Remove ufw from new and existing installs #7315

Merged
merged 1 commit into from
Nov 7, 2024
Expand Up @@ -23,9 +23,11 @@
custom kernel that is not signed. Please disable SecureBoot on the
target servers and try again.

- name: Remove cloud-init
- name: Remove cloud-init and ufw
apt:
name: cloud-init
name:
- cloud-init
- ufw
state: absent
purge: yes
tags:
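Review bot: The task now purges ufw without saying why, and the reason is not recoverable from this file alone, so I would put a comment above it: `# ufw is purged so that iptables-persistent is the only firewall manager on the host; an operator running "ufw enable" would otherwise replace the SecureDrop ruleset.` Purging also runs ufw's maintainer scripts, which as far as I recall disable ufw and flush the chains it owns, so this task should be ordered before the iptables-persistent rules are written and loaded rather than after them. That ordering, and the rest of the task list, lies outside this hunk.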
24 changes: 24 additions & 0 deletions molecule/testinfra/common/test_system_hardening.py
@@ -1,4 +1,5 @@
import re
import time

import pytest
import testutils
Expand Down Expand Up @@ -173,6 +174,29 @@ def test_iptables_packages(host):
firewall config across reboots.
"""
assert host.package("iptables-persistent").is_installed
assert not host.package("ufw").is_installed


def test_package_removal(host):
"""Test the securedrop-remove-packages service"""
if host.system_info.codename != "focal":
# ufw is uninstallable in noble because of the conflict
# with iptables-persistent
pytest.skip("only applicable/testable on focal")

with host.sudo():
if not host.package("ufw").is_installed:
cmd = host.run("apt-get install ufw --yes")
assert cmd.rc == 0
assert host.file("/usr/sbin/ufw").exists
# Trigger the service manually
cmd = host.run("systemctl start securedrop-remove-packages")
assert cmd.rc == 0
# Wait for the unit to run
while host.service("securedrop-remove-packages").is_running:
time.sleep(1)

assert not host.package("ufw").is_installed


def test_snapd_absent(host):
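Review bot: The polling loop at the end of `test_package_removal` has no upper bound, so if the oneshot stalls (for example apt-get waiting on or failing over the dpkg lock in a way that leaves the unit activating) the whole suite hangs instead of failing; bound the wait with a deadline as below. `systemctl start` on a oneshot unit already blocks until ExecStart exits unless `--no-block` is passed, so the loop is probably only a safety net, which is another reason it should be cheap to fail. The test also proves that ufw is gone but not that purging it left the iptables-persistent ruleset intact, which is the property that matters for the firewall; if ufw's maintainer scripts flush its chains on removal, nothing here would catch a regression, so an assertion on the loaded rules after the purge (reusing whatever check this module already has for the iptables ruleset) would be worth adding.
```python
    with host.sudo():
        # … unchanged: reinstall ufw if absent, trigger the service …
        # Wait for the unit to run, but never hang the suite if apt stalls
        deadline = time.monotonic() + 120
        while host.service("securedrop-remove-packages").is_running:
            assert time.monotonic() < deadline, "securedrop-remove-packages did not finish"
            time.sleep(1)
```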
@@ -0,0 +1,9 @@
[Unit]
Description=Remove ufw if installed
ConditionPathExists=/usr/sbin/ufw

[Service]
Type=oneshot
Environment="DEBIAN_FRONTEND=noninteractive"
ExecStart=/usr/bin/apt-get purge --yes ufw
User=root
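Review bot: `ExecStart=/usr/bin/apt-get purge --yes ufw` exits non-zero immediately whenever another apt or dpkg process holds the lock (unattended-upgrades is the usual culprit on these hosts), and a oneshot has no retry, so each collision shows up as a failed unit in the journal; `ExecStart=/usr/bin/apt-get -o DPkg::Lock::Timeout=120 purge --yes ufw` makes apt wait for the lock instead, the daily timer covering the rare remaining failure. Purging ufw runs its maintainer scripts, which to my knowledge disable ufw and flush the chains it owns, and nothing in this unit reloads the iptables-persistent rules afterwards, so it is worth confirming on a focal host that the SecureDrop ruleset survives a purge. A header comment would also help the next maintainer: `# ufw conflicts with the iptables-persistent ruleset SecureDrop manages; purge it if it ever comes back (e.g. reinstalled by an operator).`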
@@ -0,0 +1,10 @@
[Unit]
Description=Remove ufw if installed

[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=5m

[Install]
WantedBy=timers.target
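Review bot: With only `OnCalendar=daily`, a host that still has ufw when this package is upgraded keeps it until the next calendar tick, up to roughly 24 hours plus the 5-minute jitter, because debian/rules installs the service with `--no-start`; adding `OnBootSec=5min` and `OnUnitActiveSec=1d` (or keeping `OnCalendar` and adding `OnActiveSec=5min`) to the `[Timer]` section would run the purge shortly after the timer is first activated. As far as I recall, `Persistent=true` only catches calendar elapsations missed while the timer was inactive and does not make a never-fired timer trigger on first activation, so it does not close this gap. A one-line comment stating that intent, `# Re-check daily so ufw cannot quietly return after an operator reinstalls it`, would also help.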
2 changes: 2 additions & 0 deletions securedrop/debian/rules
Expand Up @@ -78,6 +78,7 @@ override_dh_systemd_enable:
dh_systemd_enable --no-enable securedrop-submissions-today.service
dh_systemd_enable --no-enable securedrop-clean-tmp.service
dh_systemd_enable --no-enable securedrop-remove-pending-sources.service
dh_systemd_enable --no-enable securedrop-remove-packages.service
dh_systemd_enable

# This is basically the same as the enable stanza above, just whether the
Expand All @@ -86,4 +87,5 @@ override_dh_systemd_start:
dh_systemd_start --no-start securedrop-submissions-today.service
dh_systemd_start --no-start securedrop-clean-tmp.service
dh_systemd_start --no-start securedrop-remove-pending-sources.service
dh_systemd_start --no-start securedrop-remove-packages.service
dh_systemd_start
1 change: 1 addition & 0 deletions securedrop/debian/securedrop-config.install
@@ -1,2 +1,3 @@
debian/config/etc /
debian/config/lib /
debian/config/opt /