19:10:16 <cyberpear> #startmeeting Ansible Lockdown Working Group
19:10:16 <zodbot> Meeting started Thu Jun  4 19:10:16 2020 UTC.
19:10:16 <zodbot> This meeting is logged and archived in a public location.
19:10:16 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:10:16 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:10:16 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
19:10:21 <cyberpear> #topic Roll Call
19:10:27 <cyberpear> .hello2
19:10:28 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
19:10:30 <cyberpear> hello xgeorgex how are you?
19:10:34 <xgeorgex> Good how are you
19:10:37 <cyberpear> not bad
19:10:50 <cyberpear> anyone else here today?
19:11:41 <cyberpear> #topic PR for RHEL 8
19:12:38 <cyberpear> xgeorgex: any chance you could "approve" this after we discuss any other outstanding items?
19:12:40 <cyberpear> #url https://github.com/MindPointGroup/RHEL7-STIG/pull/287
19:13:21 <xgeorgex> I can see if I can, I'm not 100% sure what I can/can't do on the MPG GitHub page
19:13:35 <xgeorgex> If I run into anything I'll let you know and where I went with it
19:13:42 <xgeorgex> I'll probably just ping David about it
19:14:13 <cyberpear> I think you can just go here https://github.com/MindPointGroup/RHEL7-STIG/pull/287/files
19:14:44 <cyberpear> and click "review changes" then "approve" then "submit review"
19:15:05 <xgeorgex> I think so too
19:15:30 <cyberpear> thanks
19:15:39 <cyberpear> #topic Open Floor
19:15:46 <cyberpear> anything else to discuss today?
19:15:51 <xgeorgex> I don't think so
19:16:05 <xgeorgex> I'm about a quarter of the way through the Apache CIS RHEL role
19:16:07 <cyberpear> I haven't finished reviewing the RHEL 8 STIG, probably will try to do that soon, then send DISA some feedback
19:16:11 <cyberpear> nice
19:16:19 <xgeorgex> I have been working on that in between finishing up something for a client
19:16:35 <xgeorgex> nice
19:16:48 <xgeorgex> I've just wanted that client stuff out of my face so I have been head down on that lately
19:17:04 <cyberpear> makes sense... sometimes easier to focus on one thing at a time
19:17:12 <cyberpear> then you can see actual progress rather than small increments
19:17:16 <xgeorgex> yup
19:17:33 <xgeorgex> I thought I was done with it but they wanted to see some special group stuff in tower
19:17:48 <cyberpear> scope creep!
19:17:56 <cyberpear> pays the bills sometimes
19:18:08 <xgeorgex> So I get to deal with tasks moving hosts on smart inventory around to various groups through the tower api, dealing with the api stuff in ansible for the first
19:18:09 <xgeorgex> time
19:18:16 <xgeorgex> So it's been a bit slower than I was hoping
19:19:19 <xgeorgex> Anything new on your side?
19:19:43 <cyberpear> I think that's all on-topic from me for today.
19:20:01 <xgeorgex> Same here, it's been a looooong week
19:20:01 <cyberpear> RHEL 8 in fips mode fails with curl/GSSAPI auth
19:20:04 <xgeorgex> On my side
19:20:10 <xgeorgex> Hmmm
19:20:22 <xgeorgex> I still need to figure out the FIPS mode stuff in tomcat
19:20:27 <cyberpear> been going back/forth w/ RH for over a month, and now they're finally going to open a BZ
19:21:09 <cyberpear> and I'm having a fun time figuring out which things were broken in 8.1 and fixed in 8.2 versus botched by openscap/scap-security-guide in 8.1
19:21:28 <xgeorgex> I hate oscap
19:21:45 <cyberpear> yeah, it's okay for scanning. never use it for remediation
19:22:12 <cyberpear> the DISA scc tool is better for scanning with much more detailed "why it failed" output, but is much slower
19:22:27 <cyberpear> and the scc tool is not publicly downloadable
19:22:36 <xgeorgex> Yeah I feel on our side people put soooo much faith in their score that it makes people not see things right. Like you can get false positives like crazy and it looks like something is a problem that isn't
19:22:42 <xgeorgex> Since all they look at is the score
19:22:46 <cyberpear> so openscap is the solution many times
19:23:11 <cyberpear> yeah, that's why the RHEL7-STIG has the workaround_for_disa setting
19:23:20 <cyberpear> and workaround_for_ssg
19:23:23 <xgeorgex> Also I think in the same week I found there wasn't a profile for something we were building out and they changed the name of STIG profile
19:23:37 <cyberpear> yeah, they do that from time-to-time
19:24:14 <cyberpear> my sequence is usually `oscap info` then `oscap scan...<copy/paste from info>`
19:24:24 <cyberpear> though it's been so many months that I've forgotten the whole command
19:24:30 <xgeorgex> hahaha
19:25:04 <xgeorgex> I haven't done anything manually with it in a while as well, the last few things I have been working on don't have a profile yet
19:25:13 <xgeorgex> So I haven't even added it to my normal role stuff yet
19:25:18 <xgeorgex> In a while either
19:26:03 <cyberpear> that's one beauty of automation... you don't have to remember the CLI flags to get it done
19:26:10 <xgeorgex> Lol nope
19:26:13 <cyberpear> though by the time you've automated it, you've got them memorized anyway
19:26:25 <cyberpear> until months pass and you forget :P
19:26:54 <cyberpear> I'll close us out in a minute if nothing else.
19:27:16 <xgeorgex> Have you messed with the apache httpd.conf file with ansible?
19:27:31 <xgeorgex> I originally wrote the STIG using lineinfile/replace/blockinfile
19:27:46 <xgeorgex> I was hoping there was a better way, kind of like the xml module
19:28:03 <xgeorgex> That config file somewhat uses ini formatting mixed with somewhat xml formatting
19:30:09 <xgeorgex> For example I need to add the Require all denied value for all of the <Directory> sections. The XML module is great for dealing with that and values for those sections are xml formatted, but the file itself isn't so the XML module won't work there
19:30:12 <cyberpear> haven't messed w/ apache/ansible in a STIG context much
19:30:59 <xgeorgex> Before I started down the path of crazy lineinfile/replace things I was hopin
19:31:10 <xgeorgex> Hoping you had a module you've used before
19:31:18 <cyberpear> I know there's some filters out there...
19:31:22 <cyberpear> https://docs.ansible.com/ansible/latest/modules/apache2_module_module.html
19:32:11 <xgeorgex> Yeah that apache2 module was good with getting Ubuntu modules setup
19:35:42 <cyberpear> could have sworn I bookmarked it
19:40:38 <cyberpear> sorry, I can't seem to find it... there was a filter plugin that would allow you to parse the httpd.conf into a data structure and back
19:40:44 <cyberpear> anything else today?
19:41:56 <xgeorgex> Nothing on my side
19:42:02 <cyberpear> #endmeeting