How to enable CIS or USG

On Ubuntu 20.04 LTS (Focal) and later releases, CIS was replaced by USG. If you are running Focal (or a later release) and want to enable usg, then select the USG tab below.

Make sure pro is up-to-date

All systems come with pro pre-installed through the ubuntu-advantage-tools package. To make sure that you’re running the latest version of pro, run the following commands:

sudo apt update && sudo apt install ubuntu-advantage-tools

Check the status of the services

After you have attached your subscription and updated the ubuntu-advantage-tools package, you can check which services are enabled by running the following command:

pro status

This will show you which services are enabled or disabled on your machine (output truncated for brevity):

SERVICE          ENTITLED  STATUS    DESCRIPTION
esm-apps         yes       enabled   Expanded Security Maintenance for Applications
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
livepatch        yes       enabled   Canonical Livepatch service
realtime-kernel  yes       disabled  Ubuntu kernel with PREEMPT_RT patches integrated

Enable the service

To access the tooling, first enable the software repository as follows:

$ sudo pro enable cis
$ sudo pro enable usg

You should see output like the following, indicating that the package has been installed:

Updating CIS Audit package lists
Updating standard Ubuntu package lists
Installing CIS Audit packages
CIS Audit enabled
Visit https://ubuntu.com/security/cis to learn how to use CIS
Updating Ubuntu Security Guide package lists
Ubuntu Security Guide enabled
Visit https://ubuntu.com/security/certifications/docs/usg for the next steps

Once the feature is enabled you can follow the documentation for both the CIS and USG tooling, to run the provided hardening audit scripts.

Disable the service

If you wish to disable the service, you can use the following command:

$ sudo pro disable cis
$ sudo pro disable usg

You can verify that the service has been correctly disabled by once again running the pro status command.

Note that this command will only remove the APT sources, but not uninstall any of the packages installed with the service.

To purge the service, removing all APT packages installed with it, see how to disable and purge services. This does not remove any of your configuration, it only removes the packages.