From a61adb183ae3d46c76bf4b794d655c6715352af0 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Fri, 14 May 2021 10:01:07 +0200
Subject: [PATCH] committing changes in /etc made by "/usr/bin/apt full-upgrade -y"
Package changes:
+distro-info 0.23ubuntu1 amd64
-ubuntu-advantage-tools 20.3 amd64
+ubuntu-advantage-tools 27.0.2~20.04.1 amd64
---
 .etckeeper | 6 +-
 apt/apt.conf.d/20apt-esm-hook.conf | 15 ++++
 .../ua-reboot-cmds.service | 1 +
 .../timers.target.wants/ua-messaging.timer | 1 +
 ubuntu-advantage/help_data.yaml | 68 +++++++++++++++++++
 ubuntu-advantage/uaclient.conf | 1 +
 .../ubuntu-advantage-upgrades.cfg | 4 ++
 update-motd.d/88-esm-announce | 4 ++
 update-motd.d/91-contract-ua-esm-status | 4 ++
 9 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 apt/apt.conf.d/20apt-esm-hook.conf
 create mode 120000 systemd/system/multi-user.target.wants/ua-reboot-cmds.service
 create mode 120000 systemd/system/timers.target.wants/ua-messaging.timer
 create mode 100644 ubuntu-advantage/help_data.yaml
 create mode 100644 update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg
 create mode 100755 update-motd.d/88-esm-announce
 create mode 100755 update-motd.d/91-contract-ua-esm-status
diff --git a/.etckeeper b/.etckeeper
index 5acaa27..ee7a2a3 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -70,7 +70,6 @@ mkdir -p './ssh/ssh_config.d'
 mkdir -p './ssh/sshd_config.d'
 mkdir -p './systemd/network'
 mkdir -p './udev/hwdb.d'
-mkdir -p './update-manager/release-upgrades.d'
 mkdir -p './update-notifier'
 mkdir -p './usb_modeswitch.d'
 mkdir -p './vulkan/explicit_layer.d'
@@ -529,6 +528,7 @@ maybe chmod 0444 'apt/apt.conf.d/01autoremove-kernels'
 maybe chmod 0644 'apt/apt.conf.d/05etckeeper'
 maybe chmod 0644 'apt/apt.conf.d/10periodic'
 maybe chmod 0644 'apt/apt.conf.d/15update-stamp'
+maybe chmod 0644 'apt/apt.conf.d/20apt-esm-hook.conf'
 maybe chmod 0644 'apt/apt.conf.d/20archive'
 maybe chmod 0644 'apt/apt.conf.d/20dbus'
 maybe chmod 0644 'apt/apt.conf.d/20packagekit'
@@ -3051,6 +3051,7 @@ maybe chmod 0644 'timidity/timgm6mb.cfg'
 maybe chmod 0755 'tmpfiles.d'
 maybe chmod 0644 'tmpfiles.d/screen-cleanup.conf'
 maybe chmod 0755 'ubuntu-advantage'
+maybe chmod 0644 'ubuntu-advantage/help_data.yaml'
 maybe chmod 0644 'ubuntu-advantage/uaclient.conf'
 maybe chmod 0644 'ucf.conf'
 maybe chmod 0755 'udev'
@@ -3082,12 +3083,15 @@ maybe chmod 0755 'update-manager'
 maybe chmod 0644 'update-manager/meta-release'
 maybe chmod 0644 'update-manager/release-upgrades'
 maybe chmod 0755 'update-manager/release-upgrades.d'
+maybe chmod 0644 'update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg'
 maybe chmod 0755 'update-motd.d'
 maybe chmod 0755 'update-motd.d/00-header'
 maybe chmod 0755 'update-motd.d/10-help-text'
 maybe chmod 0755 'update-motd.d/50-motd-news'
 maybe chmod 0755 'update-motd.d/85-fwupd'
+maybe chmod 0755 'update-motd.d/88-esm-announce'
 maybe chmod 0755 'update-motd.d/90-updates-available'
+maybe chmod 0755 'update-motd.d/91-contract-ua-esm-status'
 maybe chmod 0755 'update-motd.d/91-release-upgrade'
 maybe chmod 0755 'update-motd.d/95-hwe-eol'
 maybe chmod 0755 'update-motd.d/98-fsck-at-reboot'
diff --git a/apt/apt.conf.d/20apt-esm-hook.conf b/apt/apt.conf.d/20apt-esm-hook.conf
new file mode 100644
index 0000000..3a06efd
--- /dev/null
+++ b/apt/apt.conf.d/20apt-esm-hook.conf
@@ -0,0 +1,15 @@
+APT::Update::Post-Invoke-Stats {
+ "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook post-invoke-stats || true";
+};
+
+APT::Install::Post-Invoke-Success {
+ "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook post-invoke-success || true";
+};
+
+APT::Install::Pre-Invoke {
+ "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke || true";
+}
+
+AptCli::Hooks::Upgrade {
+ "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-json-hook ] || /usr/lib/ubuntu-advantage/apt-esm-json-hook || true";
+}
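Review bot: The last two scopes in 20apt-esm-hook.conf, `APT::Install::Pre-Invoke` and `AptCli::Hooks::Upgrade`, close with a bare `}` while the first two close with `};`. apt.conf syntax documents the terminating semicolon after a scope, so I would write `};` on both and check with `apt-config dump` that all four hook entries are actually registered. Every hook also ends in `|| true` and is guarded only by `[ ! -f … ]`, so a helper that fails, or that is present but not executable, stays silent during apt runs. A leading comment such as `// ESM hooks from ubuntu-advantage-tools; helper failures are ignored on purpose` would record that intent, assuming the package named in the commit message is indeed the source of this file.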
diff --git a/systemd/system/multi-user.target.wants/ua-reboot-cmds.service b/systemd/system/multi-user.target.wants/ua-reboot-cmds.service
new file mode 120000
index 0000000..e2ace0a
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/ua-reboot-cmds.service
@@ -0,0 +1 @@
+/lib/systemd/system/ua-reboot-cmds.service
\ No newline at end of file
diff --git a/systemd/system/timers.target.wants/ua-messaging.timer b/systemd/system/timers.target.wants/ua-messaging.timer
new file mode 120000
index 0000000..a9be21a
--- /dev/null
+++ b/systemd/system/timers.target.wants/ua-messaging.timer
@@ -0,0 +1 @@
+/lib/systemd/system/ua-messaging.timer
\ No newline at end of file
diff --git a/ubuntu-advantage/help_data.yaml b/ubuntu-advantage/help_data.yaml
new file mode 100644
index 0000000..da222a3
--- /dev/null
+++ b/ubuntu-advantage/help_data.yaml
@@ -0,0 +1,68 @@
+cc-eal:
+ help: |
+ Common Criteria is an Information Technology Security Evaluation standard
+ (ISO/IEC IS 15408) for computer security certification. Ubuntu 16.04 has
+ been evaluated to assurance level EAL2 through CSEC. The evaluation was
+ performed on Intel x86_64, IBM Power8 and IBM Z hardware platforms.
+
+cis:
+ help: |
+ CIS benchmarks locks down your systems by removing non-secure programs,
+ disabling unused filesystems, disabling unnecessary ports or services to
+ prevent cyber attacks and malware, auditing privileged operations and
+ restricting administrative privileges. The cis command installs
+ tooling needed to automate audit and hardening according to a desired
+ CIS profile - level 1 or level 2 for server or workstation on
+ Ubuntu 18.04 LTS or 16.04 LTS. The audit tooling uses OpenSCAP libraries
+ to do a scan of the system. The tool provides options to generate a
+ report in XML or a html format. The report shows compliance for all the
+ rules against the profile selected during the scan. You can find out
+ more at https://ubuntu.com/security/certifications#cis
+
+esm-apps:
+ help: |
+ UA Apps: Extended Security Maintenance is enabled by default on entitled
+ workloads. It provides access to a private PPA which includes available
+ high and critical CVE fixes for Ubuntu LTS packages in the Ubuntu Main
+ and Ubuntu Universe repositories from the Ubuntu LTS release date until
+ its end of life. You can find out more about the esm service at
+ https://ubuntu.com/security/esm
+
+esm-infra:
+ help: |
+ esm-infra provides access to a private ppa which includes available high
+ and critical CVE fixes for Ubuntu LTS packages in the Ubuntu Main
+ repository between the end of the standard Ubuntu LTS security
+ maintenance and its end of life. It is enabled by default with
+ Extended Security Maintenance (ESM) for UA Apps and UA Infra.
+ You can find our more about the esm service at
+ https://ubuntu.com/security/esm
+
+fips:
+ help: |
+ FIPS 140-2 is a set of publicly announced cryptographic standards
+ developed by the National Institute of Standards and Technology
+ applicable for FedRAMP, HIPAA, PCI and ISO compliance use cases.
+ Note that ‘fips’ does not provide security patching. For fips certified
+ modules with security patches please refer to fips-updates. The modules
+ are certified on Intel x86_64 and IBM Z hardware platforms for Ubuntu
+ 18.04 and Intel x86_64, IBM Power8 and IBM Z hardware platforms for
+ Ubuntu 16.04. Below is the list of fips certified components per an
+ Ubuntu Version. You can find out more at
+ https://ubuntu.com/security/certifications#fips
+
+fips-updates:
+ help: |
+ fips-updates installs fips modules including all security patches
+ for those modules that have been provided since their certification date.
+ You can find out more at https://ubuntu.com/security/certifications#fips.
+
+livepatch:
+ help: |
+ Livepatch provides selected high and critical kernel CVE fixes and other
+ non-security bug fixes as kernel livepatches. Livepatches are applied
+ without rebooting a machine which drastically limits the need for
+ unscheduled system reboots. Due to the nature of fips compliance,
+ livepatches cannot be enabled on fips-enabled systems. You can find out
+ more about Ubuntu Kernel Livepatch service at
+ https://ubuntu.com/security/livepatch
diff --git a/ubuntu-advantage/uaclient.conf b/ubuntu-advantage/uaclient.conf
index 8dc2f1a..9e5def8 100644
--- a/ubuntu-advantage/uaclient.conf
+++ b/ubuntu-advantage/uaclient.conf
@@ -1,5 +1,6 @@
 # Ubuntu-Advantage client config file.
 contract_url: 'https://contracts.canonical.com'
+security_url: 'https://ubuntu.com/security'
 data_dir: /var/lib/ubuntu-advantage
 log_level: debug
 log_file: /var/log/ubuntu-advantage.log
diff --git a/update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg b/update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg
new file mode 100644
index 0000000..c7da279
--- /dev/null
+++ b/update-manager/release-upgrades.d/ubuntu-advantage-upgrades.cfg
@@ -0,0 +1,4 @@
+[Sources]
+Pockets=security,updates,proposed,backports,infra-security,infra-updates,apps-security,apps-updates
+[Distro]
+PostInstallScripts=./xorg_fix_proprietary.py, /usr/lib/ubuntu-advantage/upgrade_lts_contract.py
diff --git a/update-motd.d/88-esm-announce b/update-motd.d/88-esm-announce
new file mode 100755
index 0000000..44b521b
--- /dev/null
+++ b/update-motd.d/88-esm-announce
@@ -0,0 +1,4 @@
+#!/bin/sh
+stamp="/var/lib/ubuntu-advantage/messages/motd-esm-announce"
+
+[ ! -r "$stamp" ] || cat "$stamp"
diff --git a/update-motd.d/91-contract-ua-esm-status b/update-motd.d/91-contract-ua-esm-status
new file mode 100755
index 0000000..ceb2272
--- /dev/null
+++ b/update-motd.d/91-contract-ua-esm-status
@@ -0,0 +1,4 @@
+#!/bin/sh
+stamp="/var/lib/ubuntu-advantage/messages/motd-esm-service-status"
+
+[ ! -r "$stamp" ] || cat "$stamp"
-- 
2.39.5
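Review bot: ubuntu-advantage-upgrades.cfg carries no comment saying what reads it, and its `PostInstallScripts` line names two scripts, one by relative path (`./xorg_fix_proprietary.py`) and one under /usr/lib/ubuntu-advantage. Judging by the key names, the file looks like a whole-value override for the release upgrader that restates existing entries and appends the ESM ones; that is an inference, so it is worth confirming that `Pockets`, which includes `proposed`, matches the upgrader's stock list rather than widening it. A header line such as `# Release-upgrader override: adds ESM pockets and the UA contract post-install script` would make the intent explicit. On the host I would also check that `/usr/lib/ubuntu-advantage/upgrade_lts_contract.py` is root-owned and not group- or world-writable, since it is presumably run with the upgrader's privileges.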
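Review bot: Neither 88-esm-announce nor 91-contract-ua-esm-status says where its `stamp` file comes from, and both `cat` it verbatim into the login banner (`motd-esm-announce` and `motd-esm-service-status` under `/var/lib/ubuntu-advantage/messages`). Because the content reaches users' terminals unfiltered, the messages directory and both files should be writable by root only; that is worth verifying once on the host, as the directory's permissions are not tracked in this repository. A one-line header in each script, e.g. `# Print the cached ESM message if present; cache is written by the ubuntu-advantage tooling (confirm which unit)`, would document the data flow.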