From 1517e28b4549941153fa521bc7e33470b48cde31 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Thu, 28 Feb 2019 12:24:05 -0500
Subject: [PATCH] Remove unused packages

Wireless-related packages are not required for SecureDrop App and Mon servers. `gcc` and dpkg-dev` however are required, as they are listed dependencies for `libgcc1`, a dependency for very large number of packages including `apt`. These packages are installed by default in Trusty, and will remain if an instance is upgraded to Xenial.
---
 .../ansible-base/roles/common/defaults/main.yml | 5 +++++
 .../ansible-base/roles/common/tasks/main.yml | 2 ++
 .../common/tasks/remove_unused_packages.yml | 16 ++++++++++++++++
 .../staging/common/test_system_hardening.py | 12 ++++++++++++
 4 files changed, 35 insertions(+)
 create mode 100644 install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml

diff --git a/install_files/ansible-base/roles/common/defaults/main.yml b/install_files/ansible-base/roles/common/defaults/main.yml
index 669fb7b05b..a9de7da68a 100644
--- a/install_files/ansible-base/roles/common/defaults/main.yml
+++ b/install_files/ansible-base/roles/common/defaults/main.yml
@@ -44,3 +44,8 @@ sysctl_flags:
 value: "1"
 - name: "net.ipv6.conf.lo.disable_ipv6"
 value: "1"
+
+unused_packages:
+ - libiw30
+ - wireless-tools
+ - wpasupplicant
diff --git a/install_files/ansible-base/roles/common/tasks/main.yml b/install_files/ansible-base/roles/common/tasks/main.yml
index d4bbd74b6e..d04e1972fb 100644
--- a/install_files/ansible-base/roles/common/tasks/main.yml
+++ b/install_files/ansible-base/roles/common/tasks/main.yml
@@ -22,3 +22,5 @@
 - include: disable_swap.yml
 - include: remove_kernel_modules.yml
+
+- include: remove_unused_packages.yml
diff --git a/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml b/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml
new file mode 100644
index 0000000000..c046e82bdc
--- /dev/null
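Review bot: The new `unused_packages` list in defaults/main.yml carries no comment saying why these three packages are being removed, or that `gcc` and `dpkg-dev` were considered and deliberately kept; that reasoning lives only in the commit message and will not be visible to the next person editing this file. I would add above the list: `# Wireless stack is never used on App/Mon servers; removed by tasks/remove_unused_packages.yml. gcc/dpkg-dev are intentionally NOT listed (see commit history).` The same three package names are repeated by hand in the testinfra hardening test, so a second comment noting that the test must be kept in sync would help keep the two from drifting.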
+++ b/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml
@@ -0,0 +1,16 @@
+---
+- name: Remove unused packages
+ apt:
+ name: "{{ item }}"
+ state: absent
+ with_items: "{{ unused_packages }}"
+ tags:
+ - apt
+ - hardening
+
+- name: Remove dependencies that are no longer required
+ apt:
+ autoremove: yes
+ tags:
+ - apt
+ - hardening
diff --git a/molecule/testinfra/staging/common/test_system_hardening.py b/molecule/testinfra/staging/common/test_system_hardening.py
index 7aa9769aea..23eb27b045 100644
--- a/molecule/testinfra/staging/common/test_system_hardening.py
+++ b/molecule/testinfra/staging/common/test_system_hardening.py
@@ -1,6 +1,8 @@
 import pytest
 import re
+testinfra_hosts = ["app", "app-staging", "mon", "mon-staging"]
+
 @pytest.mark.parametrize('sysctl_opt', [
 ('net.ipv4.conf.all.accept_redirects', 0),
@@ -133,3 +135,13 @@ def test_no_ecrypt_messages_in_logs(host, logfile):
 # string to make it into syslog as a side-effect of the testinfra
 # invocation, causing subsequent test runs to report failure.
 assert error_message not in f.content_string
+
+
+@pytest.mark.parametrize('package', [
+ 'libiw30',
+ 'wpasupplicant',
+ 'wireless-tools',
+])
+def test_unused_packages_are_removed(host, package):
+ """ Check if unused package is present """
+ assert host.package(package).is_installed is False
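Review bot: `state: absent` in the first task deinstalls the packages but leaves their conffiles on disk (dpkg "rc" state), so a wpasupplicant configuration — which may hold stored network PSKs if one was ever written on the host — survives this hardening step; for packages that are never meant to come back, add `purge: yes` next to `state: absent` so the configuration is removed as well. As far as I recall, testinfra reports a package in "rc" state as not installed, so the accompanying test would not catch the difference between remove and purge. The `with_items` loop also issues one apt transaction per package; the apt module accepts a list directly, so `name: "{{ unused_packages }}"` with no loop does the same in one call — though whether that form is available depends on the Ansible version pinned by this repo, which the hunk does not show.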
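Review bot: The module-level `testinfra_hosts` assignment selects the hosts for every test in test_system_hardening.py, not only the new package test, and nothing in the hunk says why this scoping is introduced here; a one-line comment would spare the next reader a git blame, e.g. `# Hardening checks apply to both app and mon servers, in prod and staging.` If the module previously ran against whatever host set the molecule/testinfra configuration supplies by default, this line also changes which hosts the sysctl and log checks below run on — worth confirming against that configuration, which is not visible in this hunk.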
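Review bot: The docstring on `test_unused_packages_are_removed` says the opposite of what the test asserts: `""" Check if unused package is present """` describes a presence check, while the body asserts `is_installed is False`; I would change it to `"""Packages listed in unused_packages are absent on App and Mon servers."""`. The parametrize list also repeats the three package names from roles/common/defaults/main.yml by hand, so the Ansible list and the test can drift silently; a comment pointing at the defaults file as the source of truth would help until the list is loaded from there. As a point of style, `assert not host.package(package).is_installed` is the idiomatic form of the last line.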