19:10:16 #startmeeting Ansible Lockdown Working Group
19:10:16 Meeting started Thu Jun 4 19:10:16 2020 UTC.
19:10:16 This meeting is logged and archived in a public location.
19:10:16 The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:10:16 Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:10:16 The meeting name has been set to 'ansible_lockdown_working_group'
19:10:21 #topic Roll Call
19:10:27 .hello2
19:10:28 cyberpear: cyberpear 'James Cassell'
19:10:30 hello xgeorgex how are you?
19:10:34 Good how are you
19:10:37 not bad
19:10:50 anyone else here today?
19:11:41 #topic PR for RHEL 8
19:12:38 xgeorgex: any chance you could "approve" this after we discuss any other outstanding items?
19:12:40 #url https://github.com/MindPointGroup/RHEL7-STIG/pull/287
19:13:21 I can see if I can, I'm not 100% sure what I can/can't do on the MPG GitHub page
19:13:35 If I run into anything I'll let you know and where I went with it
19:13:42 I'll probably just ping David about it
19:14:13 I think you can just go here https://github.com/MindPointGroup/RHEL7-STIG/pull/287/files
19:14:44 and click "review changes" then "approve" then "submit review"
19:15:05 I think so too
19:15:30 thanks
19:15:39 #topic Open Floor
19:15:46 anything else to discuss today?
19:15:51 I don't think so
19:16:05 I'm about a quarter of the way through the Apache CIS RHEL role
19:16:07 I haven't finished reviewing the RHEL 8 STIG, probably will try to do that soon, then send DISA some feedback
19:16:11 nice
19:16:19 I have been working on that in between finishing up something for a client
19:16:35 nice
19:16:48 I've just wanted that client stuff out of my face so I have been head down on that lately
19:17:04 makes sense... sometimes easier to focus on one thing at a time
19:17:12 then you can see actual progress rather than small increments
19:17:16 yup
19:17:33 I thought I was done with it but they wanted to see some special group stuff in tower
19:17:48 scope creep!
19:17:56 pays the bills sometimes
19:18:08 So I get to deal with tasks moving hosts on smart inventory around to various groups through the tower api, dealing with the api stuff in ansible for the first
19:18:09 time
19:18:16 So it's been a bit slower than I was hoping
19:19:19 Anything new on your side?
19:19:43 I think that's all on-topic from me for today.
19:20:01 Same here, it's been a looooong week
19:20:01 RHEL 8 in fips mode fails with curl/GSSAPI auth
19:20:04 On my side
19:20:10 Hmmm
19:20:22 I still need to figure out the FIPS mode stuff in tomcat
19:20:27 been going back/forth w/ RH for over a month, and now they're finally going to open a BZ
19:21:09 and I'm having a fun time figuring out which things were broken in 8.1 and fixed in 8.2 versus botched by openscap/scap-security-guide in 8.1
19:21:28 I hate oscap
19:21:45 yeah, it's okay for scanning. never use it for remediation
19:22:12 the DISA scc tool is better for scanning with much more detailed "why it failed" output, but is much slower
19:22:27 and the scc tool is not publicly downloadable
19:22:36 Yeah I feel on our side people put soooo much faith in their score that it makes people not see things right. Like you can get false positives like crazy and it looks like something is a problem that isn't
19:22:42 Since all they look at is the score
19:22:46 so openscap is the solution many times
19:23:11 yeah, that's why the RHEL7-STIG has the workaround_for_disa setting
19:23:20 and workaround_for_ssg
19:23:23 Also I think in the same week I found there wasn't a profile for something we were building out and they changed the name of the STIG profile
19:23:37 yeah, they do that from time-to-time
19:24:14 my sequence is usually `oscap info` then `oscap scan...`
19:24:24 though it's been so many months that I've forgotten the whole command
19:24:30 hahaha
19:25:04 I haven't done anything manually with it in a while as well, the last few things I have been working on don't have a profile yet
19:25:13 So I haven't even added it to my normal role stuff yet
19:25:18 In a while either
19:26:03 that's one beauty of automation... you don't have to remember the CLI flags to get it done
19:26:10 Lol nope
19:26:13 though by the time you've automated it, you've got them memorized anyway
19:26:25 until months pass and you forget :P
19:26:54 I'll close us out in a minute if nothing else.
19:27:16 Have you messed with the apache httpd.conf file with ansible?
19:27:31 I originally wrote the STIG using lineinfile/replace/blockinfile
19:27:46 I was hoping there was a better way, kind of like the xml module
19:28:03 That config file somewhat uses ini formatting mixed with somewhat xml formatting
19:30:09 For example I need to add the Require all denied value for all of the sections. The XML module is great for dealing with that and values for those sections are xml formatted, but the file itself isn't so the XML module won't work there
19:30:12 haven't messed w/ apache/ansible in a STIG context much
19:30:59 Before I started down the path of crazy lineinfile/replace things I was hoping
19:31:10 Hoping you had a module you've used before
19:31:18 I know there's some filters out there...
19:31:22 https://docs.ansible.com/ansible/latest/modules/apache2_module_module.html
19:32:11 Yeah that apache2 module was good with getting Ubuntu modules setup
19:35:42 could have sworn I bookmarked it
19:40:38 sorry, I can't seem to find it... there was a filter plugin that would allow you to parse the httpd.conf into a data structure and back
19:40:44 anything else today?
19:41:56 Nothing on my side
19:42:02 #endmeeting