19:00:31 #startmeeting Ansible Lockdown Working Group
19:00:31 Meeting started Thu May 21 19:00:31 2020 UTC.
19:00:31 This meeting is logged and archived in a public location.
19:00:31 The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:31 Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:31 The meeting name has been set to 'ansible_lockdown_working_group'
19:01:06 #topic Roll Call
19:01:08 .hello2
19:01:09 cyberpear: cyberpear 'James Cassell'
19:01:11 who's here today?
19:01:37 Hey I'm here
19:01:44 I don't think davids making this week
19:01:45 Week
19:01:52 ok
19:02:23 I don't think we have that much to bring for the meeting this week
19:02:32 #topic RHEL 8 enablement for RHEL7 STIG
19:02:33 We are wrapping that other project with a client
19:02:43 https://github.com/MindPointGroup/RHEL7-STIG/pull/287
19:03:00 In normal LE news I finished writing the tomcat 9 tasks
19:03:06 cool!
19:03:11 I'm just going through seeing what tasks break the service
19:03:54 I've rebased the PR above. I think it's ready.
19:03:56 Right now one of the tasks has you enable fipsmode and that appears to be blowing up the service since some of the other needed things for fipsmode aren't there
19:04:08 nice
19:04:42 system fips mode?
19:04:51 I feel like I should have tomcat for RHEL wrapped up by the end of this week early early next week
19:05:11 The listener org.apache.catalina.core.AprLifecycleListener fipsmode
19:05:18 I don't know much about tomcat
19:05:28 ah
19:05:33 I haven't looked at that knob
19:05:56 Apparently you can't just enable the fipsmode to be on
19:06:07 You need to get the APR libraries installed and configured
19:06:21 Also some JNI wrappers for the APR setup
19:06:30 that's unfortunate
19:07:19 Yeah I had a bunch of things in apache that were like that
19:07:32 Like to use that whatever you needed to install another package
19:07:44 So if I set the config in the config file the service would hate life
19:07:46 kind of like needing pgaudit for Postgres
19:08:01 yeah
19:08:39 For that one, I just circled back and I need to install gcc (which I think comes by default), install apr configure that, install the apr util, then install the JDK stuff
19:09:14 So depending on how many of those pitfalls I have will determine how long until we can release the tomcat9 stig
19:09:23 yeah
19:09:42 Then after that I'll start on CIS for apache
19:09:45 ah
19:09:56 well, hopefully you can re-use the STIG tasks
19:10:10 I'm going to re-write apache stig
19:10:30 So I'm going to do CIS from scratch
19:10:41 yeah, you mentioned the `xml` module might make it better
19:10:45 I didn't use the xml module and I think it will be wayyyyy cleaner using it
19:11:11 So I need to go back and convert all of the lineinfiles/replaces/blockinfiles with xml modules
19:11:39 do you think you'd have any time to review RHEL7-STIG on RHEL 8 changes? https://github.com/MindPointGroup/RHEL7-STIG/pull/287
19:12:30 #topic Open Floor
19:12:40 I'll have to confirm with David but I see when we can fit that in
19:13:06 I'll have to confirm with David but I can see when we can fit that in
19:13:23 thanks
19:13:41 I think that's all I really had for today... not much progress on my hobby project lockdown-linux since last time
19:14:31 Same here, finished up writing some stuff for a non lockdown project and pushed through all of the tasks for tomcat 9
19:14:36 stig
19:16:01 thanks for your time
19:16:08 I'll close the meeting in a minute if nothing else comes up
19:17:09 Sounds good
19:18:47 #endmeeting