19:00:31 <cyberpear> #startmeeting Ansible Lockdown Working Group
19:00:31 <zodbot> Meeting started Thu May 21 19:00:31 2020 UTC.
19:00:31 <zodbot> This meeting is logged and archived in a public location.
19:00:31 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:31 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:31 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
19:01:06 <cyberpear> #topic Roll Call
19:01:08 <cyberpear> .hello2
19:01:09 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
19:01:11 <cyberpear> who's here today?
19:01:37 <xgeorgex> Hey I'm here
19:01:44 <xgeorgex> I don't think David's making this week
19:01:45 <xgeorgex> Week
19:01:52 <cyberpear> ok
19:02:23 <xgeorgex> I don't think we have that much to bring for the meeting this week
19:02:32 <cyberpear> #topic RHEL 8 enablement for RHEL7 STIG
19:02:33 <xgeorgex> We are wrapping that other project with a client
19:02:43 <cyberpear> https://github.com/MindPointGroup/RHEL7-STIG/pull/287
19:03:00 <xgeorgex> In normal LE news I finished writing the tomcat 9 tasks
19:03:06 <cyberpear> cool!
19:03:11 <xgeorgex> I'm just going through seeing what tasks break the service
19:03:54 <cyberpear> I've rebased the PR above. I think it's ready.
19:03:56 <xgeorgex> Right now one of the tasks has you enable fipsmode and that appears to be blowing up the service since some of the other needed things for fipsmode aren't there
19:04:08 <xgeorgex> nice
19:04:42 <cyberpear> system fips mode?
19:04:51 <xgeorgex> I feel like I should have tomcat for RHEL wrapped up by the end of this week early early next week
19:05:11 <xgeorgex> The listener org.apache.catalina.core.AprLifecycleListener fipsmode
19:05:18 <xgeorgex> I don't know much about tomcat
19:05:28 <cyberpear> ah
19:05:33 <cyberpear> I haven't looked at that knob
19:05:56 <xgeorgex> Apparently you can't just enable the fipsmode to be on
19:06:07 <xgeorgex> You need to get the APR libraries installed and configured
19:06:21 <xgeorgex> Also some JNI wrappers for the APR setup
19:06:30 <cyberpear> that's unfortunate
19:07:19 <xgeorgex> Yeah I had a bunch of things in apache that were like that
19:07:32 <xgeorgex> Like to use that whatever you needed to install another package
19:07:44 <xgeorgex> So if I set the config in the config file the service would hate life
19:07:46 <cyberpear> kind of like needing pgaudit for Postgres
19:08:01 <xgeorgex> yeah
19:08:39 <xgeorgex> For that one, I just circled back and I need to install gcc (which I think comes by default), install apr configure that, install the apr util, then install the JDK stuff
19:09:14 <xgeorgex> So depending on how many of those pitfalls I have will determine how long until we can release the tomcat9 stig
19:09:23 <cyberpear> yeah
19:09:42 <xgeorgex> Then after that I'll start on CIS for apache
19:09:45 <cyberpear> ah
19:09:56 <cyberpear> well, hopefully you can re-use the STIG tasks
19:10:10 <xgeorgex> I'm going to re-write apache stig
19:10:30 <xgeorgex> So I'm going to do CIS from scratch
19:10:41 <cyberpear> yeah, you mentioned the `xml` module might make it better
19:10:45 <xgeorgex> I didn't use the xml module and I think it will be wayyyyy cleaner using it
19:11:11 <xgeorgex> So I need to go back and convert all of the lineinfiles/replaces/blockinfiles with xml modules
19:11:39 <cyberpear> do you think you'd have any time to review RHEL7-STIG on RHEL 8 changes? https://github.com/MindPointGroup/RHEL7-STIG/pull/287
19:12:30 <cyberpear> #topic Open Floor
19:12:40 <xgeorgex> I'll have to confirm with David but I see when we can fit that in
19:13:06 <xgeorgex> I'll have to confirm with David but I can see when we can fit that in
19:13:23 <cyberpear> thanks
19:13:41 <cyberpear> I think that's all I really had for today... not much progress on my hobby project lockdown-linux since last time
19:14:31 <xgeorgex> Same here, finished up writing some stuff for a non lockdown project and pushed through all of the tasks for tomcat 9
19:14:36 <xgeorgex> stig
19:16:01 <cyberpear> thanks for your time
19:16:08 <cyberpear> I'll close the meeting in a minute if nothing else comes up
19:17:09 <xgeorgex> Sounds good
19:18:47 <cyberpear> #endmeeting