ansible_lockdown_working_group
LOGS
20:05:59 <cyberpear> #startmeeting Ansible Lockdown Working Group
20:05:59 <zodbot> Meeting started Thu Feb 20 20:05:59 2020 UTC.
20:05:59 <zodbot> This meeting is logged and archived in a public location.
20:05:59 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:05:59 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
20:05:59 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
20:06:14 <dfed[m]> llo!
20:06:24 <cyberpear> #topic introductions
20:06:37 <cyberpear> .hello2
20:06:38 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
20:06:47 <dfed[m]> cyberpear: I would like to introduce xgeorgex who has joined us at MPG to work on Lockdown.  He'll be here and present for meetings from this point on.
20:06:57 <cyberpear> hi xgeorgex, nice to meet you!
20:07:00 <dfed[m]> .hello 2
20:07:01 <zodbot> dfed[m]: Sorry, but you don't exist
20:07:03 <xgeorgex> hello
20:07:06 <dfed[m]> LOL
20:07:21 <cyberpear> yeah, it's https://admin.fedoraproject.org/accounts/
20:07:23 <dfed[m]> What should we catch up on first, cyberpear
20:07:42 <cyberpear> well, let's start with RHEL7-STIG on RHEL 8
20:07:58 <dfed[m]> yeah we're currently chasing down the draft for STIG on 8
20:08:16 <cyberpear> #topic RHEL7-STIG on RHEL 8 https://github.com/MindPointGroup/RHEL7-STIG/pull/287
20:08:46 <cyberpear> SSG has a draft role out
20:09:08 <cyberpear> the PR ^ makes the RHEL7-STIG run on RHEL 8, since not too much changed between them
20:09:13 <dfed[m]> If you build the compliance as code repo it has the draft in it and has the reference control names/numbers
20:09:34 <dfed[m]> oh well you're ahead of us ;) . I'll review and merge soon
20:09:58 <dfed[m]> We were going to do a rewrite of 8 where CIS/STIG were both done in the same role based on a variable and we were going to vector the controls between them
20:10:00 <cyberpear> any general thoughts on the concept of running the existing role on RHEL 8, or feedback specifically on the PR?
20:10:04 <dfed[m]> but a good start is that PR
20:10:45 <dfed[m]> none yet, let me review tonight and I can add thoughts.  Have you been able to see our release repos lately?  We have added some changes based on client stuff in the field.  I may want to port back to upstream if you review it
20:11:07 <cyberpear> known differences not addressed: `fips-mode-setup` is how to configure fips on 8, but really folks should just pass `fips=1` on the installer cmdline
20:11:17 <cyberpear> I haven't had a chance to look... been pretty busy
20:11:24 <cyberpear> I'm happy to review it, though
20:11:28 <dfed[m]> I can take an action item to create a PR and rectify with yours
20:11:41 <cyberpear> a while back, I'd started pulling your updates into individual PRs, but ran out of "hobby time"
20:12:06 <dfed[m]> yeah I know that feeling
20:12:14 <cyberpear> another 8 difference: `authselect` vs hand-editing pam files, though the latter obviously still works
20:12:16 <dfed[m]> we did some fixes to rhel 6 too, because amazingly someone bought it
20:12:22 <cyberpear> nice
20:12:42 <cyberpear> yeah EOL in November is what everyone says, but it's supported (at extra cost) until the EOL for RHEL 7.
20:12:50 <dfed[m]> yeah we're going to focus on the authselect stuff, the hand editing we changed to in 7 is a pain because PAM overwrites unless you link off another file
20:13:27 <dfed[m]> indeed. I am actually looking forward to it not being a thing anymore.
20:13:31 <cyberpear> I want to get a PR into `authselect` upstream to handle pam_env as a session module, to help with proxy configurations
20:13:56 <dfed[m]> I'd like to get a design meeting scheduled with you, if you have time, about the stig/CIS intersecting roles rather than doing separate ones.
20:13:59 <cyberpear> (right now, I have a role that just adds the session module myself)
20:14:12 <cyberpear> yeah, I think integration would be good; just has to be done cleanly
20:14:24 <dfed[m]> oh yeah that'd be awesome
20:14:25 <cyberpear> especially w/ the new "level 3" CIS
20:15:09 <dfed[m]> so let's set a couple action items: assign to me and george a review of the PRs upstream for rhel 7 stig.
20:15:40 <dfed[m]> and let's set another to schedule (via however) to talk in depth about the vectoring of controls between CIS and STIG
20:15:56 <dfed[m]> do you have a known time you can chat with us on that?
20:16:09 <cyberpear> I can be flexible.
20:16:25 <dfed[m]> ok let me go over our travel and call schedules and ping you here about a time/date
20:16:34 <cyberpear> sounds good
20:16:36 <cyberpear> https://github.com/MindPointGroup/RHEL7-STIG/pull/288/files should be a no-brainer
20:16:47 <cyberpear> same https://github.com/MindPointGroup/RHEL7-STIG/pull/292/files
20:17:03 <dfed[m]> awesome. @xg
20:17:17 <dfed[m]> err xgeorgex can you note down those for you to review this week or next?
20:17:26 <dfed[m]> I'll add you in the github group
20:17:32 <cyberpear> https://github.com/MindPointGroup/RHEL7-STIG/pull/295 I can probably update for V2R6
20:17:46 <xgeorgex> Yup
20:17:47 <dfed[m]> @cyberpear are we still ok with consolidating those into the lockdown group on github rather than have them in MPG top level?
20:18:11 <cyberpear> #topic move repos to ansible-lockdown github org
20:18:14 <dfed[m]> if so I can clear the rest of that to start moving it over with the MPG brass
20:18:20 <cyberpear> I'd be very happy with such a move
20:18:54 <cyberpear> eventually, maybe we'll do an ansible collection, as much as I don't like many things about collections in general
20:18:57 <dfed[m]> ok so I just need to clear permission to do so formally, but there wasn't really any resistance to that.  However we will need to work with ansible proper because they point to MPG ones as sub modules elsewhere
20:19:00 <cyberpear> sure
20:19:15 <dfed[m]> when we move, we can reach out to them
20:19:18 <cyberpear> right.. I'm on the ansible/lockdown repo
20:19:30 <cyberpear> so can open and/or approve a PR there
20:19:42 <dfed[m]> and TBH I am not a fan of collections fully, but I agree: we should migrate there eventually
20:19:46 <cyberpear> https://github.com/ansible/ansible-lockdown
20:20:03 <dfed[m]> do you have the galaxy control to continue it pointing correctly ?
20:20:06 * cyberpear saves collections gripes for later
20:20:11 <dfed[m]> once we move it?
20:20:16 <cyberpear> #topic update galaxy publications
20:20:20 <dfed[m]> LOL noted. ;)
20:20:33 <cyberpear> I have never had any credentials for galaxy, or if I did, I didn't know it
20:20:52 <dfed[m]> ok I will figure out who here at MPG does that (likely defionscode) and get access myself
20:21:09 <dfed[m]> I'll take that as an action item
20:21:38 <cyberpear> #action dfed[m] to acquire Galaxy credentials
20:22:23 <dfed[m]> other than that, everyone have good holidays?  been a while since we chatted.  Anything I forgot from last time?
20:22:25 <cyberpear> #action cyberpear to review 3 PRs from folks not in meeting
20:22:54 <dfed[m]> oh right, you can loop me in until I george set up on those groups/repos
20:22:57 <cyberpear> there's some outstanding PRs on the CIS repo, but I don't use that one personally, though I've tried to add comments when they come in
20:23:43 <dfed[m]> yeah we may want to check against the CIS completions that xgeorgex did on rhel 7.  I'll work with him to get a PR of those in too
20:24:01 <cyberpear> sounds good
20:24:12 <cyberpear> #topic Open Floor
20:24:36 <cyberpear> my holidays were good, not too much excitement
20:24:53 <dfed[m]> That's good! boring is good for holidays
20:24:58 <cyberpear> got to visit family, relax a little bit
20:25:13 <dfed[m]> I didn't get to travel for the holidays but I did afterward in Jan for work.
20:25:29 <dfed[m]> wait what is this relax thing?
20:25:33 <xgeorgex> lol
20:25:41 <cyberpear> :P
20:25:41 <dfed[m]> I would like to subscribe to that newsletter
20:25:48 <cyberpear> yeah, right?
20:26:14 <dfed[m]> LOL ok.  so I'm gonna run to another meeting. Thanks again cyberpear and my apologies with how rough the last couple months have been.
20:26:27 <cyberpear> I've been periodically grooming the RHEL7-STIG issues
20:26:27 <dfed[m]> with xgeorgex here now I think it will be much smoother
20:26:37 <cyberpear> okay, shall we set a #nextmeeting?
20:26:49 <cyberpear> Same time next week?
20:26:51 <dfed[m]> ooh!  that's awesome!
20:26:54 <cyberpear> or discuss out-of-band?
20:26:55 <dfed[m]> yes please, how is weds for the next one?
20:27:01 <dfed[m]> and do we want 1 or two weeks out?
20:27:02 <cyberpear> what time is good?
20:27:07 <xgeorgex> That works for me ,
20:27:12 <cyberpear> let's do 1 for now since it's been a while
20:27:24 <dfed[m]> ok next week is good, and my thurs is open, I can make this recurring on that.  thurs 3pm EST?
20:27:39 <cyberpear> does that work for you, xgeorgex
20:27:41 <cyberpear> ?
20:27:46 <xgeorgex> Yup that works for me
20:27:59 <dfed[m]> WOOT.
20:28:12 <cyberpear> #info Next meetings Weekly on Thursday at 3PM EST, 2000 UTC
20:28:19 <cyberpear> anything else today?
20:28:32 <dfed[m]> I'm good.
20:28:42 <cyberpear> thanks, all!
20:28:46 <xgeorgex> I'm good as well
20:28:50 <xgeorgex> Thanks!
20:28:54 <dfed[m]> thanks again! I'm gonna run
20:28:58 <cyberpear> #endmeeting