19:04:29 <cyberpear> #startmeeting Ansible Lockdown Working Group
19:04:29 <zodbot> Meeting started Thu Apr 16 19:04:29 2020 UTC.
19:04:29 <zodbot> This meeting is logged and archived in a public location.
19:04:29 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:04:29 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:04:29 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
19:04:37 <cyberpear> .hello2
19:04:38 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
19:04:47 <cyberpear> who's here today?
19:04:53 <cyberpear> #topic Roll Call
19:05:06 <xgeorgex> I'm here
19:05:20 <xgeorgex> I don't think David's going to make it today
19:06:45 <cyberpear> #topic non-lockdown ansible automation
19:07:09 <cyberpear> so the biggest unannounced news seems to be that DISA is now publishing ansible automation content for STIGs
19:07:21 <cyberpear> #info DISA is now publishing ansible roles
19:07:33 <xgeorgex> Yeah that's interesting
19:07:44 <cyberpear> #url https://public.cyber.mil/stigs/supplemental-automation-content/
19:08:18 <cyberpear> for ansible, there's Cisco IOS XE RTR and DNM, Docker Enterprise 2.x, RHEL7, and vSphere 6.5
19:08:50 <cyberpear> probably the coolest part of the RHEL 7 one (the one I looked at) is that it outputs results xml you can import into the STIG Viewer
19:09:19 <xgeorgex> That is pretty cool. I haven't looked at the details of it yet
19:09:29 <cyberpear> kind of like my earlier proposed https://github.com/MindPointGroup/RHEL7-STIG/issues/232 "Support DISA STIG Viewer Results Import"
19:09:40 <cyberpear> they implemented it via a custom callback plugin
19:10:26 <cyberpear> at a glance, it appears to both support check_mode and to have a variable to turn on or off each rule
19:10:28 <xgeorgex> I am intrigued to see how well these run
19:10:37 <xgeorgex> Hmm
19:10:46 <cyberpear> I don't like that they used mixed-case variable names, though
19:10:57 <xgeorgex> Oh
19:11:07 <xgeorgex> I didn't even notice that, I don't like it either
19:11:50 <cyberpear> The other one that I wanted to point out is Red Hat's supported ansible playbooks included in their scap-security-guide package. The RHEL 7 STIG version is available at /usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml from the scap-security-guide package
19:12:26 <cyberpear> we already know it's not good content, but it could be used as leverage to get certain bugs fixed that are triggered by said automation content
19:12:38 <xgeorgex> True
19:13:17 <xgeorgex> We will need to poke at that a bit to see what we can pull from it
19:14:24 <cyberpear> #topic Open Floor
19:14:58 <cyberpear> I didn't get to send any messages re an ansible-lockdown collection since last meeting.
19:15:26 <xgeorgex> I have been working through tomcat and another project so I've just had my head down running through things. I think the DISA roles are something I'll really poke at next. I have a feeling they will be oscap content and might not be that great
19:15:36 <xgeorgex> I didn't either
19:15:43 <xgeorgex> And I haven't seen anything else in either direction
19:15:48 <xgeorgex> About the collection stuff
19:16:33 <cyberpear> they look significantly better than SSG content, but are likely inspired by SSG content
19:16:48 <xgeorgex> yeah
19:17:57 <cyberpear> I've started asking web.archive.org to archive the various things I use from cyber.mil because they don't seem to keep old versions anymore, which makes it very hard to do a comparison
19:18:13 <xgeorgex> Oh yeah that's a good idea
19:18:15 <cyberpear> but it's ad-hoc and I'll likely miss things that I need but forgot to send to the archive
19:18:43 <cyberpear> I wish there were a "periodically trawl and archive all links on this page" button
19:19:18 <xgeorgex> I hear that, having to do it manually leaves it open to miss something
19:21:55 <cyberpear> I opened a couple of bugs on the PGS9-STIG repo
19:22:02 <cyberpear> "RFEs" if you will
19:22:10 <cyberpear> I'll probably get to them eventually
19:23:57 <cyberpear> apparently GitHub now has "pinned issues" -- I've just pinned a couple on the RHEL7-STIG repo
19:25:08 <cyberpear> #topic Ansible Galaxy updates
19:25:22 <cyberpear> What do we need to do to push a newer version of each of the roles to Galaxy?
19:25:23 <xgeorgex> Cool
19:25:39 <xgeorgex> I'll have to get with David (dfed) on that one
19:25:45 <cyberpear> we keep getting bug reports about long-fixed bugs, from folks using the ancient versions from galaxy
19:26:31 <cyberpear> (apparently pinned issues are limited to 3)
19:26:37 <dfed[m]> I can't fix that until I get the logins for the galaxy account.
19:26:58 <dfed[m]> which, along with ownership of the repos to move them, is something I am waiting on
19:27:54 <cyberpear> I'm only admin on the PGS9-STIG repo, which hasn't been published to Galaxy
19:28:57 <cyberpear> would it help to get a new release tagged, then we can ask someone w/ the creds to do a push for us?
19:29:39 <dfed[m]> if I can figure out who has the account, yes. There have been a few communication errors on our end on this
19:29:57 <cyberpear> likely defionscode or shepledacreme
19:30:57 <cyberpear> #topic Open Floor
19:31:01 <dfed[m]> likely, but until someone answers me, not sure. I may swing past those two and go straight to jason mckerr to get the account reassigned to me on the RHEL end if I can
19:31:19 <cyberpear> always a "back door" somewhere :P
19:31:31 <cyberpear> anything else for today?
19:31:42 <xgeorgex> I didn't have anything else
19:32:06 <cyberpear> any lurkers today?
19:32:14 <cyberpear> will close the meeting in 2 minutes if nothing comes up
19:32:23 <xgeorgex> Sounds good
19:37:58 <cyberpear> #endmeeting