Merge ~ahasenack/ubuntu/+source/ubuntu-advantage-tools:disco-v18-update into ubuntu/+source/ubuntu-advantage-tools:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: Robie Basak
Approved revision: 7245b89d3e844a8bf836199330308920dfdc84fe
Merged at revision: 7245b89d3e844a8bf836199330308920dfdc84fe
Proposed branch: ~ahasenack/ubuntu/+source/ubuntu-advantage-tools:disco-v18-update
Merge into: ubuntu/+source/ubuntu-advantage-tools:ubuntu/devel
Diff against target: 994 lines (+705/-12)
16 files modified
README.md (+2/-0)
debian/changelog (+13/-0)
keyrings/ubuntu-securitybenchmarks-keyring.gpg (+0/-0)
modules/service-cc.sh (+75/-0)
modules/service-cis.sh (+75/-0)
modules/service-livepatch.sh (+14/-2)
modules/service.sh (+9/-1)
tests/fakes.py (+20/-0)
tests/test_cc.py (+186/-0)
tests/test_cisaudit.py (+187/-0)
tests/test_livepatch_motd.py (+14/-0)
tests/test_script.py (+20/-0)
tests/testing.py (+26/-1)
ubuntu-advantage (+23/-7)
ubuntu-advantage.1 (+35/-1)
update-motd.d/80-livepatch (+6/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Pending
Review via email: mp+361749@code.launchpad.net

Description of the change

Bileto ticket and ppa: https://bileto.ubuntu.com/#/ticket/3593

The package build runs unit tests, way more comprehensive than the dep8 tests.

This contains all the changes since v17 (available in disco) to what is in the master branch on github, effectively bringing the code in sync. I used git rebase to transport the github commits onto the ubuntu package git repo.

If reviewing each commit, what will complicate things a bit is the revert of "Merge pull request #147 from panlinux/switch-kernel-for-lp".

Christian Ehrhardt  (paelzer) wrote :

Considering that the content was already reviewed on the actual project I can't find an issue from the packaging perspective.
So Ack?

I took a look at the rest (high level only) and found a few things worth mentioning:

I was wondering why the Readme.md didn't get an entry for "Canonical CIS Ubuntu Benchmark Audit tool", but all other elements got one - intentional?

Furthermore "FIPS PPA repository" got changed to "FIPS repository", but all the commoncriteria/CIS entries still call it "PPA repository"; that feels a bit inconsistent.

How do you want to continue, do you want to fix up the mentioned issues and/or a deeper review of what was changed upstream?
Or would you want to upload v18 as-is (it is a correctly packaged v18) and work on those things for v19 at the source?

review: Needs Information
Andreas Hasenack (ahasenack) wrote :

I'll fix that here.

Andreas Hasenack (ahasenack) wrote :

Updated and pushed. There are other mentions of "PPA" elsewhere in the code (status messages, that kind of thing), but changing those is a bigger chunk of work as it also affects tests and UI. I would prefer to change that in a later version. The PPA change you noted in the help output was indeed an oversight and what I did is just a continuation of https://github.com/CanonicalLtd/ubuntu-advantage-script/pull/153, so that's OK to do here.

I also updated the README.md file regarding the CIS audit tool. No URL for it yet, though, so I'll just leave it mentioned.

Christian Ehrhardt  (paelzer) wrote :

Thanks, the packaging and the changes in general LGTM

review: Approve
Andreas Hasenack (ahasenack) wrote :

Tagged and uploaded.

Preview Diff

diff --git a/README.md b/README.md
index f18d214..b217889 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,8 @@ Currently it supports the following:
9- [Ubuntu Extended Security Maintenance](https://ubuntu.com/esm) archive.9- [Ubuntu Extended Security Maintenance](https://ubuntu.com/esm) archive.
10- [Canonical Livepatch](https://www.ubuntu.com/server/livepatch) service for managed live kernel patching.10- [Canonical Livepatch](https://www.ubuntu.com/server/livepatch) service for managed live kernel patching.
11- Canonical FIPS 140-2 Certified Modules. Install Configure and Enable FIPS modules.11- Canonical FIPS 140-2 Certified Modules. Install Configure and Enable FIPS modules.
12- Canonical Common Criteria EAL2 certification artifacts provisioning
13- Canonical CIS Ubuntu Benchmark Audit tool
1214
13Run 15Run
1416
diff --git a/debian/changelog b/debian/changelog
index 39ea084..6b4db06 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
1ubuntu-advantage-tools (18) disco; urgency=medium
2
3 [ Andreas Hasenack ]
4 * Have ua status cope with the additional livepatch status of running a
5 kernel that is not supported for livepatches.
6
7 [ Vineetha Kamath ]
8 * Add support to common criteria EAL2 artifacts installation #144
9 * Add new flag enable-cisaudit to support cis audit
10 * Add support for disable-cc-provisioning
11
12 -- Andreas Hasenack <andreas@canonical.com> Mon, 14 Jan 2019 16:39:31 -0200
13
1ubuntu-advantage-tools (17) bionic; urgency=medium14ubuntu-advantage-tools (17) bionic; urgency=medium
215
3 * New upstream release (LP: #1759280):16 * New upstream release (LP: #1759280):
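Review bot: The v18 entry omits several user-visible changes that appear elsewhere in this diff: the disable-cisaudit command (exercised in tests/test_cisaudit.py), the removal of empty lines from the livepatch status output, and the service name now being printed with hyphens instead of underscores in "ua status". Add a bullet for each so the changelog matches what the upload changes.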
diff --git a/keyrings/ubuntu-cc-keyring.gpg b/keyrings/ubuntu-cc-keyring.gpg
4new file mode 10064417new file mode 100644
index 0000000..d00f63f
5Binary files /dev/null and b/keyrings/ubuntu-cc-keyring.gpg differ18Binary files /dev/null and b/keyrings/ubuntu-cc-keyring.gpg differ
diff --git a/keyrings/ubuntu-securitybenchmarks-keyring.gpg b/keyrings/ubuntu-securitybenchmarks-keyring.gpg
6new file mode 10064419new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/keyrings/ubuntu-securitybenchmarks-keyring.gpg
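Review bot: keyrings/ubuntu-securitybenchmarks-keyring.gpg is added as an empty file: its index line ends in e69de29, which is git's id for the empty blob, and the file list shows it as +0/-0. modules/service-cis.sh passes this file to apt_add_repo as the repository key, so enable-cisaudit would install an empty keyring and leave apt with no key to verify the security-benchmarks repository. Ship the real public key, and because ubuntu-cc-keyring.gpg appears only as a binary diff, confirm both key fingerprints against a trusted source before upload.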
diff --git a/modules/service-cc.sh b/modules/service-cc.sh
7new file mode 10064420new file mode 100644
index 0000000..2995c33
--- /dev/null
+++ b/modules/service-cc.sh
@@ -0,0 +1,75 @@
1# shellcheck disable=SC2034,SC2039
2
3CC_PROVISIONING_SERVICE_TITLE="Canonical Common Criteria EAL2 Provisioning"
4CC_PROVISIONING_SUPPORTED_SERIES="xenial"
5CC_PROVISIONING_SUPPORTED_ARCHS="x86_64 ppc64le s390x"
6
7CC_PROVISIONING_REPO_URL="https://private-ppa.launchpad.net/ubuntu-advantage/commoncriteria"
8CC_PROVISIONING_REPO_KEY_FILE="ubuntu-cc-keyring.gpg"
9CC_PROVISIONING_REPO_LIST=${CC_PROVISIONING_REPO_LIST:-"/etc/apt/sources.list.d/ubuntu-cc-${SERIES}.list"}
10CC_PROVISIONING_UBUNTU_COMMONCRITERIA="ubuntu-commoncriteria"
11
12cc_provisioning_enable() {
13 local token="$1"
14 local result=0
15
16 _cc_is_installed || result=$?
17 if [ $result -eq 0 ]; then
18 error_msg "Common Criteria artifacts are already installed and available in /usr/lib/common-criteria."
19 error_exit service_already_enabled
20 fi
21
22 check_token "$CC_PROVISIONING_REPO_URL" "$token"
23 apt_add_repo "$CC_PROVISIONING_REPO_LIST" "$CC_PROVISIONING_REPO_URL" "$token" \
24 "${KEYRINGS_DIR}/${CC_PROVISIONING_REPO_KEY_FILE}"
25 apt_install_package_if_missing_file "$APT_METHOD_HTTPS" apt-transport-https
26 apt_install_package_if_missing_file "$CA_CERTIFICATES" ca-certificates
27 echo -n 'Running apt-get update... '
28 check_result apt_get update
29 echo 'Ubuntu Common Criteria PPA repository enabled.'
30
31 echo -n 'Installing Common Criteria artifacts (this may take a while)... '
32 # shellcheck disable=SC2086
33 check_result apt_get install $CC_PROVISIONING_UBUNTU_COMMONCRITERIA
34
35 echo "Successfully prepared this machine to host the Common Criteria artifacts."
36 echo "Please follow instructions in /usr/share/doc/ubuntu-commoncriteria/README to configure EAL2 on the target machine(s)."
37}
38
39cc_provisioning_disable() {
40 if [ -f "$CC_PROVISIONING_REPO_LIST" ]; then
41 apt_remove_repo "$CC_PROVISIONING_REPO_LIST" "$CC_PROVISIONING_REPO_URL" \
42 "$APT_KEYS_DIR/$CC_PROVISIONING_REPO_KEY_FILE"
43 echo -n 'Running apt-get update... '
44 check_result apt_get update
45 echo 'Canonical Common Criteria EAL2 Provisioning Disabled.'
46 else
47 echo 'Canonical Common Criteria EAL2 Provisioning is not Enabled.'
48 fi
49
50 if apt_is_package_installed $CC_PROVISIONING_UBUNTU_COMMONCRITERIA; then
51 check_result apt_get remove $CC_PROVISIONING_UBUNTU_COMMONCRITERIA
52 echo 'Canonical Common Criteria EAL2 Artifacts Removed.'
53 fi
54}
55
56cc_provisioning_is_enabled() {
57 _cc_is_installed
58}
59
60cc_provisioning_print_status() {
61 echo "cc-provisioning: artifacts are in /usr/lib/common-criteria"
62}
63
64_cc_is_installed() {
65 apt_is_package_installed ubuntu-commoncriteria && return 0
66}
67
68cc_provisioning_validate_token() {
69 local token="$1"
70
71 if ! validate_user_pass_token "$token"; then
72 error_msg 'Invalid token, it must be in the form "user:password"'
73 return 1
74 fi
75}
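Review bot: cc_provisioning_is_enabled (line 57) looks only at whether the package is installed, while cc_provisioning_enable adds the repository list and keyring, with the token handed to apt_add_repo, before the install at line 33; if that install fails, the repository and credentials stay configured while the service reads as not enabled. Either clean up on a failed install or have the enabled check also consider "$CC_PROVISIONING_REPO_LIST", as cc_provisioning_disable already does at line 40. Smaller points: _cc_is_installed hardcodes ubuntu-commoncriteria instead of using $CC_PROVISIONING_UBUNTU_COMMONCRITERIA, its "&& return 0" is redundant, and the variable is unquoted at lines 50 and 51 without the SC2086 suppression used at line 32.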
diff --git a/modules/service-cis.sh b/modules/service-cis.sh
0new file mode 10064476new file mode 100644
index 0000000..12fb3e4
--- /dev/null
+++ b/modules/service-cis.sh
@@ -0,0 +1,75 @@
1# shellcheck disable=SC2034,SC2039
2
3CISAUDIT_SERVICE_TITLE="Canonical CIS Benchmark 16.04 Audit Tool"
4CISAUDIT_SUPPORTED_SERIES="xenial"
5CISAUDIT_SUPPORTED_ARCHS="x86_64 ppc64le s390x"
6
7CISAUDIT_REPO_URL="https://private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks"
8CISAUDIT_REPO_KEY_FILE="ubuntu-securitybenchmarks-keyring.gpg"
9CISAUDIT_REPO_LIST=${CISAUDIT_REPO_LIST:-"/etc/apt/sources.list.d/ubuntu-cis-${SERIES}.list"}
10CISAUDIT_UBUNTU_CISBENCHMARK="ubuntu-cisbenchmark-16.04"
11
12cisaudit_enable() {
13 local token="$1"
14 local result=0
15
16 _cisaudit_is_installed || result=$?
17 if [ $result -eq 0 ]; then
18 error_msg "CIS benchmark audit package is already installed and files are available in /usr/share/ubuntu-securityguides/$CISAUDIT_UBUNTU_CISBENCHMARK."
19 error_exit service_already_enabled
20 fi
21
22 check_token "$CISAUDIT_REPO_URL" "$token"
23 apt_add_repo "$CISAUDIT_REPO_LIST" "$CISAUDIT_REPO_URL" "$token" \
24 "${KEYRINGS_DIR}/${CISAUDIT_REPO_KEY_FILE}"
25 apt_install_package_if_missing_file "$APT_METHOD_HTTPS" apt-transport-https
26 apt_install_package_if_missing_file "$CA_CERTIFICATES" ca-certificates
27 echo -n 'Running apt-get update... '
28 check_result apt_get update
29 echo 'Ubuntu Security Benchmarks PPA repository enabled.'
30
31 echo -n 'Installing CIS audit benchmark tool (this may take a while)... '
32 # shellcheck disable=SC2086
33 check_result apt_get install $CISAUDIT_UBUNTU_CISBENCHMARK
34
35 echo "Successfully installed the CIS audit tool."
36 echo "Please follow instructions in /usr/share/doc/$CISAUDIT_UBUNTU_CISBENCHMARK/README to run the CIS audit tool on the target machine(s)."
37}
38
39cisaudit_disable() {
40 if [ -f "$CISAUDIT_REPO_LIST" ]; then
41 apt_remove_repo "$CISAUDIT_REPO_LIST" "$CISAUDIT_REPO_URL" \
42 "$APT_KEYS_DIR/$CISAUDIT_REPO_KEY_FILE"
43 echo -n 'Running apt-get update... '
44 check_result apt_get update
45 echo "Canonical CIS Benchmark 16.04 Audit Tool Repository Disabled."
46 else
47 echo 'Canonical CIS Benchmark 16.04 Audit Tool Repository is not Enabled.'
48 fi
49
50 if apt_is_package_installed $CISAUDIT_UBUNTU_CISBENCHMARK; then
51 check_result apt_get remove $CISAUDIT_UBUNTU_CISBENCHMARK
52 echo 'Canonical CIS Benchmark 16.04 Audit Tool Removed.'
53 fi
54}
55
56cisaudit_is_enabled() {
57 _cisaudit_is_installed
58}
59
60cisaudit_print_status() {
61 echo "cisaudit: files are in /usr/share/ubuntu-securityguides/$CISAUDIT_UBUNTU_CISBENCHMARK"
62}
63
64_cisaudit_is_installed() {
65 apt_is_package_installed $CISAUDIT_UBUNTU_CISBENCHMARK && return 0
66}
67
68cisaudit_validate_token() {
69 local token="$1"
70
71 if ! validate_user_pass_token "$token"; then
72 error_msg 'Invalid token, it must be in the form "user:password"'
73 return 1
74 fi
75}
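Review bot: cisaudit_enable, cisaudit_disable and cisaudit_validate_token duplicate their service-cc.sh counterparts line for line apart from the variable names and messages; factor the shared private-repository flow into one helper parameterised by URL, key file, list file and package, so a fix to one lands in both. $CISAUDIT_UBUNTU_CISBENCHMARK is unquoted at lines 50, 51 and 65 without the SC2086 suppression used at line 32, and the "&& return 0" in _cisaudit_is_installed is redundant.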
diff --git a/modules/service-livepatch.sh b/modules/service-livepatch.sh
index 0e35020..d7e920d 100644
--- a/modules/service-livepatch.sh
+++ b/modules/service-livepatch.sh
@@ -45,7 +45,7 @@ livepatch_disable() {
4545
46 echo 'Disabling Livepatch...'46 echo 'Disabling Livepatch...'
47 canonical-livepatch disable47 canonical-livepatch disable
48 if [ "$remove_snap" ]; then48 if [ -n "$remove_snap" ]; then
49 echo 'Removing the canonical-livepatch snap...'49 echo 'Removing the canonical-livepatch snap...'
50 snap remove canonical-livepatch50 snap remove canonical-livepatch
51 else51 else
@@ -59,8 +59,20 @@ livepatch_is_enabled() {
59 canonical-livepatch status >/dev/null 2>&1 || return 159 canonical-livepatch status >/dev/null 2>&1 || return 1
60}60}
6161
62livepatch_disabled_reason() {
63 local output
64 local result=0
65 local unsupported_kernel_msg="is not eligible for livepatch updates"
66
67 output=$(canonical-livepatch status 2>&1) || result=$?
68 if echo "${output}" | grep -q "${unsupported_kernel_msg}"; then
69 echo " (unsupported kernel)"
70 fi
71}
72
62livepatch_print_status() {73livepatch_print_status() {
63 canonical-livepatch status74 # remove empty lines
75 canonical-livepatch status | grep -vE '^[[:blank:]]*$'
64}76}
6577
66livepatch_validate_token() {78livepatch_validate_token() {
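Review bot: In livepatch_print_status, piping into grep makes the function's exit status grep's rather than canonical-livepatch's, so a failing status call is masked and an output with only blank lines returns 1; capture the output and exit status first, then filter. In livepatch_disabled_reason, result is assigned but never read, and the check depends on the exact wording "is not eligible for livepatch updates", which deserves a comment noting the coupling to the client's message.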
diff --git a/modules/service.sh b/modules/service.sh
index 26dc63e..f8e8d80 100644
--- a/modules/service.sh
+++ b/modules/service.sh
@@ -49,15 +49,23 @@ service_print_status() {
49 status="disabled"49 status="disabled"
50 if ! is_supported "$series" "$archs"; then50 if ! is_supported "$series" "$archs"; then
51 status+=" (not available)"51 status+=" (not available)"
52 else
53 status+=$(service_disabled_reason "${service}")
52 fi54 fi
53 fi55 fi
5456
55 echo "$service: $status"57 echo "${service//_/-}: $status"
56 if [ "$status" = enabled ]; then58 if [ "$status" = enabled ]; then
57 _service_print_detailed_status "$service"59 _service_print_detailed_status "$service"
58 fi60 fi
59}61}
6062
63service_disabled_reason() {
64 local service="$1"
65
66 call_if_defined "${service}_disabled_reason"
67}
68
61service_check_user() {69service_check_user() {
62 if [ "$(id -u)" -ne 0 ]; then70 if [ "$(id -u)" -ne 0 ]; then
63 error_msg "This command must be run as root (try using sudo)"71 error_msg "This command must be run as root (try using sudo)"
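Review bot: service_print_status appends the hook output verbatim with status+=$(service_disabled_reason "${service}"), so every <service>_disabled_reason function has to emit its own leading space and parentheses, as livepatch_disabled_reason does with " (unsupported kernel)". Have the hook return only the reason and do the formatting here, and add a comment above service_disabled_reason documenting the optional hook. The switch to "${service//_/-}" also changes the printed name for any service with an underscore (cc_provisioning becomes cc-provisioning), which is worth a line in the changelog.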
diff --git a/tests/fakes.py b/tests/fakes.py
index 0075504..ca6566d 100644
--- a/tests/fakes.py
+++ b/tests/fakes.py
@@ -30,6 +30,16 @@ EOF
30fi30fi
31"""31"""
3232
33# regardless of the command, canonical-livepatch will always exit with
34# status 1 and a message like this
35LIVEPATCH_UNSUPPORTED_KERNEL = """
36cat <<EOF
372018/05/24 18:51:29 cannot use livepatch: your kernel "4.15.0-1010-kvm" \
38is not eligible for livepatch updates
39EOF
40exit 1
41"""
42
33LIVEPATCH_ENABLED = """43LIVEPATCH_ENABLED = """
34if [ "$1" = "status" ]; then44if [ "$1" = "status" ]; then
35 cat <<EOF45 cat <<EOF
@@ -50,6 +60,10 @@ status:
50 * CVE-2015-7837 LP: #150956360 * CVE-2015-7837 LP: #1509563
51 * CVE-2016-0758 LP: #158120261 * CVE-2016-0758 LP: #1581202
52EOF62EOF
63# empty lines, for regression testing of
64# https://github.com/CanonicalLtd/ubuntu-advantage-script/issues/145
65echo
66echo
53elif [ "$1" = "enable" ]; then67elif [ "$1" = "enable" ]; then
54 echo -n "2017/08/04 18:03:47 Error executing enable?auth-token="68 echo -n "2017/08/04 18:03:47 Error executing enable?auth-token="
55 echo "deafbeefdeadbeefdeadbeefdeadbeef."69 echo "deafbeefdeadbeefdeadbeefdeadbeef."
@@ -159,6 +173,12 @@ fips: disabled (not available)
159livepatch: disabled (not available)173livepatch: disabled (not available)
160"""174"""
161175
176STATUS_CACHE_LIVEPATCH_DISABLED_UNSUPPORTED = """\
177esm: disabled (not available)
178fips: disabled (not available)
179livepatch: disabled (unsupported kernel)
180"""
181
162STATUS_CACHE_MIXED_CONTENT = """\182STATUS_CACHE_MIXED_CONTENT = """\
163esm: enabled183esm: enabled
164 patchState: should-not-be-here184 patchState: should-not-be-here
diff --git a/tests/test_cc.py b/tests/test_cc.py
165new file mode 100644185new file mode 100644
index 0000000..04ab50b
--- /dev/null
+++ b/tests/test_cc.py
@@ -0,0 +1,186 @@
1"""Tests for CC-related commands."""
2
3from testing import UbuntuAdvantageTest
4
5
6class CCTest(UbuntuAdvantageTest):
7
8 SERIES = 'xenial'
9 ARCH = 'x86_64'
10
11 def setUp(self):
12 super().setUp()
13 self.setup_cc()
14
15 def test_enable_cc_provisioning(self):
16 """The enable-cc-provisioning enables commoncriteria repository."""
17 process = self.script('enable-cc-provisioning', 'user:pass')
18 self.assertEqual(0, process.returncode)
19 self.assertIn(
20 'Ubuntu Common Criteria PPA repository enabled.',
21 process.stdout)
22 expected = (
23 'deb https://private-ppa.launchpad.net/ubuntu-advantage/'
24 'commoncriteria/ubuntu xenial main\n'
25 '# deb-src https://private-ppa.launchpad.net/'
26 'ubuntu-advantage/commoncriteria/ubuntu xenial main\n')
27 self.assertEqual(expected, self.cc_repo_list.read_text())
28 self.assertEqual(
29 self.apt_auth_file.read_text(),
30 'machine private-ppa.launchpad.net/ubuntu-advantage/'
31 'commoncriteria/ubuntu/'
32 ' login user password pass\n')
33 self.assertEqual(self.apt_auth_file.stat().st_mode, 0o100600)
34 keyring_file = self.trusted_gpg_dir / 'ubuntu-cc-keyring.gpg'
35 self.assertEqual('GPG key', keyring_file.read_text())
36 self.assertIn(
37 'Successfully prepared this machine to host'
38 ' the Common Criteria artifacts',
39 process.stdout)
40 # the apt-transport-https dependency is already installed
41 self.assertNotIn(
42 'Installing missing dependency apt-transport-https',
43 process.stdout)
44
45 def test_enable_cc_provisioning_auth_if_other_entries(self):
46 """Existing auth.conf entries are preserved."""
47 auth = 'machine example.com login user password pass\n'
48 self.apt_auth_file.write_text(auth)
49 process = self.script('enable-cc-provisioning', 'user:pass')
50 self.assertEqual(0, process.returncode)
51 self.assertIn(auth, self.apt_auth_file.read_text())
52
53 def test_enable_cc_provisioning_install_apt_transport_https(self):
54 """enable-cc-provisioning installs apt-transport-https if needed."""
55 self.apt_method_https.unlink()
56 process = self.script('enable-cc-provisioning', 'user:pass')
57 self.assertEqual(0, process.returncode)
58 self.assertIn(
59 'Installing missing dependency apt-transport-https',
60 process.stdout)
61
62 def test_enable_cc_provisioning_install_apt_transport_https_fails(self):
63 """Stderr is printed if apt-transport-https install fails."""
64 self.apt_method_https.unlink()
65 self.make_fake_binary('apt-get', command='echo failed >&2; false')
66 process = self.script('enable-cc-provisioning', 'user:pass')
67 self.assertEqual(1, process.returncode)
68 self.assertIn('failed', process.stderr)
69
70 def test_enable_cc_provisioning_install_ca_certificates(self):
71 """enable-fips installs ca-certificates if needed."""
72 self.ca_certificates.unlink()
73 process = self.script('enable-cc-provisioning', 'user:pass')
74 self.assertEqual(0, process.returncode)
75 self.assertIn(
76 'Installing missing dependency ca-certificates',
77 process.stdout)
78
79 def test_enable_cc_provisioning_install_ca_certificates_fails(self):
80 """Stderr is printed if ca-certificates install fails."""
81 self.ca_certificates.unlink()
82 self.make_fake_binary('apt-get', command='echo failed >&2; false')
83 process = self.script('enable-cc-provisioning', 'user:pass')
84 self.assertEqual(1, process.returncode)
85 self.assertIn('failed', process.stderr)
86
87 def test_enable_cc_provisioning_missing_token(self):
88 """The token must be specified when using enable-fips."""
89 process = self.script('enable-cc-provisioning')
90 self.assertEqual(3, process.returncode)
91 self.assertIn(
92 'Invalid token, it must be in the form "user:password"',
93 process.stderr)
94
95 def test_enable_cc_provisioning_invalid_token_format(self):
96 """The CC token must be specified as "user:password"."""
97 process = self.script('enable-cc-provisioning', 'foo-bar')
98 self.assertEqual(3, process.returncode)
99 self.assertIn(
100 'Invalid token, it must be in the form "user:password"',
101 process.stderr)
102
103 def test_enable_cc_provisioning_invalid_token(self):
104 """If token is invalid, an error is returned."""
105 message = (
106 'E: Failed to fetch https://esm.ubuntu.com/'
107 ' 401 Unauthorized [IP: 1.2.3.4]')
108 self.make_fake_binary(
109 'apt-helper', command='echo "{}"; exit 1'.format(message))
110 process = self.script('enable-cc-provisioning', 'user:pass')
111 self.assertEqual(3, process.returncode)
112 self.assertIn('Checking token... ERROR', process.stdout)
113 self.assertIn('Invalid token', process.stderr)
114
115 def test_enable_cc_provisioning_error_checking_token(self):
116 """If token check fails, an error is returned."""
117 message = (
118 'E: Failed to fetch https://esm.ubuntu.com/'
119 ' 404 Not Found [IP: 1.2.3.4]')
120 self.make_fake_binary(
121 'apt-helper', command='echo "{}"; exit 1'.format(message))
122 process = self.script('enable-cc-provisioning', 'user:pass')
123 self.assertEqual(3, process.returncode)
124 self.assertIn('Checking token... ERROR', process.stdout)
125 self.assertIn(
126 'Failed checking token (404 Not Found [IP: 1.2.3.4])',
127 process.stderr)
128
129 def test_enable_cc_provisioning_skip_token_check_no_helper(self):
130 """If apt-helper is not found, the token check is skipped."""
131 self.apt_helper.unlink()
132 process = self.script('enable-cc-provisioning', 'user:pass')
133 self.assertEqual(0, process.returncode)
134 self.assertIn('Checking token... SKIPPED', process.stdout)
135
136 def test_enable_cc_provisioning_only_supported_on_xenial(self):
137 """The enable-cc-provisioning option fails if not on Xenial."""
138 self.SERIES = 'zesty'
139 process = self.script('enable-cc-provisioning', 'user:pass')
140 self.assertEqual(4, process.returncode)
141 self.assertIn(
142 'Canonical Common Criteria EAL2 Provisioning is '
143 'not supported on zesty',
144 process.stderr)
145
146 def test_unsupported_on_i686(self):
147 """CC is unsupported on i686 arch."""
148 self.ARCH = 'i686'
149 process = self.script('enable-cc-provisioning', 'user:pass')
150 self.assertEqual(7, process.returncode)
151 self.assertIn(
152 'Sorry, but Canonical Common Criteria EAL2 Provisioning '
153 'is not supported on i686',
154 process.stderr)
155
156 def test_unsupported_on_arm64(self):
157 """CC is unsupported on arm64 arch."""
158 self.ARCH = 'arm64'
159 process = self.script('enable-cc-provisioning', 'user:pass')
160 self.assertEqual(7, process.returncode)
161 self.assertIn(
162 'Sorry, but Canonical Common Criteria EAL2 Provisioning '
163 'is not supported on arm64',
164 process.stderr)
165
166 def test_disable_cc_provisioning(self):
167 """The disable-cc-provisioning option disables commoncriteria repo."""
168 self.setup_cc(enabled=True)
169 other_auth = 'machine example.com login user password pass\n'
170 self.apt_auth_file.write_text(other_auth)
171 process = self.script('disable-cc-provisioning')
172 self.assertEqual(0, process.returncode)
173 self.assertFalse(self.cc_repo_list.exists())
174 # the keyring file is removed
175 keyring_file = self.trusted_gpg_dir / 'ubuntu-cc-keyring.gpg'
176 self.assertFalse(keyring_file.exists())
177 # credentials are removed
178 self.assertEqual(self.apt_auth_file.read_text(), other_auth)
179
180 def test_disable_cc_provisioning_fails_already_disabled(self):
181 """If commoncriteria repo is not enabled, disable fails."""
182 process = self.script('disable-cc-provisioning')
183 self.assertEqual(8, process.returncode)
184 self.assertIn(
185 'Canonical Common Criteria EAL2 Provisioning is not enabled\n',
186 process.stderr)
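Review bot: test_disable_cc_provisioning overwrites the auth file with other_auth (line 170) right after setup_cc(enabled=True), so the final assertEqual(self.apt_auth_file.read_text(), other_auth) passes even if disable never removes the credentials; write the Common Criteria entry together with other_auth before running the command so the removal is actually exercised. Two docstrings still say enable-fips (lines 71 and 88), and test_enable_cc_provisioning never asserts that an install of ubuntu-commoncriteria was requested.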
diff --git a/tests/test_cisaudit.py b/tests/test_cisaudit.py
0new file mode 100644187new file mode 100644
index 0000000..47b2784
--- /dev/null
+++ b/tests/test_cisaudit.py
@@ -0,0 +1,187 @@
1"""Tests for CISAudit-related commands."""
2
3from testing import UbuntuAdvantageTest
4
5
6class CISAUDITTest(UbuntuAdvantageTest):
7
8 SERIES = 'xenial'
9 ARCH = 'x86_64'
10
11 def setUp(self):
12 super().setUp()
13 self.setup_cisaudit()
14
15 def test_enable_cisaudit(self):
16 """The enable-cisaudit enables security benchmarks repository."""
17 process = self.script('enable-cisaudit', 'user:pass')
18 self.assertEqual(0, process.returncode)
19 self.assertIn(
20 'Ubuntu Security Benchmarks PPA repository enabled.',
21 process.stdout)
22 expected = (
23 'deb https://private-ppa.launchpad.net/ubuntu-advantage/'
24 'security-benchmarks/ubuntu xenial main\n'
25 '# deb-src https://private-ppa.launchpad.net/'
26 'ubuntu-advantage/security-benchmarks/ubuntu xenial main\n')
27 self.assertEqual(expected, self.cisaudit_repo_list.read_text())
28 self.assertEqual(
29 self.apt_auth_file.read_text(),
30 'machine private-ppa.launchpad.net/ubuntu-advantage/'
31 'security-benchmarks/ubuntu/'
32 ' login user password pass\n')
33 self.assertEqual(self.apt_auth_file.stat().st_mode, 0o100600)
34 cis_keyring = 'ubuntu-securitybenchmarks-keyring.gpg'
35 keyring_file = self.trusted_gpg_dir / cis_keyring
36 self.assertEqual('GPG key', keyring_file.read_text())
37 self.assertIn(
38 'Successfully installed the CIS audit tool.',
39 process.stdout)
40 # the apt-transport-https dependency is already installed
41 self.assertNotIn(
42 'Installing missing dependency apt-transport-https',
43 process.stdout)
44
45 def test_enable_cisaudit_auth_if_other_entries(self):
46 """Existing auth.conf entries are preserved."""
47 auth = 'machine example.com login user password pass\n'
48 self.apt_auth_file.write_text(auth)
49 process = self.script('enable-cisaudit', 'user:pass')
50 self.assertEqual(0, process.returncode)
51 self.assertIn(auth, self.apt_auth_file.read_text())
52
53 def test_enable_cisaudit_install_apt_transport_https(self):
54 """enable-cisaudit installs apt-transport-https if needed."""
55 self.apt_method_https.unlink()
56 process = self.script('enable-cisaudit', 'user:pass')
57 self.assertEqual(0, process.returncode)
58 self.assertIn(
59 'Installing missing dependency apt-transport-https',
60 process.stdout)
61
62 def test_enable_cisaudit_install_apt_transport_https_fails(self):
63 """Stderr is printed if apt-transport-https install fails."""
64 self.apt_method_https.unlink()
65 self.make_fake_binary('apt-get', command='echo failed >&2; false')
66 process = self.script('enable-cisaudit', 'user:pass')
67 self.assertEqual(1, process.returncode)
68 self.assertIn('failed', process.stderr)
69
70 def test_enable_cisaudit_install_ca_certificates(self):
71 """enable-cisaudit installs ca-certificates if needed."""
72 self.ca_certificates.unlink()
73 process = self.script('enable-cisaudit', 'user:pass')
74 self.assertEqual(0, process.returncode)
75 self.assertIn(
76 'Installing missing dependency ca-certificates',
77 process.stdout)
78
79 def test_enable_cisaudit_install_ca_certificates_fails(self):
80 """Stderr is printed if ca-certificates install fails."""
81 self.ca_certificates.unlink()
82 self.make_fake_binary('apt-get', command='echo failed >&2; false')
83 process = self.script('enable-cisaudit', 'user:pass')
84 self.assertEqual(1, process.returncode)
85 self.assertIn('failed', process.stderr)
86
87 def test_enable_cisaudit_missing_token(self):
88 """The token must be specified when using enable-cisaudit."""
89 process = self.script('enable-cisaudit')
90 self.assertEqual(3, process.returncode)
91 self.assertIn(
92 'Invalid token, it must be in the form "user:password"',
93 process.stderr)
94
95 def test_enable_cisaudit_invalid_token_format(self):
96 """The cisaudit token must be specified as "user:password"."""
97 process = self.script('enable-cisaudit', 'foo-bar')
98 self.assertEqual(3, process.returncode)
99 self.assertIn(
100 'Invalid token, it must be in the form "user:password"',
101 process.stderr)
102
103 def test_enable_cisaudit_invalid_token(self):
104 """If token is invalid, an error is returned."""
105 message = (
106 'E: Failed to fetch https://esm.ubuntu.com/'
107 ' 401 Unauthorized [IP: 1.2.3.4]')
108 self.make_fake_binary(
109 'apt-helper', command='echo "{}"; exit 1'.format(message))
110 process = self.script('enable-cisaudit', 'user:pass')
111 self.assertEqual(3, process.returncode)
112 self.assertIn('Checking token... ERROR', process.stdout)
113 self.assertIn('Invalid token', process.stderr)
114
115 def test_enable_cisaudit_error_checking_token(self):
116 """If token check fails, an error is returned."""
117 message = (
118 'E: Failed to fetch https://esm.ubuntu.com/'
119 ' 404 Not Found [IP: 1.2.3.4]')
120 self.make_fake_binary(
121 'apt-helper', command='echo "{}"; exit 1'.format(message))
122 process = self.script('enable-cisaudit', 'user:pass')
123 self.assertEqual(3, process.returncode)
124 self.assertIn('Checking token... ERROR', process.stdout)
125 self.assertIn(
126 'Failed checking token (404 Not Found [IP: 1.2.3.4])',
127 process.stderr)
128
129 def test_enable_cisaudit_skip_token_check_no_helper(self):
130 """If apt-helper is not found, the token check is skipped."""
131 self.apt_helper.unlink()
132 process = self.script('enable-cisaudit', 'user:pass')
133 self.assertEqual(0, process.returncode)
134 self.assertIn('Checking token... SKIPPED', process.stdout)
135
136 def test_enable_cisaudit_only_supported_on_xenial(self):
137 """The enable-cisaudit option fails if not on Xenial."""
138 self.SERIES = 'zesty'
139 process = self.script('enable-cisaudit', 'user:pass')
140 self.assertEqual(4, process.returncode)
141 self.assertIn(
142 'Sorry, but Canonical CIS Benchmark 16.04 '
143 'Audit Tool is not supported on zesty\n',
144 process.stderr)
145
146 def test_unsupported_on_i686(self):
147 """CISAudit is unsupported on i686 arch."""
148 self.ARCH = 'i686'
149 process = self.script('enable-cisaudit', 'user:pass')
150 self.assertEqual(7, process.returncode)
151 self.assertIn(
152 'Sorry, but Canonical CIS Benchmark 16.04 Audit Tool '
153 'is not supported on i686',
154 process.stderr)
155
156 def test_unsupported_on_arm64(self):
157 """CISAudit is unsupported on arm64 arch."""
158 self.ARCH = 'arm64'
159 process = self.script('enable-cisaudit', 'user:pass')
160 self.assertEqual(7, process.returncode)
161 self.assertIn(
162 'Sorry, but Canonical CIS Benchmark 16.04 Audit Tool '
163 'is not supported on arm64',
164 process.stderr)
165
166 def test_disable_cisaudit(self):
167 """The disable-cisaudit option disables security-benchmarks repo."""
168 self.setup_cisaudit(enabled=True)
169 other_auth = 'machine example.com login user password pass\n'
170 self.apt_auth_file.write_text(other_auth)
171 process = self.script('disable-cisaudit')
172 self.assertEqual(0, process.returncode)
173 self.assertFalse(self.cisaudit_repo_list.exists())
174 # the keyring file is removed
175 cis_keyring = 'ubuntu-securitybenchmarks-keyring.gpg'
176 keyring_file = self.trusted_gpg_dir / cis_keyring
177 self.assertFalse(keyring_file.exists())
178 # credentials are removed
179 self.assertEqual(self.apt_auth_file.read_text(), other_auth)
180
181 def test_disable_cisaudit_fails_already_disabled(self):
182 """If security-benchmarks repo is not enabled, disable fails."""
183 process = self.script('disable-cisaudit')
184 self.assertEqual(8, process.returncode)
185 self.assertIn(
186 'Canonical CIS Benchmark 16.04 Audit Tool is not enabled\n',
187 process.stderr)
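Review bot: The keyring assertion in test_enable_cisaudit (line 36) compares against the placeholder content 'GPG key', so it cannot be checking the shipped file, and the suite stays green although keyrings/ubuntu-securitybenchmarks-keyring.gpg in this diff is empty (index 0000000..e69de29); add a build-time check that every file under keyrings/ is non-empty. test_disable_cisaudit has the same overwrite of apt_auth_file before the "credentials are removed" assertion as the CC test, and the unsupported-series message is asserted with the "Sorry, but" prefix here but without it in tests/test_cc.py.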
diff --git a/tests/test_livepatch_motd.py b/tests/test_livepatch_motd.py
index c8beeda..a934f4c 100644
--- a/tests/test_livepatch_motd.py
+++ b/tests/test_livepatch_motd.py
@@ -9,6 +9,7 @@ from fakes import (
9 STATUS_CACHE_LIVEPATCH_ENABLED_NO_CONTENT,9 STATUS_CACHE_LIVEPATCH_ENABLED_NO_CONTENT,
10 STATUS_CACHE_LIVEPATCH_DISABLED_AVAILABLE,10 STATUS_CACHE_LIVEPATCH_DISABLED_AVAILABLE,
11 STATUS_CACHE_LIVEPATCH_DISABLED_UNAVAILABLE,11 STATUS_CACHE_LIVEPATCH_DISABLED_UNAVAILABLE,
12 STATUS_CACHE_LIVEPATCH_DISABLED_UNSUPPORTED,
12 STATUS_CACHE_MIXED_CONTENT)13 STATUS_CACHE_MIXED_CONTENT)
13from random import randrange14from random import randrange
1415
@@ -98,6 +99,19 @@ class LivepatchMOTDTest(UbuntuAdvantageTest):
98 self.assertEqual(0, process.returncode)99 self.assertEqual(0, process.returncode)
99 self.assertEqual('', process.stdout)100 self.assertEqual('', process.stdout)
100101
102 def test_disabled_unsupported(self):
103 """Livepatch is disabled and unsupported."""
104 self.KERNEL_VERSION = '4.15.0-1010-kvm'
105 self.ua_status_cache.write_text(
106 STATUS_CACHE_LIVEPATCH_DISABLED_UNSUPPORTED)
107 process = self.script()
108 self.assertEqual(0, process.returncode)
109 self.assertIn('Canonical Livepatch is installed but disabled',
110 process.stdout)
111 self.assertIn('Kernel {} is not supported (https://bit.ly/'
112 'livepatch-faq)'.format(self.KERNEL_VERSION),
113 process.stdout)
114
101 def test_other_state_fields_ignored(self):115 def test_other_state_fields_ignored(self):
102 """The MOTD script ignores *State fields not from livepatch."""116 """The MOTD script ignores *State fields not from livepatch."""
103 self.ua_status_cache.write_text(STATUS_CACHE_MIXED_CONTENT)117 self.ua_status_cache.write_text(STATUS_CACHE_MIXED_CONTENT)
diff --git a/tests/test_script.py b/tests/test_script.py
index 4e7da93..ec4be19 100644
--- a/tests/test_script.py
+++ b/tests/test_script.py
@@ -1,6 +1,7 @@
1"""Tests for the ubuntu-advantage script."""1"""Tests for the ubuntu-advantage script."""
22
3from testing import UbuntuAdvantageTest3from testing import UbuntuAdvantageTest
4from fakes import LIVEPATCH_UNSUPPORTED_KERNEL
45
56
6class UbuntuAdvantageScriptTest(UbuntuAdvantageTest):7class UbuntuAdvantageScriptTest(UbuntuAdvantageTest):
@@ -54,6 +55,14 @@ class UbuntuAdvantageScriptTest(UbuntuAdvantageTest):
54 self.assertIn("livepatch: disabled (not available)", process.stdout)55 self.assertIn("livepatch: disabled (not available)", process.stdout)
55 self.assertIn("esm: enabled", process.stdout)56 self.assertIn("esm: enabled", process.stdout)
5657
58 def test_livepatch_status_no_empty_line(self):
59 """The status output has no empty lines when livepatch is enabled."""
60 self.setup_livepatch(installed=True, enabled=True)
61 process = self.script('status', 'livepatch')
62 lines = process.stdout.split('\n')[:-1]
63 for line in lines:
64 self.assertNotEqual('', line.strip())
65
57 def test_status_xenial(self):66 def test_status_xenial(self):
58 """The status command shows only livepatch available on xenial."""67 """The status command shows only livepatch available on xenial."""
59 self.SERIES = 'xenial'68 self.SERIES = 'xenial'
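Review bot: test_livepatch_status_no_empty_line passes vacuously when the status command prints nothing, because the loop over process.stdout.split('\n')[:-1] then has no iterations. Assert that process.returncode is 0 and that lines is non-empty (for example, that one line starts with 'livepatch:') before checking each line for blanks.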
@@ -91,6 +100,17 @@ class UbuntuAdvantageScriptTest(UbuntuAdvantageTest):
91 process = self.script('status', 'unknown')100 process = self.script('status', 'unknown')
92 self.assertEqual(process.returncode, 1)101 self.assertEqual(process.returncode, 1)
93102
103 def test_status_livepatch_unsupported_kernel(self):
104 """Livepatch is unavailable on an unsupported kernel."""
105 self.SERIES = 'xenial'
106 self.ARCH = 'x86_64'
107 self.setup_livepatch(
108 installed=True, enabled=False,
109 livepatch_command=LIVEPATCH_UNSUPPORTED_KERNEL)
110 process = self.script('status')
111 self.assertIn('livepatch: disabled (unsupported kernel)',
112 process.stdout)
113
94 def test_version(self):114 def test_version(self):
95 """The version command shows the package version."""115 """The version command shows the package version."""
96 self.make_fake_binary('dpkg-query', command='echo 123')116 self.make_fake_binary('dpkg-query', command='echo 123')
diff --git a/tests/testing.py b/tests/testing.py
index c684f48..17fc080 100644
--- a/tests/testing.py
+++ b/tests/testing.py
@@ -57,6 +57,8 @@ class UbuntuAdvantageTest(TestWithFixtures):
57 self.fips_repo_list = Path(self.tempdir.join('fips-repo.list'))57 self.fips_repo_list = Path(self.tempdir.join('fips-repo.list'))
58 self.fips_updates_repo_list = Path(58 self.fips_updates_repo_list = Path(
59 self.tempdir.join('fips-updates-repo.list'))59 self.tempdir.join('fips-updates-repo.list'))
60 self.cc_repo_list = Path(self.tempdir.join('cc-repo.list'))
61 self.cisaudit_repo_list = Path(self.tempdir.join('cisaudit-repo.list'))
60 self.fips_repo_preferences = Path(62 self.fips_repo_preferences = Path(
61 self.tempdir.join('preferences-fips'))63 self.tempdir.join('preferences-fips'))
62 self.fips_updates_repo_preferences = Path(64 self.fips_updates_repo_preferences = Path(
@@ -82,6 +84,9 @@ class UbuntuAdvantageTest(TestWithFixtures):
82 (self.keyrings_dir / 'ubuntu-fips-keyring.gpg').write_text('GPG key')84 (self.keyrings_dir / 'ubuntu-fips-keyring.gpg').write_text('GPG key')
83 (self.keyrings_dir / 'ubuntu-fips-updates-keyring.gpg').write_text(85 (self.keyrings_dir / 'ubuntu-fips-updates-keyring.gpg').write_text(
84 'GPG key')86 'GPG key')
87 (self.keyrings_dir / 'ubuntu-cc-keyring.gpg').write_text('GPG key')
88 (self.keyrings_dir /
89 'ubuntu-securitybenchmarks-keyring.gpg').write_text('GPG key')
85 self.cpuinfo.write_text('flags\t\t: fpu apic')90 self.cpuinfo.write_text('flags\t\t: fpu apic')
86 self.make_fake_binary('apt-get')91 self.make_fake_binary('apt-get')
87 self.make_fake_binary('apt-helper')92 self.make_fake_binary('apt-helper')
@@ -117,12 +122,14 @@ class UbuntuAdvantageTest(TestWithFixtures):
117 'ESM_REPO_LIST': str(self.esm_repo_list),122 'ESM_REPO_LIST': str(self.esm_repo_list),
118 'FIPS_REPO_LIST': str(self.fips_repo_list),123 'FIPS_REPO_LIST': str(self.fips_repo_list),
119 'FIPS_UPDATES_REPO_LIST': str(self.fips_updates_repo_list),124 'FIPS_UPDATES_REPO_LIST': str(self.fips_updates_repo_list),
125 'CC_PROVISIONING_REPO_LIST': str(self.cc_repo_list),
126 'CISAUDIT_REPO_LIST': str(self.cisaudit_repo_list),
120 'FIPS_BOOT_CFG': str(self.boot_cfg),127 'FIPS_BOOT_CFG': str(self.boot_cfg),
121 'FIPS_BOOT_CFG_DIR': str(self.etc_dir),128 'FIPS_BOOT_CFG_DIR': str(self.etc_dir),
122 'FIPS_ENABLED_FILE': str(self.fips_enabled_file),129 'FIPS_ENABLED_FILE': str(self.fips_enabled_file),
123 'FIPS_REPO_PREFERENCES': str(self.fips_repo_preferences),130 'FIPS_REPO_PREFERENCES': str(self.fips_repo_preferences),
124 'FIPS_UPDATES_REPO_PREFERENCES': str(131 'FIPS_UPDATES_REPO_PREFERENCES': str(
125 self.fips_updates_repo_preferences),132 self.fips_updates_repo_preferences),
126 'KEYRINGS_DIR': str(self.keyrings_dir),133 'KEYRINGS_DIR': str(self.keyrings_dir),
127 'APT_HELPER': str(self.apt_helper),134 'APT_HELPER': str(self.apt_helper),
128 'APT_AUTH_FILE': str(self.apt_auth_file),135 'APT_AUTH_FILE': str(self.apt_auth_file),
@@ -174,3 +181,21 @@ class UbuntuAdvantageTest(TestWithFixtures):
174 return181 return
175 self.make_fake_binary('dpkg-query')182 self.make_fake_binary('dpkg-query')
176 self.fips_enabled_file.write_text('1' if enabled else '0')183 self.fips_enabled_file.write_text('1' if enabled else '0')
184
185 def setup_cc(self, enabled=False):
186 """Setup the CC repository."""
187 if enabled is True:
188 self.make_fake_binary(
189 'dpkg-query', command='[ $2 = ubuntu-commoncriteria ]')
190 else:
191 self.make_fake_binary(
192 'dpkg-query', command='[ $2 != ubuntu-commoncriteria ]')
193
194 def setup_cisaudit(self, enabled=False):
195 """Setup the CISAudit repository."""
196 if enabled is True:
197 self.make_fake_binary(
198 'dpkg-query', command='[ $2 = ubuntu-cisbenchmark-16.04 ]')
199 else:
200 self.make_fake_binary(
201 'dpkg-query', command='[ $2 != ubuntu-cisbenchmark-16.04 ]')
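Review bot: The fake dpkg-query commands in setup_cc and setup_cisaudit test an unquoted $2, as in '[ $2 = ubuntu-commoncriteria ]'. If the script calls dpkg-query with fewer than two arguments, the expression is malformed and the fake exits non-zero because of a syntax error rather than a package mismatch, which can hide a wrong invocation. Quote it as "$2". The two methods also differ only in the package name, so a single helper that takes the package name would remove the duplication, and `if enabled is True:` can be `if enabled:`.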
diff --git a/ubuntu-advantage b/ubuntu-advantage
index 1ad03a5..19293f2 100755
--- a/ubuntu-advantage
+++ b/ubuntu-advantage
@@ -4,7 +4,7 @@
4SCRIPTNAME=$(basename "$0")4SCRIPTNAME=$(basename "$0")
55
6# Services managed by the script (in alphabetical order)6# Services managed by the script (in alphabetical order)
7SERVICES="esm fips livepatch"7SERVICES="cc-provisioning esm fips livepatch cisaudit"
88
9# system details9# system details
10SERIES=${SERIES:-$(lsb_release -cs)}10SERIES=${SERIES:-$(lsb_release -cs)}
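Review bot: The new SERVICES value no longer matches the comment directly above it, "(in alphabetical order)", because cisaudit is appended after livepatch. print_status iterates this list, so the order also decides the order of the status output. Either move cisaudit between cc-provisioning and esm or update the comment.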
@@ -41,13 +41,13 @@ print_status() {
41 local service="$1"41 local service="$1"
4242
43 local services="$SERVICES"43 local services="$SERVICES"
44 if [ "$service" ]; then44 if [ -n "$service" ]; then
45 name_in_list "$service" "$SERVICES" || error_exit invalid_command45 name_in_list "${service//_/-}" "$SERVICES" || error_exit invalid_command
46 services="$service"46 services="$service"
47 fi47 fi
4848
49 for service in $services; do49 for service in $services; do
50 service_print_status "$service"50 service_print_status "${service//-/_}"
51 done51 done
52}52}
5353
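Review bot: print_status now converts the service name twice in opposite directions, "${service//_/-}" for the name_in_list check and "${service//-/_}" for service_print_status, and main() performs a third conversion later in this patch. Put the mapping in one small helper so that validation and dispatch cannot drift apart, and document that `status` accepts both the hyphen and the underscore spelling as a side effect. The ${var//a/b} substitution is a bash extension, so confirm that the script's interpreter line is bash rather than sh.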
@@ -63,6 +63,8 @@ Currently available are:
63- Canonical FIPS 140-2 Certified Modules63- Canonical FIPS 140-2 Certified Modules
64- Canonical FIPS 140-2 Non-Certified Module Updates64- Canonical FIPS 140-2 Non-Certified Module Updates
65- Canonical Livepatch Service (https://www.ubuntu.com/server/livepatch)65- Canonical Livepatch Service (https://www.ubuntu.com/server/livepatch)
66- Canonical Common Criteria EAL2 certification artifacts provisioning
67- Canonical CIS Ubuntu Benchmark Audit tool
6668
67Commands:69Commands:
68 version show the tool version70 version show the tool version
@@ -70,16 +72,26 @@ Commands:
70 offerings (or of a specific one if provided)72 offerings (or of a specific one if provided)
71 enable-esm <TOKEN> enable the ESM repository73 enable-esm <TOKEN> enable the ESM repository
72 disable-esm disable the ESM repository74 disable-esm disable the ESM repository
73 enable-fips <TOKEN> enable the FIPS PPA repository and install,75 enable-fips <TOKEN> enable the FIPS repository and install,
74 configure and enable FIPS certified modules76 configure and enable FIPS certified modules
75 disable-fips currently not supported77 disable-fips currently not supported
76 enable-fips-updates <TOKEN> [-y] enable non-certified FIPS-UPDATES PPA78 enable-fips-updates <TOKEN> [-y] enable non-certified FIPS-UPDATES
77 repository and install updates. With an79 repository and install updates. With an
78 optional "-y" the user prompt will be80 optional "-y" the user prompt will be
79 bypassed.81 bypassed.
80 enable-livepatch <TOKEN> enable the Livepatch service82 enable-livepatch <TOKEN> enable the Livepatch service
81 disable-livepatch [-r] disable the Livepatch service. With "-r", the83 disable-livepatch [-r] disable the Livepatch service. With "-r", the
82 canonical-livepatch snap will also be removed84 canonical-livepatch snap will also be removed
85 enable-cc-provisioning <TOKEN> enable the commoncriteria repository and
86 install the ubuntu-commoncriteria DEB package
87 disable-cc-provisioning disable the commoncriteria repository and
88 remove the ubuntu-commoncriteria DEB package
89 enable-cisaudit <TOKEN> enable the security benchmarks repository
90 and install the ubuntu-cisbenchmark-16.04 DEB
91 package.
92 disable-cisaudit disable the security benchmarks repository
93 and uninstall the ubuntu-cisbenchmark-16.04 DEB
94 package.
83EOF95EOF
84 error_exit invalid_command96 error_exit invalid_command
85}97}
@@ -91,11 +103,15 @@ main() {
91 local service103 local service
92 service=$(service_from_command "$command")104 service=$(service_from_command "$command")
93 # if the command contains a service name, check that it's valid105 # if the command contains a service name, check that it's valid
94 if [ "$service" ] && ! name_in_list "$service" "$SERVICES" \106 if [ -n "$service" ] && ! name_in_list "$service" "$SERVICES" \
95 && [ "$service" != "fips-updates" ]; then107 && [ "$service" != "fips-updates" ]; then
96 error_msg "Invalid command: \"$command\""108 error_msg "Invalid command: \"$command\""
97 usage109 usage
98 fi110 fi
111 # replace -(hyphen) in service commands with _(underscore) (eg: cc-provisioning) to
112 # use in generic service function invocations. Adding it here so the name_in_list
113 # function call above uses the original command.
114 service=${service//-/_}
99115
100 case "$command" in116 case "$command" in
101 status)117 status)
diff --git a/ubuntu-advantage.1 b/ubuntu-advantage.1
index e86b85d..e53a774 100644
--- a/ubuntu-advantage.1
+++ b/ubuntu-advantage.1
@@ -86,8 +86,42 @@ https://ubuntu.com/livepatch
86.B86.B
87disable-livepatch \fR[\fB\-r\fR]87disable-livepatch \fR[\fB\-r\fR]
88Disable the Livepatch service. If the \fB\-r\fR option is given, the88Disable the Livepatch service. If the \fB\-r\fR option is given, the
89canonical-livepatch snap will be removed after the sevice is disabled.89canonical-livepatch snap will be removed after the service is disabled.
9090
91.SH CC (Canonical Common Critieria EAL2 Provisioning)
92Enable Common Criteria PPA and install Common Criteria EAL2 artifacts
93.TP
94.B
95enable-cc-provisioning \fItoken\fR
96Enables the Commoncriteria PPA repository, installs the ubuntu-commoncriteria
97package which has the common criteria artifacts. The artifacts include a
98configure script, a tarball with additional packages and post install scripts.
99The artifacts will be installed in /usr/lib/common-criteria directory. The
100evaluated configuration guide and README instructions on how to set up a
101system to be Common Criteria compliant are available in
102/usr/share/doc/ubuntu-commoncriteria directory.
103.TP
104.B
105disable-cc-provisioning
106Disables the commoncriteria PPA repository and removes the ubuntu-commoncriteria
107DEB package.
108.SH CIS (Canonical CIS Audit tooling)
109Enable CIS Auditing PPA and install CIS audit tool package
110.TP
111.B
112enable-cisaudit \fItoken\fR
113Enables the Security Benchmarks PPA, installs the ubuntu-cisbenchmark-16.04
114package which has the CIS Audit tooling files. They include the xccdf and xml
115files and scripts to check compliance against the CIS 16.04 benchmark. The
116files will be installed in
117/usr/share/ubuntu-securityguides/ubuntu-cisbenchmark-16.04.
118The documentation for the tool is available in
119/usr/share/doc/ubuntu-cisbenchmark-16.04.
120.TP
121.B
122disable-cisaudit
123Disables the security benchmarks PPA repository and removes the
124ubuntu-cisbenchmark-16.04 DEB package installed on the machine.
91.SH EXIT STATUS125.SH EXIT STATUS
92.TP126.TP
93.B127.B
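Review bot: The new section heading misspells "Criteria" as "Critieria" in ".SH CC (Canonical Common Critieria EAL2 Provisioning)". The added text also calls the repositories "PPA" throughout (Common Criteria PPA, Commoncriteria PPA repository, Security Benchmarks PPA), while the usage text in ubuntu-advantage drops "PPA" from the FIPS entries in this same change and describes the new services as repositories. Use one term in both places.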
diff --git a/update-motd.d/80-livepatch b/update-motd.d/80-livepatch
index de59bf1..ee09a73 100755
--- a/update-motd.d/80-livepatch
+++ b/update-motd.d/80-livepatch
@@ -2,6 +2,7 @@
22
3UA=${UA:-"/usr/bin/ubuntu-advantage"}3UA=${UA:-"/usr/bin/ubuntu-advantage"}
4UA_STATUS_CACHE=${UA_STATUS_CACHE:-"/var/cache/ubuntu-advantage-tools/ubuntu-advantage-status.cache"}4UA_STATUS_CACHE=${UA_STATUS_CACHE:-"/var/cache/ubuntu-advantage-tools/ubuntu-advantage-status.cache"}
5KERNEL_VERSION=${KERNEL_VERSION:-"$(uname -r)"}
56
6[ -x "$UA" ] || exit 07[ -x "$UA" ] || exit 0
78
@@ -73,6 +74,11 @@ case "$livepatch_status" in
73 "disabled (not available)")74 "disabled (not available)")
74 # do nothing75 # do nothing
75 ;;76 ;;
77 "disabled (unsupported kernel)")
78 echo
79 echo " * Canonical Livepatch is installed but disabled"
80 echo " - Kernel ${KERNEL_VERSION} is not supported (https://bit.ly/livepatch-faq)"
81 ;;
76 "enabled")82 "enabled")
77 echo83 echo
78 echo " * Canonical Livepatch is enabled."84 echo " * Canonical Livepatch is enabled."
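Review bot: The new "disabled (unsupported kernel)" branch prints a bit.ly short link in the login banner, which hides the destination from the person reading it and makes the message depend on a third-party redirector. Print the full FAQ URL on a Canonical-controlled domain instead, in the same way the usage text gives https://www.ubuntu.com/server/livepatch in full, and update the assertion in tests/test_livepatch_motd.py to match.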
