How to enable CIS or USG¶
On Ubuntu 20.04 LTS (Focal) and later releases, CIS was
replaced by USG. If you are running Focal (or a later release) and
want to enable usg
, then select the USG tab below.
Make sure pro
is up-to-date¶
All systems come with pro
pre-installed through the
ubuntu-advantage-tools
package. To make sure that you’re running the latest
version of pro
, run the following commands:
sudo apt update && sudo apt install ubuntu-advantage-tools
Check the status of the services¶
After you have attached your subscription and
updated the ubuntu-advantage-tools
package, you can check which services
are enabled by running the following command:
pro status
This will show you which services are enabled or disabled on your machine (output truncated for brevity):
SERVICE ENTITLED STATUS DESCRIPTION
esm-apps yes enabled Expanded Security Maintenance for Applications
esm-infra yes enabled Expanded Security Maintenance for Infrastructure
livepatch yes enabled Canonical Livepatch service
realtime-kernel yes disabled Ubuntu kernel with PREEMPT_RT patches integrated
Enable the service¶
To access the tooling, first enable the software repository as follows:
$ sudo pro enable cis
$ sudo pro enable usg
You should see output like the following, indicating that the package has been installed:
Updating CIS Audit package lists Updating standard Ubuntu package lists Installing CIS Audit packages CIS Audit enabled Visit https://ubuntu.com/security/cis to learn how to use CIS
Updating Ubuntu Security Guide package lists Ubuntu Security Guide enabled Visit https://ubuntu.com/security/certifications/docs/usg for the next steps
Once the feature is enabled you can follow the documentation for both the CIS and USG tooling, to run the provided hardening audit scripts.
Disable the service¶
If you wish to disable the service, you can use the following command:
$ sudo pro disable cis
$ sudo pro disable usg
You can verify that the service has been correctly disabled by once again
running the pro status
command.
Note that this command will only remove the APT sources, but not uninstall any of the packages installed with the service.
To purge the service, removing all APT packages installed with it, see how to disable and purge services. This does not remove any of your configuration, it only removes the packages.