From ef3a10ca4f8d1cc6e14ce2722a57a1d24dbdccde Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Mon, 19 Jan 2026 14:27:47 +0700
Subject: [PATCH 1/3] feat: reduce attack surface
---
ansible/tasks/clean-build-dependencies.yml | 38 ++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/ansible/tasks/clean-build-dependencies.yml b/ansible/tasks/clean-build-dependencies.yml
index 567398f5f..af70d4d7a 100644
--- a/ansible/tasks/clean-build-dependencies.yml
+++ b/ansible/tasks/clean-build-dependencies.yml
@@ -19,3 +19,41 @@
- patch
- python2
state: 'absent'
+
+# Security hardening: remove packages that increase attack surface
+# - Compiler toolchain enables local exploit compilation
+# - Dev packages provide headers for building exploits
+# - salt-minion is a remote management agent (large attack surface)
+# - sshpass stores credentials in plaintext
+- name: Remove high-security-risk packages
+ ansible.builtin.apt:
+ autoremove: true
+ pkg:
+ # Compiler toolchain
+ - binutils
+ - binutils-aarch64-linux-gnu
+ - binutils-common
+ - gcc-14-base
+ # Dev/header packages
+ - libc6-dev
+ - libcrypt-dev
+ - libevent-dev
+ - libpcre3-dev
+ - libssl-dev
+ - libsystemd-dev
+ - linux-headers-aws
+ - linux-libc-dev
+ - pkg-config
+ - pkgconf
+ - pkgconf-bin
+ - rpcsvc-proto
+ - systemd-dev
+ - zlib1g-dev
+ # Remote management (if not used)
+ - salt-minion
+ - salt-common
+ # Credential handling
+ - sshpass
+ # Build tool leftovers
+ - ansible-core
+ state: 'absent'
From 7a3b51683207c35d66d97fca85958aa18ae5fb3d Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Mon, 19 Jan 2026 14:58:07 +0700
Subject: [PATCH 2/3] fix: gcc-14-base is just shared files used by runtime libs, not compiler, and is required
---
ansible/tasks/clean-build-dependencies.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ansible/tasks/clean-build-dependencies.yml b/ansible/tasks/clean-build-dependencies.yml
index af70d4d7a..bc057c28f 100644
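Review bot: The salt-minion entry is annotated `# Remote management (if not used)` but the removal is unconditional, and `state: 'absent'` without `purge` leaves the agent's configuration directory (and any minion key material it holds, if present) on the image after the package itself is gone. Either gate that entry on a variable or make the comment definite, and add `purge: true` beside `autoremove: true` so the leftover config of every removed package is dropped as well. Removing `ansible-core` from inside the play also deserves a second look: if this playbook targets localhost, tasks scheduled after this one may still need it — presumably confirm the task order before relying on it. The task list starts before this hunk, so I cannot see whether gcc, g++ or make are already covered by earlier entries.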
--- a/ansible/tasks/clean-build-dependencies.yml
+++ b/ansible/tasks/clean-build-dependencies.yml
@@ -29,11 +29,10 @@
ansible.builtin.apt:
autoremove: true
pkg:
- # Compiler toolchain
+ # Compiler toolchain (gcc-14-base kept - libgcc-s1 runtime depends on it)
- binutils
- binutils-aarch64-linux-gnu
- binutils-common
- - gcc-14-base
# Dev/header packages
- libc6-dev
- libcrypt-dev
From 3cdcbe43a50738b2964f2f806e64139d8de1430c Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Fri, 30 Jan 2026 10:32:17 -0500
Subject: [PATCH 3/3] fix: bypass need for add-apt-repository since it's gone by this point
---
scripts/90-cleanup-qemu.sh | 4 +++-
scripts/90-cleanup.sh | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/scripts/90-cleanup-qemu.sh b/scripts/90-cleanup-qemu.sh
index e6a585001..3e055561b 100644
--- a/scripts/90-cleanup-qemu.sh
+++ b/scripts/90-cleanup-qemu.sh
@@ -38,7 +38,9 @@ elif [ -n "$(command -v apt-get)" ]; then
ansible \
snapd
- add-apt-repository --yes --remove ppa:ansible/ansible
+ # Remove ansible PPA directly (software-properties-common may not be installed)
+ rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \
+ /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
source /etc/os-release
diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh
index 644e5f7f6..eaa338f14 100644
--- a/scripts/90-cleanup.sh
+++ b/scripts/90-cleanup.sh
@@ -36,7 +36,9 @@ elif [ -n "$(command -v apt-get)" ]; then
libgcc-9-dev \
ansible
- add-apt-repository --yes --remove ppa:ansible/ansible
+ # Remove ansible PPA directly (software-properties-common may not be installed)
+ rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \
+ /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
source /etc/os-release
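Review bot: The updated comment records why gcc-14-base stays, but nothing in the task verifies that the remaining entries leave the package database consistent, so the next runtime library that depends on something in this list would again only show up after the image is built. A follow-up task such as `ansible.builtin.command: dpkg --audit` with `changed_when: false` immediately after this removal would fail the build on broken dependencies instead of deferring the discovery. The task begins before this hunk, so the `- name:` line and the earlier package entries are not visible here.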
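Review bot: The `rm -f` on the source entries replaces only part of what `add-apt-repository --remove` did: on releases where the PPA was written as a legacy `.list` file, its signing key is typically stored in a separate keyring under /etc/apt/trusted.gpg.d/ (file name not visible here), and that key stays trusted for every apt source after this change, which widens rather than reduces the attack surface the series is trying to shrink. Delete that keyring alongside the `.list`/`.sources` files, or add a check after the removal that lists /etc/apt/trusted.gpg.d/ and fails if an ansible PPA key remains. The `2>/dev/null || true` suffix is also redundant with `rm -f` and would hide a real failure such as a read-only filesystem; dropping it keeps the step's failure mode visible. The same two points apply to the identical hunk in scripts/90-cleanup.sh.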