20:01:34 <cyberpear> #startmeeting Ansible Lockdown Working Group
20:01:34 <zodbot> Meeting started Thu Mar 5 20:01:34 2020 UTC.
20:01:34 <zodbot> This meeting is logged and archived in a public location.
20:01:34 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:01:34 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
20:01:34 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
20:01:39 <cyberpear> #chair xgeorgex
20:01:39 <zodbot> Current chairs: cyberpear xgeorgex
20:02:01 <cyberpear> #info DISA has released Oracle Linux 7 STIG V1R1
20:02:04 <xgeorgex> Just to get a roll call, is there anyone joined besides cyberpear?
20:02:24 <cyberpear> .hello2
20:02:25 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
20:02:55 * cyberpear hears crickets
20:03:06 <xgeorgex> Lol I think it's just the two of us
20:03:28 <cyberpear> so what's new?
20:03:43 <xgeorgex> I'm still working on getting my stuff fully set up to handle the PRs
20:03:49 <xgeorgex> That should be in the next day or so
20:04:33 <xgeorgex> Also we finished up writing the tasks for the RHEL8 CIS role, which I think we went over on the last meeting
20:04:58 <xgeorgex> We worked on getting the scoring working, however there isn't a good oscap profile yet
20:05:20 <cyberpear> https://github.com/MindPointGroup/RHEL7-STIG/pull/292 and https://github.com/MindPointGroup/RHEL7-STIG/pull/288 should be good unless there are any concerns
20:05:53 <cyberpear> you mean you have complete remediations for all of CIS on RHEL 8?
20:06:25 <xgeorgex> Yeah and on our side the CIS is done, all of the tasks do what they are expected to do. However I think a big part of the testing factor is being able to give a "it starts at this score and after the role is run you get this score"
20:06:45 <xgeorgex> So I don't think there are any concerns other than our client base liking to see those scores
20:07:23 <xgeorgex> The ones that can be. Some are things like review users have proper permissions
20:07:39 <xgeorgex> And some partition stuffs that can't be done on the fly
20:07:41 <dfed[m]> hello, on my phone and need to drop soon: I will merge those two this afternoon @cyb
20:07:43 <cyberpear> yeah, those can be a pain
20:07:48 <dfed[m]> cyberpear:
20:07:56 <cyberpear> dfed[m]: thanks
20:08:57 <dfed[m]> xgeorgex: Let's review those against our downstream and make sure we incorporate them on rhel 7 stig
20:08:58 <cyberpear> would be cool if we could find someone at DISA to join us and help us stay ahead of the game
20:09:05 <xgeorgex> Ok
20:09:07 <dfed[m]> working on that
20:09:10 <dfed[m]> ;)
20:10:06 <cyberpear> There was this https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org/thread/SDPLU7F6MKSWKWQBZTDL7Z4E5BL5OTZH/
20:10:14 <cyberpear> tl;dr: our role is the best one
20:10:56 <xgeorgex> Nice
20:11:01 <cyberpear> what else is up for discussion?
20:11:02 <dfed[m]> where's my surprised face? ;)
20:11:57 <dfed[m]> I gotta run. ping me if you need me
20:12:01 <cyberpear> I know we were going to move some roles over to the ansible-lockdown role?
20:12:08 <cyberpear> *Github org
20:12:23 <dfed[m]> still trying to get the stakeholders at MPG in a room to talk to them about that.
20:12:28 <cyberpear> but that's just a "nice to have" eventually
20:14:00 <xgeorgex> So we covered everything I had for this week's meeting. Cyberpear, is there anything you wanted to cover
20:14:07 <xgeorgex> Other than the PR stuff?
20:14:38 <cyberpear> I think I'm all set for today.
20:15:19 <cyberpear> #info Several RHEL7-STIG PRs have been merged
20:15:41 <cyberpear> I'll close the meeting in 1 minute if there's nothing else
20:16:04 <cyberpear> actually, one thing
20:16:04 <xgeorgex> I think I'm good right now. I'll be hanging around in here until the end of the day. If anything else comes up let me know
20:16:10 <xgeorgex> sup
20:16:13 <cyberpear> python passlib is not available on RHEL 8
20:16:35 <cyberpear> we're currently using that for generating GRUB password hashes
20:16:46 <cyberpear> so we need a different/better way to do that
20:17:07 <cyberpear> (my guess is that they didn't want to get that library FIPS certified, hence dropping it)
20:17:08 <dfed[m]> we've talked about this on our side too. agreed. (still not here)
20:17:30 <cyberpear> #info need a replacement for python passlib for grub2 password hashes
20:18:39 <cyberpear> maybe just extract that bit from passlib and add it directly to ansible in a new grub2 option to the existing password hash filter
20:18:46 <cyberpear> assuming it's straightforward
20:19:20 <cyberpear> (since we carry our own password hash filter/plugin, ansible dropped the dep w/o noticing any breakage since we never added our filter back to ansible proper)
20:19:32 <cyberpear> anyway, that's food for thought
20:19:56 <cyberpear> I'll let you have the rest of your time back.
20:20:03 <xgeorgex> Yeah it's something we will need to figure out as well
20:20:23 <xgeorgex> Sounds good, like I said earlier if you think of anything else let me know
20:20:30 <cyberpear> thanks, xgeorgex
20:20:37 <cyberpear> #endmeeting