19:00:16 <cyberpear> #startmeeting Ansible Lockdown Working Group
19:00:16 <zodbot> Meeting started Thu May 28 19:00:16 2020 UTC.
19:00:16 <zodbot> This meeting is logged and archived in a public location.
19:00:16 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:16 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:16 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
19:00:34 <cyberpear> #topic Roll Call
19:00:40 <cyberpear> .hello2
19:00:42 <xgeorgex> hello
19:00:42 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
19:00:45 <cyberpear> who else is here today?
19:01:35 <cyberpear> hi xgeorgex, I guess it's just us today
19:01:43 <xgeorgex> yup
19:01:46 <cyberpear> #topic RHEL 8 Draft STIG
19:01:56 <cyberpear> #info yesterday, DISA released a Draft STIG for RHEL 8
19:02:24 <cyberpear> my estimate back in Nov had been "probably not before April"
19:02:47 <xgeorgex> Lol
19:02:59 <cyberpear> I live-blogged a review of it yesterday: https://meetbot.fedoraproject.org/ansible-lockdown/2020-05-27/ansible_lockdown_working_group.2020-05-27-22.13.html
19:03:08 <cyberpear> only covered the CAT 1 items, and part of CAT 2
19:03:10 <xgeorgex> sweet
19:03:29 <xgeorgex> Did you find any issues with it?
19:03:33 <cyberpear> with action items for DISA, if I get around to sending that feedback
19:03:37 <xgeorgex> Like duplicate controls and stuff?
19:03:53 <xgeorgex> The tomcat one has a lot of duplicate controls, like even the control name was the same
19:03:54 <cyberpear> yeah, some of that, and some "2 controls in one rule" stuff
19:04:19 <cyberpear> some regressions relative to RHEL 7, such as again requiring "esc" to be installed for Smart Cards even though it's not needed
19:04:40 <cyberpear> absence of NOPASSWD is mandatory, no exception for MFA
19:05:19 <cyberpear> biggest CAT 1 change is that disk encryption is required, with an out of "unless a documented reason not to"
19:06:10 <xgeorgex> I did the RHEL 8 CIS and it seemed OK and I was able to use a majority of it from RHEL 7
19:06:24 <cyberpear> overall, pretty similar to RHEL 7
19:06:30 <cyberpear> makes sense
19:06:39 <cyberpear> it's the same standard, just with a few tweaks for a newer OS
19:07:04 <xgeorgex> Nice. I have the role kind of in place to start writing
19:07:13 <cyberpear> (Did you know some customers pay to have RHEL 7.2 still supported today?)
19:07:22 <cyberpear> which one, RHEL8-STIG?
19:07:41 <xgeorgex> Yeah RHEL8-STIG
19:07:56 <cyberpear> you using benchparse to make the template?
19:08:02 <xgeorgex> I have my role from RHEL7 in a staging state to bring similar tasks over first
19:08:05 <xgeorgex> Then work on new ones
19:08:26 <xgeorgex> Yeah we have a parsing tool, I think it's bench parse
19:08:37 <xgeorgex> I only used it once since it had to be updated to support python3
19:08:53 <cyberpear> I thought I sent patches for python3 support...
19:09:16 <xgeorgex> It works now.....so maybe
19:09:21 <xgeorgex> I used it for the tomcat STIG
19:09:30 <cyberpear> https://github.com/shepdelacreme/benchparse/pull/3
19:09:32 <xgeorgex> That was the first one I used it to build the template
19:10:20 <cyberpear> #topic Open Floor
19:10:40 <cyberpear> #undo
19:10:40 <zodbot> Removing item from minutes: <MeetBot.items.Topic object at 0x7f47775508d0>
19:11:04 <cyberpear> #info cyberpear started a review of RHEL8-STIG
19:11:15 <cyberpear> #url https://meetbot.fedoraproject.org/ansible-lockdown/2020-05-27/ansible_lockdown_working_group.2020-05-27-22.13.html
19:11:21 <cyberpear> #topic Open Floor
19:11:43 <cyberpear> anything else for today?
19:11:49 <cyberpear> did you sort out the Tomcat FIPS?
19:12:04 <xgeorgex> I think that's it, I have tomcat 9 in a .9 release
19:12:12 <xgeorgex> It's over to David to do the release process
19:12:26 <cyberpear> nince
19:12:41 <cyberpear> (no pun intended-typo) :P
19:12:43 <xgeorgex> I'm finishing up some work with a client on generic tower stuff, then starting on the Apache CIS
19:12:52 <xgeorgex> Lol
19:13:34 <cyberpear> I was happy to see the 8 draft had semi-sane MFA checks
19:13:53 <cyberpear> (at least so far as I've yet read...)
19:14:03 <xgeorgex> I need to snag it and start looking it over
19:14:16 <xgeorgex> I have a feeling that will be close up in the pipeline
19:14:24 <xgeorgex> I don't foresee the apache CIS taking very long
19:18:03 <cyberpear> have you had a good experience e-mailing the DISA STIG folks?
19:18:13 <xgeorgex> I have never tried it
19:19:08 <cyberpear> I've heard that they're very helpful, but I've not done it myself either... might have to bite the bullet w/ the RHEL 8 Draft STIG to make sure we don't have a broken standard/requirement...
19:19:45 <xgeorgex> Yeah I was documenting the CIS stuff I was running into, but I never did anything with it
19:20:12 <xgeorgex> The tomcat one is one I might ping them about. It's a release and one of the controls has 13 duplicates
19:20:28 <cyberpear> yeah, probably good to get them in the draft stage
19:21:53 <cyberpear> I don't think I have anything else for today.
19:22:13 <xgeorgex> I don't have anything else either
19:22:39 <cyberpear> sounds good. will close in a minute or so if nothing else comes up
19:22:52 <xgeorgex> Sounds good
19:23:25 <cyberpear> oh, I'd still like to get a review on https://github.com/MindPointGroup/RHEL7-STIG/pull/287
19:26:08 <xgeorgex> Yeah we can try and work that soon
19:27:36 <cyberpear> It's pretty straightforward. I've got folks using it in production and haven't heard any issues there, either.
19:27:38 <cyberpear> thanks.
19:30:30 <cyberpear> #endmeeting