16:00:04 <shepdelacreme> #startmeeting Ansible Lockdown WG
16:00:04 <zodbot> Meeting started Thu Apr 4 16:00:04 2019 UTC.
16:00:04 <zodbot> This meeting is logged and archived in a public location.
16:00:04 <zodbot> The chair is shepdelacreme. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:04 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:04 <zodbot> The meeting name has been set to 'ansible_lockdown_wg'
16:00:11 <shepdelacreme> #chair cyberpear
16:00:11 <zodbot> Current chairs: cyberpear shepdelacreme
16:01:16 <cyberpear> for once, no open PRs
16:01:30 <shepdelacreme> I don't think there is much to discuss today. No open PRs on the RHEL7-STIG repo
16:01:32 <shepdelacreme> haha
16:01:50 <shepdelacreme> RHEL7-CIS has some open but they are awaiting some updates
16:01:51 <cyberpear> but only because I didn't take a minute to implement #233
16:03:05 <shepdelacreme> I'm still struggling with how to get the CIS benchmarks up to par with the STIG one
16:03:28 <dericcrago> what do you mean by that?
16:03:43 <shepdelacreme> docs, tests, etc
16:03:58 <cyberpear> I like the idea behind what SSG is doing to auto-generate ansible roles from a common set of knowledge
16:04:04 <shepdelacreme> I think functionally it is pretty good...needs some updates but it generally works
16:04:05 <cyberpear> but they are not ansible experts
16:04:39 <shepdelacreme> yeah the SSG roles are ok...they aren't great as far as being configurable though
16:05:26 <cyberpear> I haven't been brave enough to actually run them, based on bad experiences w/ their bash remediations
16:05:40 <shepdelacreme> In order to get the CIS benchmark docs built like the STIG role docs I would either need to parse PDFs of the CIS benchmarks or figure out a way to pull the CIS xccdfs
16:06:17 <cyberpear> I think you were saying those are also not freely available?
16:06:20 <shepdelacreme> also testing/verification is difficult because we don't have access to the xccdf stuff
16:07:02 <shepdelacreme> yeah you have to pay for all the xccdf content and then you still don't have a license to redistribute them so putting them in a public repo is a non-starter
16:07:32 <shepdelacreme> I'm sure as heck not interested in figuring out how to parse PDFs for that content though lol
16:08:24 <shepdelacreme> oh and the base license cost for the CIS stuff would be $10k
16:10:28 <cyberpear> would be nice if they had something free or reduced for OSS projects
16:12:37 <shepdelacreme> yeah
16:13:50 <shepdelacreme> alright well if no one has anything else this week we can end early?
16:14:22 <cyberpear> that's all I've got for now. I'll send a PR later today.
16:14:27 <cyberpear> thanks for your time!
16:14:37 <shepdelacreme> thanks!
16:14:41 <shepdelacreme> #endmeeting