Ansible Lockdown Meeting Agenda

[juliedavila]

Request Agenda Meetings Here

[juliedavila]

actually @gundalow is it acceptable for folks to open up individual issues for desired agenda topics? It seems most meetings have a single open issue with all agenda items for every meeting...

[gundalow]

Single issue with people adding topics to this, see #375

[juliedavila]

Nov 1. After odyssey4me joins the IRC meeting we will discuss the remaining topics around the merger efforts.

Lockown Topics

Generic

• policy for new STIGs
• Ansible version policy (only promise latest stable support?)
• how to best address manual/not-remediated tasks?
• Any requests to be considered active member?

Style Guidelines

pulled from ansible-lockdown/RHEL7-STIG#81

• move from 'yes/no' to real boolean values?
• line length limit (or none)
• remove severity tags from tasks in favor of having them at the include level
• name blocks
• no more registered_var | failed move to foo is failed
• remove audit playbooks
• remove audit and patch tags
• must pass DISA check content?

Galaxy

• ansible galaxy: should we make tagging/pushing to galaxy a part of the build process?
• ansible galaxy: should we make pulp builds during the build process to help air-gapped users?

Development

• devexp: would it be useful to have a docker/oscap based runner to tinker against a single rule at a time?
• Should we reintegrate oscap eval as part of the CI process to pass/fail testing based on results?

Merger

• How do we get roles in lockdown on boarded to the OpenStack/Zuul testing environment?
• What permissions/blessings do we need to add Rackspace cobranding to lockdown stuff?
• Any word on @mnaser being ok with having Ubuntu hardening be delegated to an Ubuntu STIG role?
• Status on sphinx books research?
• Open topic for merger-specific things

[juliedavila]

Minutes from Nov1 meeting: https://meetbot.fedoraproject.org/ansible-lockdown/2018-11-01/lockdown_working_group.2018-11-01-16.01.html

[shepdelacreme]

Topics for the agenda today (Nov 15).

Documentation

• Remove or keep/update "domains" that ansible-hardening has their tasks split into.
  • Decided to remove
• Remove the "contrib" stuff from docs. Ansible Hardening has non-STIG items in the role like disabling IPv6. We most likely won't support that in the role so remove this entire section from docs.
  • keep but split into "extras" area.
• Use V-##### or RHEL-07-##### as the primary identifier in the DOCS? Ansible Hardening used V- and we use RHEL-
  • Use RHEL- as primary id but include both in docs

[jamescassell]

[11:44] <@zodbot> Meeting ended Thu Feb 21 16:44:18 2019 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot .
[11:44] <@zodbot> Minutes: https://meetbot.fedoraproject.org/ansible-lockdown/2019-02-21/ansible_lockdown_working_group.2019-02-21-16.11.html
[11:44] <@zodbot> Minutes (text): https://meetbot.fedoraproject.org/ansible-lockdown/2019-02-21/ansible_lockdown_working_group.2019-02-21-16.11.txt
[11:44] <@zodbot> Log: https://meetbot.fedoraproject.org/ansible-lockdown/2019-02-21/ansible_lockdown_working_group.2019-02-21-16.11.log.html

[jamescassell]

Discussed some ideas about mapping roles to various US Gov control frameworks.

12:29 <•zodbot> Meeting ended Thu Jul 11 16:29:47 2019 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot .
12:29 Minutes: https://meetbot.fedoraproject.org/ansible-lockdown/2019-07-11/ansible_lockdown_working_group.2019-07-11-16.06.html
12:29 Minutes (text): https://meetbot.fedoraproject.org/ansible-lockdown/2019-07-11/ansible_lockdown_working_group.2019-07-11-16.06.txt
12:29 Log: https://meetbot.fedoraproject.org/ansible-lockdown/2019-07-11/ansible_lockdown_working_group.2019-07-11-16.06.log.html

[jamescassell]

• python-passlib is no longer installed by default with ansible-2.9, and not available at all on RHEL 8. remove passlib dep (can't run from RHEL 8 controller host) ansible-lockdown/RHEL7-STIG#286 (related: Prelim task - Install python-passlib for hash creation fails on RHEL ansible-lockdown/RHEL7-STIG#237 )
• RHEL 8 enable role for RHEL 8 ansible-lockdown/RHEL7-STIG#287
• misc fixes Misc fixes ansible-lockdown/RHEL7-STIG#288

[jamescassell]

Meeting ended Thu Mar 5 20:20:37 2020 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot .
15:20 Minutes: https://meetbot.fedoraproject.org/ansible-lockdown/2020-03-05/ansible_lockdown_working_group.2020-03-05-20.01.html
15:20 Minutes (text): https://meetbot.fedoraproject.org/ansible-lockdown/2020-03-05/ansible_lockdown_working_group.2020-03-05-20.01.txt
15:20 Log: https://meetbot.fedoraproject.org/ansible-lockdown/2020-03-05/ansible_lockdown_working_group.2020-03-05-20.01.log.html

[jamescassell]

Minutes: https://meetbot.fedoraproject.org/ansible-lockdown/2020-04-09/ansible_lockdown_working_group.2020-04-09-19.34.html
16:01 Minutes (text): https://meetbot.fedoraproject.org/ansible-lockdown/2020-04-09/ansible_lockdown_working_group.2020-04-09-19.34.txt
16:01 Log: https://meetbot.fedoraproject.org/ansible-lockdown/2020-04-09/ansible_lockdown_working_group.2020-04-09-19.34.log.html

[jamescassell]

Minutes: https://meetbot.fedoraproject.org/ansible-lockdown/2020-04-16/ansible_lockdown_working_group.2020-04-16-19.04.html
15:37 Minutes (text): https://meetbot.fedoraproject.org/ansible-lockdown/2020-04-16/ansible_lockdown_working_group.2020-04-16-19.04.txt
15:37 Log: https://meetbot.fedoraproject.org/ansible-lockdown/2020-04-16/ansible_lockdown_working_group.2020-04-16-19.04.log.html

[Andersson007]

closed as no activity, thanks everyone!