With the standard LTS version of Ubuntu, you may see that there are extra updates available when you perform an update. To get these extra patches, you need Ubuntu Pro.
Ubuntu Pro provides more security patches than regular Ubuntu. You can only receive security patches for 5 years from the release date, but with Pro, you get 10 years of updates from the release date.
On an LTS version, you see the extra files you can get if you have Pro. This can be annoying, so let's look at how to disable these messages.
Disable Pro Updates
For most users, they do not use or need the Pro version of Ubuntu. The main item about the Pro version is the ability to download more security updates.
The message, to me, is basically that there are more updates available, but I can't have them with LTS.
There is a package installed on Ubuntu systems, clients, and servers, that checks for the Pro subscription.
To remove the packages to stop checking for Pro, execute:
sudo apt -y --purge remove ubuntu-advantage-tools
Once done, you shouldn't see the Pro messages anymore.
Enabling Pro
If you want to enable the Pro Subscription, you can pay for the membership, or get it free for up to 5 machines if you have an account on Ubuntu One (which is free). Go to 'https://login.ubuntu.com' and set up an account, or login.
Once logged in, you can check your Subscriptions and see your information, as shown in Figure 1. At the bottom right, just cut off from the Figure, is the 30-digit token. This is what you use to enable Pro.
FIGURE 1
Before you enable Pro, be sure to update and upgrade your software:
sudo apt update && sudo apt upgrade -y
To enable the Subscription, perform the command on the server:
sudo pro attach <token>
After this, you should be shown a list of services to be restarted, as in Figure 2.
FIGURE 2
Click on '<OK>' to let the selected services be restarted. Once the process is done, you should see 'Subscription: Ubuntu Pro' shown at the end of the output. If you are using a free subscription, it should also include a ' - free personal subscription'.
NOTE: The command 'sudo pro attach <token>' may need to be run twice.
Now, if you execute the command 'sudo apt update', it should include repositories from 'esm.ubuntu.com'. The ESM is the Expanded Security Maintenance, included in Pro.
Livepatch
Livepatch is a way for an Ubuntu system to download security patches for the kernel and apply the patches without a reboot. The kernel is patched in memory, and the copy on the physical drive will be updated during the next reboot.
A good way to tell if your subscription is properly enabled is to run the command 'sudo pro status'. The server will check the subscription status and give you information on services that are enabled or disabled.
By default, Livepatch should be started automatically when Pro is enabled.
You can also check the status of the Pro Services with the command 'sudo ua status'. You should see something similar to Figure 3.
FIGURE 3
On a client system or Ubuntu Desktop, you can enable Livepatch. Another Pro subscription is needed and added to the client system. You can run the command 'sudo pro status' on a Desktop to check the status. You can install Livepatch with the command 'sudo snap install canonical-livepatch'. The status of Livepatch can be determined with the command 'canonical-livepatch status'.
To attach the client system to the subscription, use the command 'sudo canonical-livepatch enable <token>'. Once connected to the subscription, the service may need to be started with the command 'sudo snap start --enable canonical-livepatch'. Before you start the service, you can check the status to determine if you need to enable the service.
ESM
The Expanded Security Maintenance (ESM) is enabled with Pro by default. ESM provides access to PPAs that allow the download of Common Vulnerabilities and Exposures (CVEs). These updates will 'fix' any issues that exist with installed packages. The CVE packages are downloaded from the ESM repositories that are added when updated to Pro.
To find out if you have any vulnerable packages, check out the website 'https://ubuntu.com/security/cves?q=&package=&priority=&version=&status='. Search for the packages you have installed and see what is found.
If you use the command 'sudo pro security-status', you will see in Figure 4, that my machine lists 4 security updates.
FIGURE 4
To see what security patches are installed, use the command 'sudo pro security-status --esm-apps'. The output will show you what files are covered.
Real-Time Kernel
The Real-Time Kernel allows for the scheduling of running tasks. Deadlines can be set to allow a specific task to get more processor time so it finishes its tasks before the set time.
If you use a real-time kernel, you cannot use Livepatch. If you enable the real-time kernel, with the command 'sudo pro enable realtime-kernel'. You'll need to press 'y' and then click Enter to disable Livepatch and enable the Real-Time Kernel.
The system will then ask you to verify that you want to continue. If you continue, your kernel will be replaced and then the system will need to be rebooted. You will need to reboot it yourself, it is not rebooted after the change is made. It also informs you to revert to Livepatch, you need to do it manually.
You can run 'sudo pro status' to see that the 'realtime-kernel' is enabled.
NOTE: Keep in mind that you can either use Livepatch or a real-time kernel, but not both.
Ubuntu Security Guide (USG)
The USG is a tool that helps harden the security and auditing of a system. Once you create a Pro system, you can install USG with the command 'sudo pro enable usg'.
You need to install the necessary packages with the command 'sudo apt install usg -y'.
To generate a base file, use the command 'sudo usg generate-tailoring cis_level1_server tailor.xml'. The command creates an XML file in the local folder that can be edited and moved to '/usr/share/ubuntu-scap-security-guides/current.tailoring/cis_level1_server-tailoring.xml'.
You can edit the security file, but you'll need elevated privileges. To use the file as your standard, perform the command 'usg audit --tailoring-file tailor.xml '. If you change any entries, such as from 'true' to 'false', run the command to issue your new preferences.
Conclusion
Try the Pro version, if you like. See about the added abilities.
Most users see 'LivePatch' and the like in some of the commands and documentation, but may never actually try it.
Ubuntu Pro provides more security patches than regular Ubuntu. You can only receive security patches for 5 years from the release date, but with Pro, you get 10 years of updates from the release date.
On an LTS version, you see the extra files you can get if you have Pro. This can be annoying, so let's look at how to disable these messages.
Disable Pro Updates
For most users, they do not use or need the Pro version of Ubuntu. The main item about the Pro version is the ability to download more security updates.
The message, to me, is basically that there are more updates available, but I can't have them with LTS.
There is a package installed on Ubuntu systems, clients, and servers, that checks for the Pro subscription.
To remove the packages to stop checking for Pro, execute:
sudo apt -y --purge remove ubuntu-advantage-tools
Once done, you shouldn't see the Pro messages anymore.
Enabling Pro
If you want to enable the Pro Subscription, you can pay for the membership, or get it free for up to 5 machines if you have an account on Ubuntu One (which is free). Go to 'https://login.ubuntu.com' and set up an account, or login.
Once logged in, you can check your Subscriptions and see your information, as shown in Figure 1. At the bottom right, just cut off from the Figure, is the 30-digit token. This is what you use to enable Pro.
FIGURE 1
Before you enable Pro, be sure to update and upgrade your software:
sudo apt update && sudo apt upgrade -y
To enable the Subscription, perform the command on the server:
sudo pro attach <token>
After this, you should be shown a list of services to be restarted, as in Figure 2.
FIGURE 2
Click on '<OK>' to let the selected services be restarted. Once the process is done, you should see 'Subscription: Ubuntu Pro' shown at the end of the output. If you are using a free subscription, it should also include a ' - free personal subscription'.
NOTE: The command 'sudo pro attach <token>' may need to be run twice.
Now, if you execute the command 'sudo apt update', it should include repositories from 'esm.ubuntu.com'. The ESM is the Expanded Security Maintenance, included in Pro.
Livepatch
Livepatch is a way for an Ubuntu system to download security patches for the kernel and apply the patches without a reboot. The kernel is patched in memory, and the copy on the physical drive will be updated during the next reboot.
A good way to tell if your subscription is properly enabled is to run the command 'sudo pro status'. The server will check the subscription status and give you information on services that are enabled or disabled.
By default, Livepatch should be started automatically when Pro is enabled.
You can also check the status of the Pro Services with the command 'sudo ua status'. You should see something similar to Figure 3.
FIGURE 3
On a client system or Ubuntu Desktop, you can enable Livepatch. Another Pro subscription is needed and added to the client system. You can run the command 'sudo pro status' on a Desktop to check the status. You can install Livepatch with the command 'sudo snap install canonical-livepatch'. The status of Livepatch can be determined with the command 'canonical-livepatch status'.
To attach the client system to the subscription, use the command 'sudo canonical-livepatch enable <token>'. Once connected to the subscription, the service may need to be started with the command 'sudo snap start --enable canonical-livepatch'. Before you start the service, you can check the status to determine if you need to enable the service.
ESM
The Expanded Security Maintenance (ESM) is enabled with Pro by default. ESM provides access to PPAs that allow the download of Common Vulnerabilities and Exposures (CVEs). These updates will 'fix' any issues that exist with installed packages. The CVE packages are downloaded from the ESM repositories that are added when updated to Pro.
To find out if you have any vulnerable packages, check out the website 'https://ubuntu.com/security/cves?q=&package=&priority=&version=&status='. Search for the packages you have installed and see what is found.
If you use the command 'sudo pro security-status', you will see in Figure 4, that my machine lists 4 security updates.
FIGURE 4
To see what security patches are installed, use the command 'sudo pro security-status --esm-apps'. The output will show you what files are covered.
Real-Time Kernel
The Real-Time Kernel allows for the scheduling of running tasks. Deadlines can be set to allow a specific task to get more processor time so it finishes its tasks before the set time.
If you use a real-time kernel, you cannot use Livepatch. If you enable the real-time kernel, with the command 'sudo pro enable realtime-kernel'. You'll need to press 'y' and then click Enter to disable Livepatch and enable the Real-Time Kernel.
The system will then ask you to verify that you want to continue. If you continue, your kernel will be replaced and then the system will need to be rebooted. You will need to reboot it yourself, it is not rebooted after the change is made. It also informs you to revert to Livepatch, you need to do it manually.
You can run 'sudo pro status' to see that the 'realtime-kernel' is enabled.
NOTE: Keep in mind that you can either use Livepatch or a real-time kernel, but not both.
Ubuntu Security Guide (USG)
The USG is a tool that helps harden the security and auditing of a system. Once you create a Pro system, you can install USG with the command 'sudo pro enable usg'.
You need to install the necessary packages with the command 'sudo apt install usg -y'.
To generate a base file, use the command 'sudo usg generate-tailoring cis_level1_server tailor.xml'. The command creates an XML file in the local folder that can be edited and moved to '/usr/share/ubuntu-scap-security-guides/current.tailoring/cis_level1_server-tailoring.xml'.
You can edit the security file, but you'll need elevated privileges. To use the file as your standard, perform the command 'usg audit --tailoring-file tailor.xml '. If you change any entries, such as from 'true' to 'false', run the command to issue your new preferences.
Conclusion
Try the Pro version, if you like. See about the added abilities.
Most users see 'LivePatch' and the like in some of the commands and documentation, but may never actually try it.
