committing changes in /etc after apt run
authormhoellein <mhoellein@freenet.de>
Wed, 16 Jun 2021 12:59:56 +0000 (14:59 +0200)
committermhoellein <mhoellein@freenet.de>
Wed, 16 Jun 2021 12:59:56 +0000 (14:59 +0200)
Package changes:
+distro-info 0.18ubuntu0.18.04.1 amd64
-ubuntu-advantage-tools 17 all
+ubuntu-advantage-tools 27.0.2~18.04.1 amd64

13 files changed:
.etckeeper
apt/apt.conf.d/20apt-esm-hook.conf [new file with mode: 0644]
cron.daily/ubuntu-advantage-tools [deleted file]
logrotate.d/ubuntu-advantage-tools [new file with mode: 0644]
systemd/system/multi-user.target.wants/ua-reboot-cmds.service [new symlink]
systemd/system/timers.target.wants/ua-messaging.timer [new symlink]
ubuntu-advantage/help_data.yaml [new file with mode: 0644]
ubuntu-advantage/uaclient.conf [new file with mode: 0644]
update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg [new file with mode: 0644]
update-motd.d/80-esm [deleted file]
update-motd.d/80-livepatch [deleted file]
update-motd.d/88-esm-announce [new file with mode: 0755]
update-motd.d/91-contract-ua-esm-status [new file with mode: 0755]

index 14f0b6ec9493d946eb07348dd254803c6272b8d9..6450346cb9368ee8671851aeb4d2b24bbd9d569e 100755 (executable)
@@ -69,7 +69,6 @@ mkdir -p './security/namespace.d'
 mkdir -p './smartmontools/smartd_warning.d'
 mkdir -p './systemd/user'
 mkdir -p './udev/hwdb.d'
-mkdir -p './update-manager/release-upgrades.d'
 mkdir -p './update-notifier'
 mkdir -p './usb_modeswitch.d'
 maybe chmod 0755 '.'
@@ -755,6 +754,7 @@ maybe chmod 0444 'apt/apt.conf.d/01autoremove-kernels'
 maybe chmod 0644 'apt/apt.conf.d/05etckeeper'
 maybe chmod 0644 'apt/apt.conf.d/10periodic'
 maybe chmod 0644 'apt/apt.conf.d/15update-stamp'
+maybe chmod 0644 'apt/apt.conf.d/20apt-esm-hook.conf'
 maybe chmod 0644 'apt/apt.conf.d/20archive'
 maybe chmod 0644 'apt/apt.conf.d/20auto-upgrades'
 maybe chmod 0644 'apt/apt.conf.d/20dbus'
@@ -2033,7 +2033,6 @@ maybe chmod 0755 'cron.daily/ntp'
 maybe chmod 0755 'cron.daily/passwd'
 maybe chmod 0755 'cron.daily/samba'
 maybe chmod 0755 'cron.daily/spamassassin'
-maybe chmod 0755 'cron.daily/ubuntu-advantage-tools'
 maybe chmod 0755 'cron.daily/update-notifier-common'
 maybe chmod 0755 'cron.daily/upstart'
 maybe chmod 0755 'cron.hourly'
@@ -9265,6 +9264,7 @@ maybe chmod 0644 'logrotate.d/samba'
 maybe chmod 0644 'logrotate.d/speech-dispatcher'
 maybe chmod 0644 'logrotate.d/tine20'
 maybe chmod 0644 'logrotate.d/tor'
+maybe chmod 0644 'logrotate.d/ubuntu-advantage-tools'
 maybe chmod 0644 'logrotate.d/ufw'
 maybe chmod 0644 'logrotate.d/unattended-upgrades'
 maybe chmod 0644 'logrotate.d/unifi'
@@ -10552,6 +10552,9 @@ maybe chmod 0644 'tmpfiles.d/screen-cleanup.conf'
 maybe chmod 0755 'tor'
 maybe chmod 0644 'tor/torrc'
 maybe chmod 0644 'ts.conf'
+maybe chmod 0755 'ubuntu-advantage'
+maybe chmod 0644 'ubuntu-advantage/help_data.yaml'
+maybe chmod 0644 'ubuntu-advantage/uaclient.conf'
 maybe chmod 0644 'ucf.conf'
 maybe chmod 0755 'udev'
 maybe chmod 0755 'udev/hwdb.d'
@@ -10588,13 +10591,14 @@ maybe chmod 0755 'update-manager'
 maybe chmod 0644 'update-manager/meta-release'
 maybe chmod 0644 'update-manager/release-upgrades'
 maybe chmod 0755 'update-manager/release-upgrades.d'
+maybe chmod 0644 'update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg'
 maybe chmod 0755 'update-motd.d'
 maybe chmod 0755 'update-motd.d/00-header'
 maybe chmod 0755 'update-motd.d/10-help-text'
 maybe chmod 0755 'update-motd.d/50-motd-news'
-maybe chmod 0755 'update-motd.d/80-esm'
-maybe chmod 0755 'update-motd.d/80-livepatch'
+maybe chmod 0755 'update-motd.d/88-esm-announce'
 maybe chmod 0755 'update-motd.d/90-updates-available'
+maybe chmod 0755 'update-motd.d/91-contract-ua-esm-status'
 maybe chmod 0755 'update-motd.d/91-release-upgrade'
 maybe chmod 0755 'update-motd.d/92-unattended-upgrades'
 maybe chmod 0755 'update-motd.d/95-hwe-eol'
diff --git a/apt/apt.conf.d/20apt-esm-hook.conf b/apt/apt.conf.d/20apt-esm-hook.conf
new file mode 100644 (file)
index 0000000..3a06efd
--- /dev/null
@@ -0,0 +1,15 @@
+APT::Update::Post-Invoke-Stats {
+       "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook post-invoke-stats || true";
+};
+
+APT::Install::Post-Invoke-Success {
+       "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook post-invoke-success || true";
+}; 
+
+APT::Install::Pre-Invoke {
+       "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke || true";
+}
+
+AptCli::Hooks::Upgrade {
+       "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-json-hook ] || /usr/lib/ubuntu-advantage/apt-esm-json-hook || true";
+}
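Review bot: Every hook command in this file ends in `|| true`, so a failing or non-executable `/usr/lib/ubuntu-advantage/apt-esm-hook` is silently ignored on each apt run, and no comment in the file says so. Since apt normally runs these hooks as root, a header such as `// Hooks from ubuntu-advantage-tools; run with apt's privileges, failures deliberately ignored (|| true)` would help anyone auditing /etc. The guard tests `-f` rather than `-x`, which is only harmless because of the `|| true`. The last two scopes close with `}` while the first two use `};`; using `};` throughout matches the form apt.conf documents. This file is package-shipped, so a local edit would presumably have to be carried across upgrades.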
diff --git a/cron.daily/ubuntu-advantage-tools b/cron.daily/ubuntu-advantage-tools
deleted file mode 100755 (executable)
index 6d44746..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh -e
-
-UA="/usr/bin/ubuntu-advantage"
-CACHE_DIR="/var/cache/ubuntu-advantage-tools"
-CACHE_FILE="$CACHE_DIR/ubuntu-advantage-status.cache"
-
-[ -x "$UA" ] || exit 0
-
-[ -d "$CACHE_DIR" ] || mkdir -p "$CACHE_DIR"
-
-"$UA" status > "$CACHE_FILE"
-
diff --git a/logrotate.d/ubuntu-advantage-tools b/logrotate.d/ubuntu-advantage-tools
new file mode 100644 (file)
index 0000000..1dede3f
--- /dev/null
@@ -0,0 +1,8 @@
+/var/log/ubuntu-advantage.log {
+    rotate 6
+    monthly
+    compress
+    delaycompress
+    missingok
+    notifempty
+}
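Review bot: The stanza for `/var/log/ubuntu-advantage.log` sets no `create` mode or owner, so the permissions of the freshly rotated log depend on the global logrotate defaults and on whatever the client created. With `log_level: debug` set in ubuntu-advantage/uaclient.conf in this same commit and six monthly rotations kept, it is worth pinning this explicitly, for example `create 0600 root root`, assuming the client only ever writes the log as root. I would also add a one-line `#` comment naming the package that owns the log.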
diff --git a/systemd/system/multi-user.target.wants/ua-reboot-cmds.service b/systemd/system/multi-user.target.wants/ua-reboot-cmds.service
new file mode 120000 (symlink)
index 0000000..e2ace0a
--- /dev/null
@@ -0,0 +1 @@
+/lib/systemd/system/ua-reboot-cmds.service
\ No newline at end of file
diff --git a/systemd/system/timers.target.wants/ua-messaging.timer b/systemd/system/timers.target.wants/ua-messaging.timer
new file mode 120000 (symlink)
index 0000000..a9be21a
--- /dev/null
@@ -0,0 +1 @@
+/lib/systemd/system/ua-messaging.timer
\ No newline at end of file
diff --git a/ubuntu-advantage/help_data.yaml b/ubuntu-advantage/help_data.yaml
new file mode 100644 (file)
index 0000000..da222a3
--- /dev/null
@@ -0,0 +1,68 @@
+cc-eal:
+    help: |
+      Common Criteria is an Information Technology Security Evaluation standard
+      (ISO/IEC IS 15408) for computer security certification. Ubuntu 16.04 has
+      been evaluated to assurance level EAL2 through CSEC. The evaluation was
+      performed on Intel x86_64, IBM Power8 and IBM Z hardware platforms.
+
+cis:
+    help: |
+      CIS benchmarks locks down your systems by removing non-secure programs,
+      disabling unused filesystems, disabling unnecessary ports or services to
+      prevent cyber attacks and malware, auditing privileged operations and
+      restricting administrative privileges. The cis command installs
+      tooling needed to automate audit and hardening according to a desired
+      CIS profile - level 1 or level 2 for server or workstation on
+      Ubuntu 18.04 LTS or 16.04 LTS. The audit tooling uses OpenSCAP libraries
+      to do a scan of the system. The tool provides options to generate a
+      report in XML or a html format. The report shows compliance for all the
+      rules against the profile selected during the scan. You can find out
+      more at https://ubuntu.com/security/certifications#cis
+
+esm-apps:
+    help: |
+      UA Apps: Extended Security Maintenance is enabled by default on entitled
+      workloads. It provides access to a private PPA which includes available
+      high and critical CVE fixes for Ubuntu LTS packages in the Ubuntu Main
+      and Ubuntu Universe repositories from the Ubuntu LTS release date until
+      its end of life. You can find out more about the esm service at
+      https://ubuntu.com/security/esm
+
+esm-infra:
+   help: |
+     esm-infra provides access to a private ppa which includes available high
+     and critical CVE fixes for Ubuntu LTS packages in the Ubuntu Main
+     repository between the end of the standard Ubuntu LTS security
+     maintenance and its end of life. It is enabled by default with
+     Extended Security Maintenance (ESM) for UA Apps and UA Infra.
+     You can find our more about the esm service at
+     https://ubuntu.com/security/esm
+
+fips:
+    help: |
+      FIPS 140-2 is a set of publicly announced cryptographic standards
+      developed by the National Institute of Standards and Technology
+      applicable for FedRAMP, HIPAA, PCI and ISO compliance use cases.
+      Note that ‘fips’ does not provide security patching. For fips certified
+      modules with security patches please refer to fips-updates. The modules
+      are certified on Intel x86_64 and IBM Z hardware platforms for Ubuntu
+      18.04 and Intel x86_64, IBM Power8 and IBM Z hardware platforms for
+      Ubuntu 16.04. Below is the list of fips certified components per an
+      Ubuntu Version. You can find out more at
+      https://ubuntu.com/security/certifications#fips
+
+fips-updates:
+    help: |
+      fips-updates installs fips modules including all security patches
+      for those modules that have been provided since their certification date.
+      You can find out more at https://ubuntu.com/security/certifications#fips.
+
+livepatch:
+    help: |
+      Livepatch provides selected high and critical kernel CVE fixes and other
+      non-security bug fixes as kernel livepatches. Livepatches are applied
+      without rebooting a machine which drastically limits the need for
+      unscheduled system reboots. Due to the nature of fips compliance,
+      livepatches cannot be enabled on fips-enabled systems. You can find out
+      more about Ubuntu Kernel Livepatch service at
+      https://ubuntu.com/security/livepatch
diff --git a/ubuntu-advantage/uaclient.conf b/ubuntu-advantage/uaclient.conf
new file mode 100644 (file)
index 0000000..9e5def8
--- /dev/null
@@ -0,0 +1,6 @@
+# Ubuntu-Advantage client config file.
+contract_url: 'https://contracts.canonical.com'
+security_url: 'https://ubuntu.com/security'
+data_dir: /var/lib/ubuntu-advantage
+log_level: debug
+log_file: /var/log/ubuntu-advantage.log
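Review bot: `log_level: debug` is the most verbose setting, and here it goes to a persistent file, `/var/log/ubuntu-advantage.log`, on a host that talks to `contract_url`. Whether debug output includes contract or request details is not visible from this hunk, so either confirm the log file is readable by root only or lower the level with `log_level: info`. A short comment next to the setting saying why debug is wanted would settle it for the next reader.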
diff --git a/update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg b/update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg
new file mode 100644 (file)
index 0000000..c7da279
--- /dev/null
@@ -0,0 +1,4 @@
+[Sources]
+Pockets=security,updates,proposed,backports,infra-security,infra-updates,apps-security,apps-updates
+[Distro]
+PostInstallScripts=./xorg_fix_proprietary.py, /usr/lib/ubuntu-advantage/upgrade_lts_contract.py
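Review bot: `PostInstallScripts` lists `./xorg_fix_proprietary.py` by relative path next to an absolute `/usr/lib/ubuntu-advantage/upgrade_lts_contract.py`, and nothing in the file says what the relative entry resolves against. These scripts presumably run with the release upgrader's privileges, so a comment such as `# ./xorg_fix_proprietary.py is resolved in the upgrader's own directory; second entry is shipped by ubuntu-advantage-tools` (to be confirmed) would make the trust assumption explicit. `Pockets` also names `proposed`; it looks like a list of recognised pockets rather than enabled ones, but that deserves a comment too.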
diff --git a/update-motd.d/80-esm b/update-motd.d/80-esm
deleted file mode 100755 (executable)
index 0857621..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-SERIES=$(lsb_release -cs)
-DESCRIPTION=$(lsb_release -ds)
-
-[ "$SERIES" = "precise" ] || exit 0
-
-[ -x /usr/bin/ubuntu-advantage ] || exit 0
-
-if ubuntu-advantage is-esm-enabled; then
-    cat <<EOF
-This ${DESCRIPTION} system is configured to receive extended security updates
-from Canonical:
- * https://www.ubuntu.com/esm
-EOF
-else
-    cat <<EOF
-This ${DESCRIPTION} system is past its End of Life, and is no longer
-receiving security updates.  To protect the integrity of this system, it’s
-critical that you enable Extended Security Maintenance updates:
- * https://www.ubuntu.com/esm
-EOF
-fi
-echo
diff --git a/update-motd.d/80-livepatch b/update-motd.d/80-livepatch
deleted file mode 100755 (executable)
index de59bf1..0000000
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/bin/sh
-
-UA=${UA:-"/usr/bin/ubuntu-advantage"}
-UA_STATUS_CACHE=${UA_STATUS_CACHE:-"/var/cache/ubuntu-advantage-tools/ubuntu-advantage-status.cache"}
-
-[ -x "$UA" ] || exit 0
-
-print_patch_state() {
-    local patch_state="$1"
-
-    case "$patch_state" in
-        unapplied)
-            echo "Patches are available, will be deployed shortly."
-            ;;
-        applied)
-            echo "All available patches applied."
-            ;;
-        applied-with-bug|apply-failed)
-            echo "Live patching failed, please run \`ubuntu-bug linux\` to report a bug."
-            ;;
-        nothing-to-apply)
-            echo "All available patches applied."
-            ;;
-        applying)
-            echo "Live patching currently in progress."
-            ;;
-        *)
-            echo "Unknown patch status. Please see /var/log/syslog for more information."
-            echo "     Status: \"$patch_state\""
-            ;;
-    esac
-}
-
-print_status() {
-    local check_state="$1"
-    local patch_state="$2"
-
-    echo -n "   - "
-    case "$check_state" in
-        needs-check)
-            echo "Regular server check is pending."
-            ;;
-        check-failed)
-            echo "Livepatch server check failed."
-            echo "     Please see /var/log/syslog for more information."
-            ;;
-        checked)
-            print_patch_state "$patch_state"
-            ;;
-        *)
-            echo "Unknown check status. Please see /var/log/syslog for more information."
-            echo "     Status: \"$check_state\""
-            ;;
-    esac
-}
-
-
-service_name="livepatch"
-# if there is no cache file yet (the cron job hasn't run yet), bail
-[ -s "$UA_STATUS_CACHE" ] || exit 0
-ua_status=$(cat "$UA_STATUS_CACHE")
-# if there is no livepatch section at all in the output, silently
-# bail
-has_livepatch=$(echo "${ua_status}" | grep "^${service_name}")
-[ -n "${has_livepatch}" ] || exit 0
-livepatch_status=$(echo "$ua_status"|grep ^${service_name}:|sed -r -n "s,^${service_name}: (.*)$,\\1,p")
-# only look for patchState and checkState inside the specific service
-# block in the status output
-patch_state=$(echo "$ua_status"|sed -r -n "/^${service_name}:/,/^\\S/s,^[[:blank:]]+patchState: (.*)$,\\1,p")
-check_state=$(echo "$ua_status"|sed -r -n "/^${service_name}:/,/^\\S/s,^[[:blank:]]+checkState: (.*)$,\\1,p")
-
-case "$livepatch_status" in
-    "disabled (not available)")
-        # do nothing
-        ;;
-    "enabled")
-        echo
-        echo " * Canonical Livepatch is enabled."
-        print_status "${check_state}" "${patch_state}"
-        ;;
-    "disabled")
-        echo
-        echo " * Canonical Livepatch is available for installation."
-        echo "   - Reduce system reboots and improve kernel security. Activate at:"
-        echo "     https://ubuntu.com/livepatch"
-        ;;
-    *)
-        echo
-        echo " * Canonical Livepatch is in an unknown state."
-        echo "   - Please see /var/log/syslog for more information."
-        echo "     Status: \"$livepatch_status\""
-        ;;
-esac
diff --git a/update-motd.d/88-esm-announce b/update-motd.d/88-esm-announce
new file mode 100755 (executable)
index 0000000..44b521b
--- /dev/null
@@ -0,0 +1,4 @@
+#!/bin/sh
+stamp="/var/lib/ubuntu-advantage/messages/motd-esm-announce"
+
+[ ! -r "$stamp" ] || cat "$stamp"
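Review bot: The script prints `$stamp` verbatim at login, and nothing here documents who is allowed to write `/var/lib/ubuntu-advantage/messages/motd-esm-announce`; update-motd.d/91-contract-ua-esm-status below does the same with `motd-esm-service-status`. update-motd scripts normally run as root and their output reaches every user's terminal, so the file and its directory should be root-owned and not group- or world-writable. I would add a comment like `# stamp is written by the ubuntu-advantage messaging job; must stay root-owned` (the writer is presumed, confirm against the package).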
diff --git a/update-motd.d/91-contract-ua-esm-status b/update-motd.d/91-contract-ua-esm-status
new file mode 100755 (executable)
index 0000000..ceb2272
--- /dev/null
@@ -0,0 +1,4 @@
+#!/bin/sh
+stamp="/var/lib/ubuntu-advantage/messages/motd-esm-service-status"
+
+[ ! -r "$stamp" ] || cat "$stamp"