ansible_lockdown_working_group
LOGS
16:03:42 <shepdelacreme> #startmeeting Ansible Lockdown Working Group
16:03:42 <zodbot> Meeting started Thu May 30 16:03:42 2019 UTC.
16:03:42 <zodbot> This meeting is logged and archived in a public location.
16:03:42 <zodbot> The chair is shepdelacreme. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:03:42 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:03:42 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
16:03:54 <shepdelacreme> Too bad we are having it anyway :)
16:04:15 <shepdelacreme> #chair cyberpear
16:04:15 <zodbot> Current chairs: cyberpear shepdelacreme
16:04:42 <cyberpear> #topic hardening/lockdown integration -- multiple distros, multiple roles?
16:05:30 * cyberpear high latency today
16:05:30 <shepdelacreme> Ok hardening/lockdown integration
16:05:54 <shepdelacreme> I think there are a few outstanding items for that work to get finished up
16:06:33 <cyberpear> Would it make sense to move RHEL7-STIG into a generic Linux-OS-SRG role that implements all STIGs?
16:06:57 <shepdelacreme> That is a potential option I suppose
16:08:28 <shepdelacreme> hardening supported the following: CentOS 7, RedHat 7, Fedora 27, SUSE 11/12 partially, Ubuntu 16
16:08:38 <cyberpear> - name: SRG-OS-XXXX {{ lookup('vars', 'srg_os' + os_name)['SRG-OS-XXXX'] }} rule description
16:09:39 <shepdelacreme> How difficult would it be to map back to STIG ids though
16:10:18 <cyberpear> I'll try to write up an example task
16:10:26 <shepdelacreme> One of the nice things is you can see specific STIG ids being applied and that maps directly to how you are going to be audited
16:10:42 <shepdelacreme> i.e. you failed STIG-ID-xxxxxx and you can go forth and get it applied
16:11:03 <cyberpear> `{{ lookup('vars', 'srg_os' + os_name)['SRG-OS-XXXX'] }}` maps to RHEL-07-XXXX
16:11:24 <cyberpear> and the 'when' would be similar so rhel_07_xxxx still works
16:12:07 <shepdelacreme> ok
16:12:31 <shepdelacreme> This probably warrants a proposal issue on the RHEL7-STIG repo?
16:12:48 <shepdelacreme> Then various parties can review and comment
16:13:30 <cyberpear> I'll make an example 1-task example, then shop it around
16:13:52 <cyberpear> I've nothing further today
16:13:58 <shepdelacreme> What happens if there isn't a STIG id to map to? i.e. Ubuntu 16 STIG doesn't exist...would it just generically use the RHEL stig ids but apply them in an Ubuntu acceptable way?
16:14:24 <cyberpear> it does now. V1R2 is out recently
16:14:34 <cyberpear> but in that case, it'd just be a null mapping
16:14:49 <shepdelacreme> ah ok cool
16:15:51 <shepdelacreme> ok well I'm interested to see what this would look like in practice
16:15:57 <shepdelacreme> thanks cyberpear
16:16:13 <shepdelacreme> I don't have anything else and there aren't any outstanding housekeeping items
16:17:33 <cyberpear> sounds good... any peanut gallery comments?
16:18:37 * cyberpear will close meeting in 60 sec
16:19:51 <cyberpear> #endmeeting