From 156011d9ea4b849463854aaed744ae2aaf39b863 Mon Sep 17 00:00:00 2001
From: mhoellein <mhoellein@freenet.de>
Date: Wed, 16 Jun 2021 14:59:56 +0200
Subject: [PATCH] committing changes in /etc after apt run

Package changes:
+distro-info 0.18ubuntu0.18.04.1 amd64
-ubuntu-advantage-tools 17 all
+ubuntu-advantage-tools 27.0.2~18.04.1 amd64
---
 .etckeeper                                    | 12 ++-
 apt/apt.conf.d/20apt-esm-hook.conf            | 15 +++
 cron.daily/ubuntu-advantage-tools             | 12 ---
 logrotate.d/ubuntu-advantage-tools            |  8 ++
 .../ua-reboot-cmds.service                    |  1 +
 .../timers.target.wants/ua-messaging.timer    |  1 +
 ubuntu-advantage/help_data.yaml               | 68 ++++++++++++++
 ubuntu-advantage/uaclient.conf                |  6 ++
 .../ubuntu-advantage-upgrades.cfg             |  4 +
 update-motd.d/80-esm                          | 24 -----
 update-motd.d/80-livepatch                    | 93 -------------------
 update-motd.d/88-esm-announce                 |  4 +
 update-motd.d/91-contract-ua-esm-status       |  4 +
 13 files changed, 119 insertions(+), 133 deletions(-)
 create mode 100644 apt/apt.conf.d/20apt-esm-hook.conf
 delete mode 100755 cron.daily/ubuntu-advantage-tools
 create mode 100644 logrotate.d/ubuntu-advantage-tools
 create mode 120000 systemd/system/multi-user.target.wants/ua-reboot-cmds.service
 create mode 120000 systemd/system/timers.target.wants/ua-messaging.timer
 create mode 100644 ubuntu-advantage/help_data.yaml
 create mode 100644 ubuntu-advantage/uaclient.conf
 create mode 100644 update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg
 delete mode 100755 update-motd.d/80-esm
 delete mode 100755 update-motd.d/80-livepatch
 create mode 100755 update-motd.d/88-esm-announce
 create mode 100755 update-motd.d/91-contract-ua-esm-status

diff --git a/.etckeeper b/.etckeeper
index 14f0b6ec..6450346c 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -69,7 +69,6 @@ mkdir -p './security/namespace.d'
 mkdir -p './smartmontools/smartd_warning.d'
 mkdir -p './systemd/user'
 mkdir -p './udev/hwdb.d'
-mkdir -p './update-manager/release-upgrades.d'
 mkdir -p './update-notifier'
 mkdir -p './usb_modeswitch.d'
 maybe chmod 0755 '.'
@@ -755,6 +754,7 @@ maybe chmod 0444 'apt/apt.conf.d/01autoremove-kernels'
 maybe chmod 0644 'apt/apt.conf.d/05etckeeper'
 maybe chmod 0644 'apt/apt.conf.d/10periodic'
 maybe chmod 0644 'apt/apt.conf.d/15update-stamp'
+maybe chmod 0644 'apt/apt.conf.d/20apt-esm-hook.conf'
 maybe chmod 0644 'apt/apt.conf.d/20archive'
 maybe chmod 0644 'apt/apt.conf.d/20auto-upgrades'
 maybe chmod 0644 'apt/apt.conf.d/20dbus'
@@ -2033,7 +2033,6 @@ maybe chmod 0755 'cron.daily/ntp'
 maybe chmod 0755 'cron.daily/passwd'
 maybe chmod 0755 'cron.daily/samba'
 maybe chmod 0755 'cron.daily/spamassassin'
-maybe chmod 0755 'cron.daily/ubuntu-advantage-tools'
 maybe chmod 0755 'cron.daily/update-notifier-common'
 maybe chmod 0755 'cron.daily/upstart'
 maybe chmod 0755 'cron.hourly'
@@ -9265,6 +9264,7 @@ maybe chmod 0644 'logrotate.d/samba'
 maybe chmod 0644 'logrotate.d/speech-dispatcher'
 maybe chmod 0644 'logrotate.d/tine20'
 maybe chmod 0644 'logrotate.d/tor'
+maybe chmod 0644 'logrotate.d/ubuntu-advantage-tools'
 maybe chmod 0644 'logrotate.d/ufw'
 maybe chmod 0644 'logrotate.d/unattended-upgrades'
 maybe chmod 0644 'logrotate.d/unifi'
@@ -10552,6 +10552,9 @@ maybe chmod 0644 'tmpfiles.d/screen-cleanup.conf'
 maybe chmod 0755 'tor'
 maybe chmod 0644 'tor/torrc'
 maybe chmod 0644 'ts.conf'
+maybe chmod 0755 'ubuntu-advantage'
+maybe chmod 0644 'ubuntu-advantage/help_data.yaml'
+maybe chmod 0644 'ubuntu-advantage/uaclient.conf'
 maybe chmod 0644 'ucf.conf'
 maybe chmod 0755 'udev'
 maybe chmod 0755 'udev/hwdb.d'
@@ -10588,13 +10591,14 @@ maybe chmod 0755 'update-manager'
 maybe chmod 0644 'update-manager/meta-release'
 maybe chmod 0644 'update-manager/release-upgrades'
 maybe chmod 0755 'update-manager/release-upgrades.d'
+maybe chmod 0644 'update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg'
 maybe chmod 0755 'update-motd.d'
 maybe chmod 0755 'update-motd.d/00-header'
 maybe chmod 0755 'update-motd.d/10-help-text'
 maybe chmod 0755 'update-motd.d/50-motd-news'
-maybe chmod 0755 'update-motd.d/80-esm'
-maybe chmod 0755 'update-motd.d/80-livepatch'
+maybe chmod 0755 'update-motd.d/88-esm-announce'
 maybe chmod 0755 'update-motd.d/90-updates-available'
+maybe chmod 0755 'update-motd.d/91-contract-ua-esm-status'
 maybe chmod 0755 'update-motd.d/91-release-upgrade'
 maybe chmod 0755 'update-motd.d/92-unattended-upgrades'
 maybe chmod 0755 'update-motd.d/95-hwe-eol'
diff --git a/apt/apt.conf.d/20apt-esm-hook.conf b/apt/apt.conf.d/20apt-esm-hook.conf
new file mode 100644
index 00000000..3a06efdf
--- /dev/null
+++ b/apt/apt.conf.d/20apt-esm-hook.conf
@@ -0,0 +1,15 @@
+APT::Update::Post-Invoke-Stats {
+	"[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook post-invoke-stats || true";
+};
+
+APT::Install::Post-Invoke-Success {
+	"[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook post-invoke-success || true";
+}; 
+
+APT::Install::Pre-Invoke {
+	"[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke || true";
+}
+
+AptCli::Hooks::Upgrade {
+	"[ ! -f /usr/lib/ubuntu-advantage/apt-esm-json-hook ] || /usr/lib/ubuntu-advantage/apt-esm-json-hook || true";
+}
diff --git a/cron.daily/ubuntu-advantage-tools b/cron.daily/ubuntu-advantage-tools
deleted file mode 100755
index 6d447463..00000000
--- a/cron.daily/ubuntu-advantage-tools
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh -e
-
-UA="/usr/bin/ubuntu-advantage"
-CACHE_DIR="/var/cache/ubuntu-advantage-tools"
-CACHE_FILE="$CACHE_DIR/ubuntu-advantage-status.cache"
-
-[ -x "$UA" ] || exit 0
-
-[ -d "$CACHE_DIR" ] || mkdir -p "$CACHE_DIR"
-
-"$UA" status > "$CACHE_FILE"
-
diff --git a/logrotate.d/ubuntu-advantage-tools b/logrotate.d/ubuntu-advantage-tools
new file mode 100644
index 00000000..1dede3f5
--- /dev/null
+++ b/logrotate.d/ubuntu-advantage-tools
@@ -0,0 +1,8 @@
+/var/log/ubuntu-advantage.log {
+    rotate 6
+    monthly
+    compress
+    delaycompress
+    missingok
+    notifempty
+}
diff --git a/systemd/system/multi-user.target.wants/ua-reboot-cmds.service b/systemd/system/multi-user.target.wants/ua-reboot-cmds.service
new file mode 120000
index 00000000..e2ace0ae
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/ua-reboot-cmds.service
@@ -0,0 +1 @@
+/lib/systemd/system/ua-reboot-cmds.service
\ No newline at end of file
diff --git a/systemd/system/timers.target.wants/ua-messaging.timer b/systemd/system/timers.target.wants/ua-messaging.timer
new file mode 120000
index 00000000..a9be21a6
--- /dev/null
+++ b/systemd/system/timers.target.wants/ua-messaging.timer
@@ -0,0 +1 @@
+/lib/systemd/system/ua-messaging.timer
\ No newline at end of file
diff --git a/ubuntu-advantage/help_data.yaml b/ubuntu-advantage/help_data.yaml
new file mode 100644
index 00000000..da222a3a
--- /dev/null
+++ b/ubuntu-advantage/help_data.yaml
@@ -0,0 +1,68 @@
+cc-eal:
+    help: |
+      Common Criteria is an Information Technology Security Evaluation standard
+      (ISO/IEC IS 15408) for computer security certification. Ubuntu 16.04 has
+      been evaluated to assurance level EAL2 through CSEC. The evaluation was
+      performed on Intel x86_64, IBM Power8 and IBM Z hardware platforms.
+
+cis:
+    help: |
+      CIS benchmarks locks down your systems by removing non-secure programs,
+      disabling unused filesystems, disabling unnecessary ports or services to
+      prevent cyber attacks and malware, auditing privileged operations and
+      restricting administrative privileges. The cis command installs
+      tooling needed to automate audit and hardening according to a desired
+      CIS profile - level 1 or level 2 for server or workstation on
+      Ubuntu 18.04 LTS or 16.04 LTS. The audit tooling uses OpenSCAP libraries
+      to do a scan of the system. The tool provides options to generate a
+      report in XML or a html format. The report shows compliance for all the
+      rules against the profile selected during the scan. You can find out
+      more at https://ubuntu.com/security/certifications#cis
+
+esm-apps:
+    help: |
+      UA Apps: Extended Security Maintenance is enabled by default on entitled
+      workloads. It provides access to a private PPA which includes available
+      high and critical CVE fixes for Ubuntu LTS packages in the Ubuntu Main
+      and Ubuntu Universe repositories from the Ubuntu LTS release date until
+      its end of life. You can find out more about the esm service at
+      https://ubuntu.com/security/esm
+
+esm-infra:
+   help: |
+     esm-infra provides access to a private ppa which includes available high
+     and critical CVE fixes for Ubuntu LTS packages in the Ubuntu Main
+     repository between the end of the standard Ubuntu LTS security
+     maintenance and its end of life. It is enabled by default with
+     Extended Security Maintenance (ESM) for UA Apps and UA Infra.
+     You can find our more about the esm service at
+     https://ubuntu.com/security/esm
+
+fips:
+    help: |
+      FIPS 140-2 is a set of publicly announced cryptographic standards
+      developed by the National Institute of Standards and Technology
+      applicable for FedRAMP, HIPAA, PCI and ISO compliance use cases.
+      Note that ‘fips’ does not provide security patching. For fips certified
+      modules with security patches please refer to fips-updates. The modules
+      are certified on Intel x86_64 and IBM Z hardware platforms for Ubuntu
+      18.04 and Intel x86_64, IBM Power8 and IBM Z hardware platforms for
+      Ubuntu 16.04. Below is the list of fips certified components per an
+      Ubuntu Version. You can find out more at
+      https://ubuntu.com/security/certifications#fips
+
+fips-updates:
+    help: |
+      fips-updates installs fips modules including all security patches
+      for those modules that have been provided since their certification date.
+      You can find out more at https://ubuntu.com/security/certifications#fips.
+
+livepatch:
+    help: |
+      Livepatch provides selected high and critical kernel CVE fixes and other
+      non-security bug fixes as kernel livepatches. Livepatches are applied
+      without rebooting a machine which drastically limits the need for
+      unscheduled system reboots. Due to the nature of fips compliance,
+      livepatches cannot be enabled on fips-enabled systems. You can find out
+      more about Ubuntu Kernel Livepatch service at
+      https://ubuntu.com/security/livepatch
diff --git a/ubuntu-advantage/uaclient.conf b/ubuntu-advantage/uaclient.conf
new file mode 100644
index 00000000..9e5def80
--- /dev/null
+++ b/ubuntu-advantage/uaclient.conf
@@ -0,0 +1,6 @@
+# Ubuntu-Advantage client config file.
+contract_url: 'https://contracts.canonical.com'
+security_url: 'https://ubuntu.com/security'
+data_dir: /var/lib/ubuntu-advantage
+log_level: debug
+log_file: /var/log/ubuntu-advantage.log
diff --git a/update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg b/update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg
new file mode 100644
index 00000000..c7da279a
--- /dev/null
+++ b/update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg
@@ -0,0 +1,4 @@
+[Sources]
+Pockets=security,updates,proposed,backports,infra-security,infra-updates,apps-security,apps-updates
+[Distro]
+PostInstallScripts=./xorg_fix_proprietary.py, /usr/lib/ubuntu-advantage/upgrade_lts_contract.py
diff --git a/update-motd.d/80-esm b/update-motd.d/80-esm
deleted file mode 100755
index 08576213..00000000
--- a/update-motd.d/80-esm
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-SERIES=$(lsb_release -cs)
-DESCRIPTION=$(lsb_release -ds)
-
-[ "$SERIES" = "precise" ] || exit 0
-
-[ -x /usr/bin/ubuntu-advantage ] || exit 0
-
-if ubuntu-advantage is-esm-enabled; then
-    cat <<EOF
-This ${DESCRIPTION} system is configured to receive extended security updates
-from Canonical:
- * https://www.ubuntu.com/esm
-EOF
-else
-    cat <<EOF
-This ${DESCRIPTION} system is past its End of Life, and is no longer
-receiving security updates.  To protect the integrity of this system, it’s
-critical that you enable Extended Security Maintenance updates:
- * https://www.ubuntu.com/esm
-EOF
-fi
-echo
diff --git a/update-motd.d/80-livepatch b/update-motd.d/80-livepatch
deleted file mode 100755
index de59bf1e..00000000
--- a/update-motd.d/80-livepatch
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/bin/sh
-
-UA=${UA:-"/usr/bin/ubuntu-advantage"}
-UA_STATUS_CACHE=${UA_STATUS_CACHE:-"/var/cache/ubuntu-advantage-tools/ubuntu-advantage-status.cache"}
-
-[ -x "$UA" ] || exit 0
-
-print_patch_state() {
-    local patch_state="$1"
-
-    case "$patch_state" in
-        unapplied)
-            echo "Patches are available, will be deployed shortly."
-            ;;
-        applied)
-            echo "All available patches applied."
-            ;;
-        applied-with-bug|apply-failed)
-            echo "Live patching failed, please run \`ubuntu-bug linux\` to report a bug."
-            ;;
-        nothing-to-apply)
-            echo "All available patches applied."
-            ;;
-        applying)
-            echo "Live patching currently in progress."
-            ;;
-        *)
-            echo "Unknown patch status. Please see /var/log/syslog for more information."
-            echo "     Status: \"$patch_state\""
-            ;;
-    esac
-}
-
-print_status() {
-    local check_state="$1"
-    local patch_state="$2"
-
-    echo -n "   - "
-    case "$check_state" in
-        needs-check)
-            echo "Regular server check is pending."
-            ;;
-        check-failed)
-            echo "Livepatch server check failed."
-            echo "     Please see /var/log/syslog for more information."
-            ;;
-        checked)
-            print_patch_state "$patch_state"
-            ;;
-        *)
-            echo "Unknown check status. Please see /var/log/syslog for more information."
-            echo "     Status: \"$check_state\""
-            ;;
-    esac
-}
-
-
-service_name="livepatch"
-# if there is no cache file yet (the cron job hasn't run yet), bail
-[ -s "$UA_STATUS_CACHE" ] || exit 0
-ua_status=$(cat "$UA_STATUS_CACHE")
-# if there is no livepatch section at all in the output, silently
-# bail
-has_livepatch=$(echo "${ua_status}" | grep "^${service_name}")
-[ -n "${has_livepatch}" ] || exit 0
-livepatch_status=$(echo "$ua_status"|grep ^${service_name}:|sed -r -n "s,^${service_name}: (.*)$,\\1,p")
-# only look for patchState and checkState inside the specific service
-# block in the status output
-patch_state=$(echo "$ua_status"|sed -r -n "/^${service_name}:/,/^\\S/s,^[[:blank:]]+patchState: (.*)$,\\1,p")
-check_state=$(echo "$ua_status"|sed -r -n "/^${service_name}:/,/^\\S/s,^[[:blank:]]+checkState: (.*)$,\\1,p")
-
-case "$livepatch_status" in
-    "disabled (not available)")
-        # do nothing
-        ;;
-    "enabled")
-        echo
-        echo " * Canonical Livepatch is enabled."
-        print_status "${check_state}" "${patch_state}"
-        ;;
-    "disabled")
-        echo
-        echo " * Canonical Livepatch is available for installation."
-        echo "   - Reduce system reboots and improve kernel security. Activate at:"
-        echo "     https://ubuntu.com/livepatch"
-        ;;
-    *)
-        echo
-        echo " * Canonical Livepatch is in an unknown state."
-        echo "   - Please see /var/log/syslog for more information."
-        echo "     Status: \"$livepatch_status\""
-        ;;
-esac
diff --git a/update-motd.d/88-esm-announce b/update-motd.d/88-esm-announce
new file mode 100755
index 00000000..44b521b4
--- /dev/null
+++ b/update-motd.d/88-esm-announce
@@ -0,0 +1,4 @@
+#!/bin/sh
+stamp="/var/lib/ubuntu-advantage/messages/motd-esm-announce"
+
+[ ! -r "$stamp" ] || cat "$stamp"
diff --git a/update-motd.d/91-contract-ua-esm-status b/update-motd.d/91-contract-ua-esm-status
new file mode 100755
index 00000000..ceb22723
--- /dev/null
+++ b/update-motd.d/91-contract-ua-esm-status
@@ -0,0 +1,4 @@
+#!/bin/sh
+stamp="/var/lib/ubuntu-advantage/messages/motd-esm-service-status"
+
+[ ! -r "$stamp" ] || cat "$stamp"
-- 
2.43.0