19:03:34 <cyberpear> #startmeeting Ansible Lockdown Working Group
19:03:34 <zodbot> Meeting started Thu Apr 23 19:03:34 2020 UTC.
19:03:34 <zodbot> This meeting is logged and archived in a public location.
19:03:34 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:03:34 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:03:34 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
19:03:55 <cyberpear> .hello2
19:03:56 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
19:04:00 <cyberpear> #topic Roll Call
19:05:21 <cyberpear> looks like it's just me and xgeorgex today
19:05:36 <cyberpear> #topic multi-benchmark role
19:06:51 <cyberpear> so I pulled down the STIGs for Ubuntu 16, 18; RHEL 6,7; Oracle 6, 7; SLES 12
19:07:07 <xgeorgex> How did they work
19:07:19 <xgeorgex> You're talking about the diss ones right?
19:07:25 <xgeorgex> disa
19:07:31 <cyberpear> just literally the STIG, not any automation or benchmarks
19:07:34 <cyberpear> I don't have any way to get the CIS XML, though
19:07:47 <cyberpear> I wanted to start with one single rule that's common across all of them
19:07:56 <xgeorgex> ahh
19:08:06 <cyberpear> so I picked sshd_config Ciphers
19:08:19 <cyberpear> xgeorgex: do you know off hand if CIS has a Ciphers rule?
19:08:32 <cyberpear> and/or if you can import their XCCDF into STIG Viewer?
19:08:44 <xgeorgex> If I'm remembering right they do
19:08:47 <xgeorgex> I can check real quick
19:09:03 <xgeorgex> I worked on the rhel7 and 8 CIS
19:10:03 <cyberpear> cool
19:10:12 <cyberpear> yeah, looking for the PDF download now
19:10:53 <cyberpear> I see CIS also has a distro-independent linux benchmark
19:11:18 <xgeorgex> I haven't seen that one
19:13:23 <xgeorgex> I have the reel 7 and 8 benchmarks pdf if you want them
19:13:37 <cyberpear> I decided to also consider organizing it similar to the rules in SSG
19:14:07 <xgeorgex> RHEL not reel
19:14:08 <cyberpear> they have 66 "categories" once you expand the top-level 3 categories of rules
19:14:12 <xgeorgex> Autocorrect got me
19:14:27 <cyberpear> `find linux_os/guide/ -type d -name tests -exec sh -c 'dirname $(dirname "$1")' -- {} \; | sort -u | wc -l`
19:14:39 <cyberpear> will show you the SSG categories
19:16:02 <cyberpear> I see CIS RHEL 8 defers to CRYPTO_POLICIES
19:17:23 <cyberpear> looks like there's a rule for MACs but not Ciphers in CIS RHEL 7
19:17:43 <cyberpear> anyway, I don't have anything to show off yet, as I'd only really gotten started on it this afternoon
19:18:04 <xgeorgex> No worries there
19:18:20 <cyberpear> #topic Open Floor
19:18:28 <xgeorgex> We have a contract job with a client to get a bunch of windows stuff automated and that's what I've been working with
19:18:37 <cyberpear> sounds fun
19:18:53 <xgeorgex> Windows isn't bad, unless you are trying to use ansible stuff with it
19:19:01 <cyberpear> I haven't had a chance to play around w/ the Windows side of ansible
19:19:14 <xgeorgex> Well I should re-phrase that. Windows isn't bad for time and place
19:20:44 <xgeorgex> Other than that on our side David has been re-working our testing stuff
19:21:14 <cyberpear> that's good...
19:21:31 <cyberpear> I haven't been much involved w/ the CI/testing part of things on these roles
19:22:52 <cyberpear> I noticed a bug in the RHEL7/RHEL8 integration of the PGS9-STIG role in my PR that was merged...
19:23:15 <xgeorgex> What is the issue?
19:23:16 <cyberpear> I'd checked ansible_pkg_mgr against `RedHat` instead of against `yum`
19:23:37 <cyberpear> a simple typo, but it means that the rule that was supposed to be skipped only on RHEL 8 is also skipped on RHEL7
19:23:48 <cyberpear> I'll send a fixup when I get a chance
19:24:13 <xgeorgex> Nice catch
19:24:43 <cyberpear> I read thru the code for DISA's `stig_xml` callback
19:25:04 <cyberpear> basically, it marks as "failed" any items that come up as "changed", and "pass" for any that come up "ok"
19:25:25 <cyberpear> which means it's really meant to be run in check_mode
19:26:02 <cyberpear> I was thinking of copy/pasting it into a stig_notapplicable_xml to do something similar, but mark results as "NA" where appropriate, to reduce manual inputs
19:27:47 <cyberpear> and DISA's incoming renumbering of the `V-` identifiers allows the `stig_xml` callback to work in a more straightforward way
19:28:28 <cyberpear> the renumbering makes the <id> in SV-<id>r<rev> match the V-<id>
19:28:33 <cyberpear> whereas today they're completely unrelated
19:29:47 <cyberpear> I also lol'ed at their suggestion to turn off libvirtd since it mucks w/ STIG settings for network
19:29:55 <xgeorgex> lol
19:30:04 <cyberpear> since that's what I tell everyone -- you don't need libvirtd on a VM!
19:30:27 <cyberpear> (It gets pulled into any graphical install by Gnome Boxes)
19:31:26 <cyberpear> anyway, that's all I really have for today
19:31:56 <xgeorgex> Same here
19:32:16 <xgeorgex> With this other contract thing I pulled away from tomcat and some of the other normal stuff
19:32:47 <cyberpear> #topic Open Floor
19:33:00 <cyberpear> any lurkers today? any questions, comments, concerns?
19:33:10 <cyberpear> oh, any progress on galaxy releases?
19:33:35 <xgeorgex> I'm not sure there, that's stuff that David was working on
19:33:40 <cyberpear> fair enough
19:34:47 <cyberpear> In other news, Fedora 32 is releasing on Tuesday. -- it finally makes my ThinkPad P1 work "out of the box", and improves the battery life immensely! (still no fingerprint reader support, though... thanks Synaptics)
19:35:37 <cyberpear> anyway, will close in 2 minutes or so if nothing else comes up
19:41:38 <cyberpear> #endmeeting