From b0ccdc5e7f8d774799d0fe043c3b2bd7907926a3 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Wed, 24 Jul 2019 15:12:08 -0400
Subject: [PATCH] Remove old kernels as part of common role

This was initially done as part of the grsecurity role
The removal must be done before installing holding tor, as if there are packages to be autoremoved, the tor hold talk will fail.
---
 .../ansible-base/roles/common/tasks/main.yml | 4 +--
 .../common/tasks/remove_unused_packages.yml | 35 +++++++++++++++++++
 .../roles/grsecurity/tasks/clean_packages.yml | 34 ------------------
 3 files changed, 37 insertions(+), 36 deletions(-)

diff --git a/install_files/ansible-base/roles/common/tasks/main.yml b/install_files/ansible-base/roles/common/tasks/main.yml
index d04e1972fb..04d7cd881e 100644
--- a/install_files/ansible-base/roles/common/tasks/main.yml
+++ b/install_files/ansible-base/roles/common/tasks/main.yml
@@ -15,6 +15,8 @@
   tags:
     - reboot
 
+- include: remove_unused_packages.yml
+
 - include: apt_upgrade.yml
 
 - include: sysctl.yml
@@ -22,5 +24,3 @@
 - include: disable_swap.yml
 
 - include: remove_kernel_modules.yml
-
-- include: remove_unused_packages.yml
diff --git a/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml b/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml
index c046e82bdc..e82647a46a 100644
--- a/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml
+++ b/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml
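Review bot: The relocated `- include: remove_unused_packages.yml` in the first main.yml hunk carries no hint of why it now has to precede apt_upgrade.yml and the later tor hold, so a future reordering would silently reintroduce the failure the commit message describes. A comment directly above the include would pin the constraint: `# Must run before tor is installed and held: pending autoremovals make the hold task fail.` The include list of main.yml continues outside this hunk, and the second hunk in the same file only drops the old trailing include.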
@@ -8,6 +8,41 @@
     - apt
     - hardening
 
+# After installing securedrop-grsec, remove
+# old generic kernels to avoid accidental
+# boots into a less secure environment.
+# We must used command due to the use of wildcards
+- name: Remove generic kernel packages.
+  command: apt-get remove -y {{ item }}
+  with_items:
+    - linux-signed-generic
+    - linux-signed-generic-lts-utopic
+    - linux-signed-image-generic
+    - linux-signed-image-generic-lts-utopic
+    - linux-image-generic-lts-xenial
+    - 'linux-image-.*generic'
+    - 'linux-headers-.*'
+  register: apt_removed_kernels
+  changed_when: "'The following packages will be REMOVED' in apt_removed_kernels.stdout"
+  tags:
+    - apt
+
+- name: Get list of all installed kernels.
+  shell: dpkg-query -f '${Package} ${Status}\n' -W 'linux-image*' | awk '$NF == "installed"{print $1}'
+  register: apt_installed_kernels
+  changed_when: false
+  tags:
+    - apt
+
+- name: Validate that all installed kernels are grsecurity-hardened.
+  assert:
+    that:
+      - item is search('-grsec')
+    msg: "Not all non-grsec kernels have been removed, run dpkg-query -W 'linux-image*' for more details."
+  with_items: "{{ apt_installed_kernels.stdout_lines }}"
+  tags:
+    - apt
+
 - name: Remove dependencies that are no longer required
   apt:
     autoremove: yes
diff --git a/install_files/ansible-base/roles/grsecurity/tasks/clean_packages.yml b/install_files/ansible-base/roles/grsecurity/tasks/clean_packages.yml
index 56bf83cb8c..66d464626f 100644
--- a/install_files/ansible-base/roles/grsecurity/tasks/clean_packages.yml
+++ b/install_files/ansible-base/roles/grsecurity/tasks/clean_packages.yml
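Review bot: The added tasks still open with "After installing securedrop-grsec", yet nothing in this hunk checks that a grsec kernel is actually present before `apt-get remove -y` is run against `linux-image-.*generic`; if the common role is applied before the grsecurity role on a fresh host, the removal could run while the generic kernel is the only one installed, and the assert on `-grsec` below would fail afterwards in any case. Role ordering is outside this hunk, so this needs confirming against the playbook; either a `when:` guard on a registered dpkg check for the grsec image, or rewording the comment to state the real ordering assumption, would make the dependency explicit. The comment also has a typo; `# We must use the command module due to the use of wildcards`. The "Remove dependencies" task at the end of the hunk continues outside it.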
@@ -1,38 +1,4 @@
 ---
-# After installing securedrop-grsec, remove
-# old generic kernels to avoid accidental
-# boots into a less secure environment.
-- name: Remove generic kernel packages.
-  command: apt-get remove -y {{ item }}
-  with_items:
-    - linux-signed-generic
-    - linux-signed-generic-lts-utopic
-    - linux-signed-image-generic
-    - linux-signed-image-generic-lts-utopic
-    - linux-image-generic-lts-xenial
-    - 'linux-image-.*generic'
-    - 'linux-headers-.*'
-  register: apt_removed_kernels
-  changed_when: "'The following packages will be REMOVED' in apt_removed_kernels.stdout"
-  tags:
-    - apt
-
-- name: Get list of all installed kernels.
-  shell: dpkg-query -f '${Package} ${Status}\n' -W 'linux-image*' | awk '$NF == "installed"{print $1}'
-  register: apt_installed_kernels
-  changed_when: false
-  tags:
-    - apt
-
-- name: Validate that all installed kernels are grsecurity-hardened.
-  assert:
-    that:
-      - item is search('-grsec')
-    msg: "Not all non-grsec kernels have been removed, run dpkg-query -W 'linux-image*' for more details."
-  with_items: "{{ apt_installed_kernels.stdout_lines }}"
-  tags:
-    - apt
-
 - name: Mark GRUB2 as manually installed so its not removed.
   command: apt-mark manual grub-pc
   register: grubpc_manual_mark