Ubuntu Pro Client

Note: The Ubuntu Advantage client or UA client has been renamed to the Ubuntu Pro client in line with the rebranding of Ubuntu Advantage to Ubuntu Pro. Specific commands have also been updated to refer to Ubuntu Pro rather than Ubuntu Advantage.

Accessing Pro Services

New to Ubuntu Pro? Do you want to make sure you are getting the most out of it?

This guide will help you to understand what is included in Ubuntu Pro and how to activate additional features.

What is the Ubuntu Pro client?

The Ubuntu Pro client tool is designed to help automate the enablement of Ubuntu Pro services. The Ubuntu Pro client is available for all Ubuntu LTS releases, but the specific services that are available will depend on the LTS release you are running. The client is pre-installed on most Ubuntu LTS releases and all Pro images in the major public clouds.

In this document we will cover the fundamentals of how to use the Pro client and show you how to use the pro enable command for activating the Ubuntu Pro services such as Expanded Security Maintenance (ESM), Kernel Livepatch, the CIS Benchmark tool, Common Criteria, and FIPS 140-2 certified crypto modules.

See https://ubuntu.com/pro for more details on the various Ubuntu Pro services.

What you’ll learn

You’ll learn how to get started with accessing the Ubuntu Pro services.

For Public Cloud Ubuntu Pro instances, the Ubuntu Pro client is preconfigured and many Ubuntu Pro services will be auto-enabled by default. You will learn how to use the Ubuntu Pro client to manage the Ubuntu Pro services.

What you’ll need

  • An Ubuntu Pro free token, monthly trial token or paid subscription token
  • A device with an installed and configured Ubuntu Desktop, Ubuntu Server or Ubuntu Pro image

Step 1: Installing the Ubuntu Pro client

We first need to make sure that we have the latest version of the Ubuntu Pro client running:

$ sudo apt update
$ sudo apt install ubuntu-advantage-tools

To ensure that you are running the latest version of the Ubuntu Pro client, run:

$ pro version

You should have a version greater than or equal to 27.11.2. This version is currently being phased in across all Ubuntu releases.

If you get “Command ‘pro’ not found” then you haven’t gotten the update yet. You can skip the phasing and get it early by running:

$ sudo apt install ubuntu-advantage-tools=27.11.2~$(lsb_release -rs).1

Step 2: Attaching your Token to an Ubuntu machine

Once you have checked that you are running the latest version of the Pro client, you need to attach the Ubuntu Pro token to your Ubuntu machine to gain access to the Ubuntu Pro services.

First we need to retrieve our Ubuntu Pro Token from our Ubuntu Pro Dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to create your free token, monthly trial token or paid subscription token.

The Ubuntu One account functions as a single-sign-on, so once logged in we can go straight to the Ubuntu Pro dashboard at http://ubuntu.com/pro. Then click on the ‘Machines’ column in the Subscriptions table to reveal your token.

Now we’re ready to attach our Ubuntu Pro token to the Ubuntu Pro client:

$ sudo pro attach <your_pro_token>

Updating package lists
Enabling default service esm-infra
Updating package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Installing canonical-livepatch snap
Canonical livepatch enabled.
This machine is now attached to 'your contract here'

SERVICE    ENTITLED  STATUS   DESCRIPTION
esm-infra  yes       enabled  Expanded Security Maintenance for Infrastructure
livepatch  yes       enabled  Canonical Livepatch service

Please note that Expanded Security Maintenance and Livepatch will auto-enable once your token has been attached to your machine.

After attaching your Token to a machine you can use the Ubuntu Pro client to activate most of the Ubuntu Pro services, including FIPS, USG for CIS or DISA STIG, and Common Criteria EAL2.

Step 3: Activating Ubuntu Pro Services

Expanded Security Maintenance (ESM)

LTS or ‘Long Term Support’ releases of Ubuntu are published every two years in April.

Canonical is committed to ten years of support for each Ubuntu LTS release. The Ubuntu lifecycle consists of an initial five-year maintenance period, during which maintenance updates are publicly available without an Ubuntu Pro subscription, and five years of Expanded Security Maintenance (ESM). For Ubuntu Pro customers, ESM provides fixes for high and critical CVEs for the most commonly used server packages in the Ubuntu Main and Universe repositories.

ESM is automatically enabled during the pro attach command. For Public Cloud Ubuntu Pro customers, ESM-infra is pre-enabled on all Ubuntu Pro instances. If ESM-infra is not enabled, you can enable it with the following command:

$ sudo pro enable esm-infra

Your system may have indicated that it was up to date before enabling ESM. However, with the ESM repository enabled, you will likely see some number of new package updates available.

If you have cron jobs set to regularly install updates, or other unattended upgrade methods configured, be aware that after enabling ESM this will likely result in a number of packages getting updated from the ESM repository.

After enabling ESM, the cached list of available packages needs to be updated. To do this, run the following command:

$ sudo apt update

After running that command you should get a message saying that a number of packages have updates available. You can see what versions are available with the following:

$ sudo apt list --upgradable

Running apt upgrade will then allow you to install those available updates.

$ sudo apt upgrade
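Before cron jobs or unattended upgrades pick up the new repository, it helps to see exactly which pending updates come from ESM. The following is an added example, not part of the original guide or Canonical's tooling: it filters `apt list --upgradable` output for ESM pockets, assuming suite names of the form `<release>-infra-security`, `-infra-updates`, `-apps-security` and `-apps-updates`. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list pending upgrades that would be pulled from ESM pockets.
# Assumption: ESM suites are named <release>-(infra|apps)-(security|updates).

# esm_upgrades
# Reads `apt list --upgradable` text on stdin and prints, for each package
# offered from an ESM suite: "<pkg> <installed> -> <candidate> (<suites>)".
esm_upgrades() {
    awk '
        /\[upgradable from: / {
            split($1, head, "/")            # head[1]=package, head[2]=suite list
            if (head[2] !~ /-(infra|apps)-(security|updates)/) next
            old = $NF                       # last field is "<installed-version>]"
            sub(/\]$/, "", old)
            printf "%s %s -> %s (%s)\n", head[1], old, $2, head[2]
        }'
}

# Constructed sample input (versions are illustrative, not real advisories).
sample_upgradable() {
    cat <<'EOF'
Listing... Done
openssl/xenial-infra-security 1.0.2g-1ubuntu4.20+esm5 amd64 [upgradable from: 1.0.2g-1ubuntu4.20]
curl/xenial-infra-security,xenial-infra-updates 7.47.0-1ubuntu2.19+esm3 amd64 [upgradable from: 7.47.0-1ubuntu2.19]
tzdata/xenial-updates 2021a-0ubuntu0.16.04 all [upgradable from: 2020d-0ubuntu0.16.04]
EOF
}

# Demo on the sample; on a real host:
#   apt list --upgradable 2>/dev/null | esm_upgrades
sample_upgradable | esm_upgrades
```

Packages from the regular archive (tzdata in the sample) are left out, so the output is the set of changes that enabling ESM introduced.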

Kernel Livepatch

The Canonical Kernel Livepatch service is designed to help you maximize uptime without compromising on security. Livepatch automatically patches the Ubuntu Linux Kernel when high or critical CVE fixes have been applied to the Kernel, and Kernel only.

Livepatch does not apply standard updates. Instead, it patches vulnerabilities by injecting lines of code into the Ubuntu kernel as it runs. This has two main effects:

  1. You will still need to apply kernel security updates at least semi-regularly, but using Livepatch gives you the flexibility to apply those updates at a time that is convenient for you.
  2. You can expect to still receive alerts about available fixes for kernel vulnerabilities that Livepatch is already protecting you from. To see which CVEs Livepatch is protecting you from, you can run the following command:

$ canonical-livepatch status --verbose

Livepatch requires:

Livepatch is automatically enabled after attaching the Token to your machine. For Public Cloud Ubuntu Pro customers, Livepatch is pre-enabled on all Ubuntu Pro instances except for the Ubuntu Pro FIPS images.

Check whether Livepatch is enabled on your Ubuntu machine by running:

$ sudo pro status

If it is not enabled, you can enable it by running:

$ sudo pro enable livepatch

You should see output like the following, indicating that the Livepatch snap package has been installed.

One moment, checking your subscription first
Installing snapd
Updating package lists
Installing canonical-livepatch snap
Canonical livepatch enabled.

To check the status of Livepatch once it has been installed, use this command:

$ sudo canonical-livepatch status
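On more than a handful of machines, reading the status table by eye does not scale. The following is an added example, not part of the original guide or Canonical's tooling: it checks the SERVICE / ENTITLED / STATUS table (the layout shown in the pro attach output above, which pro status also prints) and reports any required service that is not enabled. The function names and the sample input are constructed; other client versions may lay the table out differently.

```shell
#!/bin/sh
# Added example: audit `pro status` text output for required services.
# Assumes the SERVICE / ENTITLED / STATUS / DESCRIPTION columns shown on
# this page; other client versions may print a different table.

# pro_missing_services SERVICE...
# Reads status text on stdin; prints one line per required service that is
# not both entitled ("yes") and "enabled". Prints nothing if all are fine.
pro_missing_services() {
    awk -v want="$*" '
        BEGIN { n = split(want, req, " ") }
        $1 == "SERVICE" && $2 == "ENTITLED" { in_table = 1; next }
        in_table && NF >= 3 { entitled[$1] = $2; status[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                s  = req[i]
                e  = (s in entitled) ? entitled[s] : "absent"
                st = (s in status)   ? status[s]   : "absent"
                if (e != "yes" || st != "enabled")
                    printf "%s entitled=%s status=%s\n", s, e, st
            }
        }'
}

# Constructed sample input (not captured from a real machine).
sample_status() {
    cat <<'EOF'
SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure
fips-updates  yes       disabled  (constructed row)
livepatch     yes       enabled   Canonical Livepatch service

Enable services with: pro enable <service>
EOF
}

# Demo on the sample; on a real host:
#   sudo pro status | pro_missing_services esm-infra livepatch
sample_status | pro_missing_services esm-infra livepatch fips-updates usg
```

A service missing from the table is reported as "absent", which separates "not offered on this release or subscription" from "entitled but switched off".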

Security Certifications (FIPS)

FIPS is supported on 16.04 ESM, 18.04 LTS, and 20.04 LTS. When enabling FIPS with the Ubuntu Pro client there are two options: FIPS and FIPS-updates. FIPS is the set of packages that were officially certified by NIST. These do not receive updates past the initial certification process.

FIPS-updates is a set of packages built to the same specification as those certified by NIST, but these packages receive regular updates as High and Critical CVEs are patched. These packages should be FIPS compliant, but have not gone through the official certification process.

It is highly recommended to enable FIPS-updates rather than FIPS with the Ubuntu Pro client, unless your environment has a Strict FIPS requirement, meaning you can only use certified FIPS modules.

More information: https://ubuntu.com/security/certifications/docs/fips

For more information on other options and configurations around use of the Ubuntu Pro client, please refer to the documentation on GitHub here.

Ubuntu Security Guide

Security Technical Implementation Guides like the CIS benchmark or DISA-STIG have hundreds of configuration recommendations, so hardening and auditing a Linux system manually can be very tedious. Ubuntu Security Guide (USG) is a new tool available with Ubuntu 20.04 LTS that greatly improves the usability of hardening and auditing, and allows for environment-specific customizations. The following sections provide more information on hardening and auditing with usg.

For a quick start with Ubuntu Security Guide for CIS or DISA-STIG, consider using this tutorial.

Proxy Configuration

The Ubuntu Pro client can be configured to use an http/https proxy as needed for network requests. In addition, the Ubuntu Pro client will automatically set up proxies for all programs required for enabling Ubuntu Pro services. This includes APT, Snaps, and Livepatch.

For a quick start with HTTP/HTTPS proxies, consider using the documentation on GitHub here.