <cyberpear> the renumbering makes the ids match in SV-<id>r<rev> match the V-<id>
19:28:33 <cyberpear> whereas today they're completely unrelated
19:29:47 <cyberpear> I also lol'ed at their suggestion to turn off libvirtd since it mucks w/ STIG settings for network
19:29:55 <xgeorgex> lol
19:30:04 <cyberpear> since that's what I tell everyone -- you don't need libvirtd on a VM!
19:30:27 <cyberpear> (It gets pulled into any graphical install by Gnome Boxes)
19:31:26 <cyberpear> anyway, that's all I really have for today
19:31:56 <xgeorgex> Same here
19:32:16 <xgeorgex> With this other contract thing I pulled away from tomcat and some of the other normal stuff
19:32:47 <cyberpear> #topic Open Floor
19:33:00 <cyberpear> any lurkers today? any questions, comments, concerns?
19:33:10 <cyberpear> oh, any progress on galaxy releases?
19:33:35 <xgeorgex> I'm not sure there, that's stuff that David was working on
19:33:40 <cyberpear> fair enough
19:34:47 <cyberpear> In other news, Fedora 32 is releasing on Tuesday. -- it finally makes my ThinkPad P1 work "out of the box", and improves the battery life immensely! (still no fingerprint reader support, though... thanks Synaptics)
19:35:37 <cyberpear> anyway, will close in 2 minutes or so if nothing else comes up
19:41:38 <cyberpear> #endmeeting