forked from canonical/ubuntu-pro-client
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathubuntu-advantage.1
170 lines (162 loc) · 5.18 KB
/
ubuntu-advantage.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
.TH UBUNTU-ADVANTAGE 1 "28 April 2017" "" ""
.SH NAME
ubuntu-advantage \- Enable or disable Ubuntu Advantage offerings from
Canonical.
.SH SYNOPSIS
.B ubuntu-advantage
<command> [parameters]
.TP
.B ua
<command> [parameters]
.SH DESCRIPTION
This tool is used to enable or disable specific Ubuntu Advantage offerings
from Canonical. The available modules and their commands are described below.
It must be run with root privileges.
.TP
.B
status
Show the status of Ubuntu Advantage offerings.
.TP
.B
version
Show version.
.SH ESM (Extended Security Maintenance)
Ubuntu Extended Security Maintenance archive. See https://ubuntu.com/esm for
more information.
.TP
.B
enable-esm \fItoken\fR
Enable the ESM repository. The \fItoken\fR argument must be in the form
"user:password".
.TP
.B
disable-esm
Disable the ESM repository.
.SH FIPS (Canonical FIPS 140-2 certified modules)
Install, Configure, and Enable FIPS 140-2 certified modules.
.TP
.B
enable-fips \fItoken\fR
Enable the FIPS PPA repository, install the FIPS modules, configure
the bootloader and enable fips on the system. After successfully executing the
ubuntu-advantage script to enable fips, the system MUST be rebooted to
complete the enablement process. Failing to reboot will result in the system
not being fips enabled.
The \fItoken\fR argument must be in the form "user:password".
The following FIPS certified modules will be installed and put in fips mode;
openssh-server, openssh-client, strongswan, openssl, and the kernel
cryptoapi.
.TP
.B
disable-fips
It's currently not possible to disable FIPS after it has been enabled.
.TP
.B
enable-fips-updates \fItoken\fR [\fB\-y\fR]
Updating the FIPS modules will take the system out of FIPS compliance as the
updated modules are not FIPS certified. The option enables the FIPS-UPDATES
PPA repository and installs the updated FIPS modules. If the system is
installing FIPS modules for the first time, it configures FIPS on the
system. After successfully executing the ubuntu-advantage script to
update FIPS modules, the system MUST be rebooted if FIPS kernel was
upgraded in the upgrade process. Failing to reboot will result
in the system not running the updated FIPS kernel.
The \fItoken\fR argument must be in the form "user:password".
The \fB\-y\fR argument is optional to bypass the user prompt while
installing updates.
The following FIPS modules will be updated and put in FIPS mode -
openssh-server, openssh-client, strongswan, openssl, and the kernel
cryptoapi.
.SH Livepatch (Canonical Livepatch Service)
Managed live kernel patching. For more information, visit
https://www.ubuntu.com/server/livepatch
.TP
.B
enable-livepatch \fItoken\fR [\fB\-\-allow\-kernel\-change\fR]
Enable the Livepatch service. The \fItoken\fR can be obtained by visiting
https://ubuntu.com/livepatch. If a Livepatch incompatible kernel is running,
the installation will fail unless \fB\-\-allow\-kernel\-change\fR is given.
With this option, a Livepatch compatible kernel will be selected and installed
if needed.
.TP
.B
disable-livepatch \fR[\fB\-r\fR]
Disable the Livepatch service. If the \fB\-r\fR option is given, the
canonical-livepatch snap will be removed after the service is disabled.
.SH CC (Canonical Common Critieria EAL2 Provisioning)
Enable Common Criteria PPA and install Common Criteria EAL2 artifacts
.TP
.B
enable-cc-provisioning \fItoken\fR
Enables the Commoncriteria PPA repository, installs the ubuntu-commoncriteria
package which has the common criteria artifacts. The artifacts include a
configure script, a tarball with additional packages and post install scripts.
The artifacts will be installed in /usr/lib/common-criteria directory. The
evaluated configuration guide and README instructions on how to set up a
system to be Common Criteria compliant are available in
/usr/share/doc/ubuntu-commoncriteria directory.
.TP
.B
disable-cc-provisioning
Disables the commoncriteria PPA repository and removes the ubuntu-commoncriteria
DEB package.
.SH CIS (Canonical CIS Audit tooling)
Enable CIS Auditing PPA and install CIS audit tool package
.TP
.B
enable-cisaudit \fItoken\fR
Enables the Security Benchmarks PPA, installs the ubuntu-cisbenchmark-16.04
package which has the CIS Audit tooling files. They include the xccdf and xml
files and scripts to check compliance against the CIS 16.04 benchmark. The
files will be installed in
/usr/share/ubuntu-securityguides/ubuntu-cisbenchmark-16.04.
The documentation for the tool is available in
/usr/share/doc/ubuntu-cisbenchmark-16.04.
.TP
.B
disable-cisaudit
Disables the security benchmarks PPA repository and removes the
ubuntu-cisbenchmark-16.04 DEB package installed on the machine.
.SH EXIT STATUS
.TP
.B
0
Command succeded
.TP
.B
1
Invalid command or option
.TP
.B
2
Current user is not root
.TP
.B
3
Invalid or missing token when enabling a service
.TP
.B
4
The requested service is not supported on the current Ubuntu release
.TP
.B
5
Current kernel is too old to support Snaps (required for the Livepatch service)
.TP
.B
6
The requested service is already enabled
.TP
.B
7
The requested service is not supported on the current architecture
.TP
.B
8
The requested service is already disabled
.TP
.B
9
The running kernel does not support Livepatch
.TP
If apt commands run by the tool fail, the exit status from apt is returned.