Deep dive on the security and compliance features available in Ubuntu Pro
In case you’re asking yourself “Ok! I deployed Ubuntu Pro, what now?”, this article will do a deep dive on the security and compliance features available in Ubuntu Pro, such as FIPS, CIS, Open source security, 10-year lifetime and Livepatch.
What is Ubuntu Pro really?
One thing to know is that Ubuntu Pro is just like your regular Ubuntu LTS, but with added security features added on top of it. Whatever workload you had running on Ubuntu LTS, you’ll be able to run its equivalent in Ubuntu Pro.
Therefore Ubuntu Pro is perfect for users wanting to get a few more years of security patches on top of their end of life Ubuntu 16.04, or for those looking to get FIPS compliance or CIS hardening, etc. You can look at the other articles of my blog for ideas on how to use and consume Ubuntu Pro.
About the pricing
Another thing to know is that Ubuntu Pro is a premium image and applies a small extra cost to your instance cost. The Canonical website says:
Ubuntu Pro pricing tracks the underlying compute cost, starting at under $0.01 for the smallest B1ls instance type, and ramping down to less than 1% of hourly compute.
Pricing details are included inside the description of the image on the Azure Marketplace directly.
Launching Ubuntu Pro
The first step is to launch an Ubuntu Pro instance. For this article, I’ll be mostly using the latest Ubuntu Pro 18.04 LTS image available on the Azure marketplace, as of May 11th 2021. If you want to follow along, just make sure you have an Azure account and click on that link to launch it yourself.
Once you have an Ubuntu Pro instance launched, SSH to your instance and let’s explore the features. Remember that this article was written with Ubuntu Pro 18.04 in mind and other releases of Ubuntu Pro might have a small delta in the set of features available.
Note about the version of the UA client
Some of the features and commands described in this article require a recent version of the UA client. Make sure you have version 26.2 or above before proceeding (I recommend version 27+):
$ ua version
27.0~18.04.1
If you don’t have a recent version, update your ubuntu-advantage-tools package:
$ sudo apt update
$ sudo apt install ubuntu-advantage-tools
If you still don’t get version 26.2+ from that command, consider adding the UA Client Stable PPA to your system and grab the more recent package from there:
$ sudo add-apt-repository ppa:ua-client/stable
$ sudo apt-get update
$ sudo apt install ubuntu-advantage-tools
If you do add the PPA, you might want to remove it after installing the new UA tools packages, otherwise you might be pulling newer versions of the UA tools in the future that you might not really want:
# optional
$ sudo add-apt-repository --remove ppa:ua-client/stable
Eventually all images of Ubuntu Pro will include a more recent version of the UA client, but for now these steps may be necessary until the versions get synchronized in all the releases of Ubuntu and get included in the Pro images on the public clouds.
Looking at the available features
The first thing you’ll want to do is take a look at the available security features. To do that, just run ua status.
$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM)
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules
livepatch yes enabled Canonical Livepatch service
Enable services with: ua enable <service>
Account: <redacted>
Subscription: <redacted>
Valid until: 9999-12-31 00:00:00
Technical support level: essential
Another cool trick is to use sudo ua status --wait to wait for the status of UA to be stabilized after you launch your Pro instance for the first time:
$ sudo ua status --wait
This can be helpful because it takes about a minute for the auto-attach of the UA client to do its thing after you launch an instance:
$ ua auto-attach --help
usage: ua auto-attach [flags]
Automatically attach an Ubuntu Advantage token on Ubuntu Pro images.
So back to the features, here are the available features in Ubuntu Pro 18.04:
SERVICE ENTITLED STATUS DESCRIPTION
esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM)
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules
livepatch yes enabled Canonical Livepatch service
If you use the --all flag, you can even see more beta features, such as CIS:
$ ua status --all
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis yes disabled Center for Internet Security Audit Tools
esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM)
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules
livepatch yes enabled Canonical Livepatch service
So now let’s go through some of them and see how we can use them.
FIPS
There are 2 lines in ua status for FIPS:
$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules
The difference is that fips-updates will include security patches against CVEs, at the cost of making the packages no longer FIPS certified. This is explained in better detail in the Ubuntu blog article FIPS 140-2: Stay compliant and secure with Canonical.
The TL;DR is:
If you work for a federal government department that collects, stores, transfers and shares sensitive but unclassified information, it’s likely that you’re required to use FIPS Certified modules without any modifications. In other cases – we recommend using FIPS Certified modules that include all security patches. We call it Ubuntu FIPS Compliant.
For this example, I’ll go ahead and use the FIPS Compliant (but not certified) fips-updates feature.
Note that Canonical offers FIPS certified out-of-the-box images on AWS and Azure. Those images come pre-installed with the FIPS certified modules and kernel installed, which lets you skip the step of enabling FIPS yourself. However if you prefer to use the FIPS compliant fips-updates feature, then I recommend you start with regular Ubuntu Pro and enable fips-updates yourself.
So let’s go ahead and enable fips-updates:
$ sudo ua enable fips-updates
One moment, checking your subscription first
This system will NOT be considered FIPS certified, but will include security
and bug fixes to the FIPS packages.
Are you sure? (y/N) y
FIPS Updates cannot be enabled with Livepatch.
Disable Livepatch and proceed to enable FIPS Updates? (y/N)y
Disabling incompatible service: Livepatch
Updating package lists
Installing FIPS Updates packages
FIPS Updates enabled
A reboot is required to complete install.
You’ll notice two prompts in the above output. The first one is a warning that fips-updates is not considered FIPS certified, but will include security and bug fixes, just like I explained above.
The second prompt is telling you that you have to disable Livepatch in order to enable fips/fips-updates. This is because the kernel livepatches are built for specific kernels and the fips kernels are not part of them. More on livepatch later in this article.
The last line in the output above says we need to reboot to enable fips, so make sure to reboot your instance before continuing.
Once your instance is rebooted, SSH back in and here is how you can verify that FIPS is running:
$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
...
fips-updates yes enabled Uncertified security updates to FIPS modules
...
$ uname -a
Linux bionicpro2021-05-11-12-06-48 4.15.0-2026-azure-fips #29-Ubuntu SMP Thu Apr 22 22:36:02 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ cat /proc/sys/crypto/fips_enabled
1
Notice in the output above that fips-updates is now enabled and we can see that we’re now running the kernel 4.15.0-2026-azure-fips. We also check that cat /proc/sys/crypto/fips_enabled returns 1 to confirm that FIPS is enabled on this system.
From there, it’s up to you to use workloads that can benefit from these FIPS kernel and modules. You can see the list of fips packages that were installed by running:
$ dpkg -l | grep -i fips
ii fips-initramfs 0.0.10 amd64 FIPS 140-2 kernel tests
ii kcapi-tools 1.0.3-2fips3 amd64 Command-line tools for Linux Kernel Crypto API
ii libgcrypt20:amd64 1.8.1-4ubuntu1.fips.2.5 amd64 LGPL Crypto library - runtime library
ii libgcrypt20-hmac:amd64 1.8.1-4ubuntu1.fips.2.5 amd64 FIPS HMAC integrity check files for libgcrypt20 library.
ii libkcapi1:amd64 1.0.3-2fips3 amd64 Linux Kernel Crypto API User Space Interface Library
ii libssl1.1:amd64 1.1.1-1ubuntu2.fips.2.1~18.04.9.1 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.1-hmac:amd64 1.1.1-1ubuntu2.fips.2.1~18.04.9.1 amd64 Secure Sockets Layer toolkit - FIPS HMAC integrity check
ii linux-azure-fips 4.15.0.2026.27 amd64 Complete Linux kernel for Azure systems.
ii linux-azure-fips-cloud-tools-4.15.0-2026 4.15.0-2026.29 amd64 Linux kernel version specific cloud tools for version 4.15.0-2026
ii linux-azure-fips-headers-4.15.0-2026 4.15.0-2026.29 all Header files related to Linux kernel version 4.15.0
ii linux-azure-fips-tools-4.15.0-2026 4.15.0-2026.29 amd64 Linux kernel version specific tools for version 4.15.0-2026
ii linux-cloud-tools-4.15.0-2026-azure-fips 4.15.0-2026.29 amd64 Linux kernel version specific cloud tools for version 4.15.0-2026
ii linux-cloud-tools-azure-fips 4.15.0.2026.27 amd64 Linux kernel versioned cloud tools for Azure systems.
ii linux-headers-4.15.0-2026-azure-fips 4.15.0-2026.29 amd64 Linux kernel headers for version 4.15.0 on 64 bit x86 SMP
ii linux-headers-azure-fips 4.15.0.2026.27 amd64 Linux kernel headers for Azure systems.
ii linux-image-4.15.0-2026-azure-fips 4.15.0-2026.29 amd64 Signed kernel image azure-fips
ii linux-image-azure-fips 4.15.0.2026.27 amd64 Linux kernel image for Azure systems.
ii linux-image-hmac-4.15.0-2026-azure-fips 4.15.0-2026.29 amd64 HMAC file for linux kernel image for version 4.15.0-2026
ii linux-modules-4.15.0-2026-azure-fips 4.15.0-2026.29 amd64 Linux kernel extra modules for version 4.15.0 on 64 bit x86 SMP
ii linux-tools-4.15.0-2026-azure-fips 4.15.0-2026.29 amd64 Linux kernel version specific tools for version 4.15.0-2026
ii linux-tools-azure-fips 4.15.0.2026.27 amd64 Linux kernel versioned tools for Azure systems.
ii openssh-client 1:7.9p1-10~ubuntu18.04.fips.0.2 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-client-hmac:amd64 1:7.9p1-10~ubuntu18.04.fips.0.2 amd64 FIPS HMAC integrity check files for secure shell (SSH) client.
ii openssh-server 1:7.9p1-10~ubuntu18.04.fips.0.2 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-server-hmac:amd64 1:7.9p1-10~ubuntu18.04.fips.0.2 amd64 FIPS HMAC integrity check files for secure shell (SSH) server.
ii openssh-sftp-server 1:7.9p1-10~ubuntu18.04.fips.0.2 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
ii openssl 1.1.1-1ubuntu2.fips.2.1~18.04.9.1 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii ubuntu-azure-fips 1.1.4+updates1 amd64 Install and configure linux-azure-fips kernel and user space modules
CIS
As of this writing, CIS shows up in the beta features of the UA client:
$ ua status --all
SERVICE ENTITLED STATUS DESCRIPTION
...
cis yes disabled Center for Internet Security Audit Tools
...
You can enable it by using the --beta flag. I am doing this on a fresh new Ubuntu 18.04 Pro instance:
$ sudo ua enable cis --beta
One moment, checking your subscription first
Updating package lists
Installing CIS Audit packages
CIS Audit enabled
This step does not harden your system. It simply installs the CIS tooling from Canonical:
$ dpkg -l | grep usg
ii usg-cisbenchmark 18.04.17 all SCAP content for CIS Ubuntu Benchmarks
ii usg-common 18.04.17 all The CPE files for Ubuntu SCAP Content
You’ll want to follow the instructions from the Ubuntu Security Certifications Documentation website to run the CIS hardening and audit.
Here is the TL;DR. You can harden your Ubuntu 18.04 server with the level 1 server profile with the following:
$ sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh lvl1_server
Understand that this will make modifications to your system to bring it in line as much as possible with the CIS level 1 server profile. Run this script in a lab environment first as this might make your workloads unusable due to the security hardening. You may have to customise a few rules to make this fit your environment.
Once the CIS level 1 server hardening has completed, you can do an audit with the included CIS auditing tool:
$ sudo cis-audit level1_server
Title Ensure mounting of cramfs filesystems is disabled
Rule xccdf_com.ubuntu.bionic.cis_rule_CIS-1.1.1.1
Result pass
Title Ensure mounting of freevxfs filesystems is disabled
Rule xccdf_com.ubuntu.bionic.cis_rule_CIS-1.1.1.2
Result pass
[...]
CIS audit scan completed. The scan results are available in /usr/share/ubuntu-scap-security-guides/cis-18.04-report.html report.
This will generate an HTML report that you consult for your CIS score. Refer to my other article about CIS scoring comparison for screenshots.
Open source security
The next item we’re going to look at is the Open source security feature. This item corresponds to the esm-apps line in ua status:
$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
...
esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM)
...
This line corresponds to the extra esm.ubuntu.com/apps package repository that you see when you run apt update:
$ sudo apt update
...
Get:6 https://esm.ubuntu.com/apps/ubuntu bionic-apps-security InRelease [7612 B]
Get:7 https://esm.ubuntu.com/apps/ubuntu bionic-apps-updates InRelease [7524 B]
...
Fetched 119 kB in 2s (48.8 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
25 packages can be upgraded. Run 'apt list --upgradable' to see them.
This repository contains patches from packages in universe and more. You can see that repository in action if you try to install Kafka on Ubuntu Pro. You can run apt-cache policy to see that it would pull the package from that repo:
ubuntu@bionicpro2021-05-11-12-06-48:~$ apt-cache policy kafka
kafka:
Installed: (none)
Candidate: 2.2.2u1-0ubuntu1+esm2
Version table:
2.2.2u1-0ubuntu1+esm2 500
500 https://esm.ubuntu.com/apps/ubuntu bionic-apps-security/main amd64 Packages
This feature hasn’t been much advertised by Canonical yet, so that’s all we will cover for now.
10-year lifetime
The next one is the “10-year lifetime” feature. The Ubuntu Pro for Azure page says:
Canonical backs Ubuntu Pro for 10 years*, ensuring security updates are available throughout, with a guaranteed upgrade path.
There’s an asterisk that says:
For 18.04 LTS onwards. The maintenance period for Ubuntu Pro 14.04 LTS and 16.04 LTS is 8 years.
This item corresponds to the esm-infra line in ua status:
$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
...
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
...
This line corresponds to the extra esm.ubuntu.com/infra package repository that you see when you run apt update:
$ sudo apt update
...
Hit:8 https://esm.ubuntu.com/infra/ubuntu bionic-infra-security InRelease
Hit:9 https://esm.ubuntu.com/infra/ubuntu bionic-infra-updates InRelease
...
This feature allows you to continue to receive security updates for the Ubuntu base OS, critical software packages and infrastructure components after that release of Ubuntu has reached the ESM period (previously called EOL or End Of Life).
Depending upon the LTS release, ESM provides three to five additional years of security maintenance. It provides security maintenance for high and critical CVEs for the entire collection of software packages shipped with Ubuntu.
Refer to the Ubuntu lifecycle and release cadence page to better understand the time periods when an Ubuntu release reaches ESM. Here’s a partial image from that page:
Notice how the purple periods represent ESM. You start getting benefits from this Ubuntu Pro feature only when the release reaches ESM. So if you’re running workloads on Ubuntu 16.04 LTS today, consider switching to Ubuntu Pro to continue to receive security updates. More details on the Extended Security Maintenance webpage.
You can get a more in-depth exploration of this feature in my other blog article How to get ESM in Auto Scaling groups in AWS with Ubuntu Pro 16.04.
Livepatch
I already cover this in depth in my article Kernel Livepatch in Ubuntu Pro 20.04, but here is a part of that article just to keep everything on one page here.
With Canonical’s Livepatch service, kernel patches are delivered immediately without the need to reboot your VMs.
That article was written with Ubuntu Pro 20.04 as the example. On the instance, check the kernel version:
ubuntu@focalpro:~$ uname -a
Linux focalpro 5.4.0-1012-azure #12-Ubuntu SMP Mon May 11 13:30:06 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
For this example, I downgraded by kernel version on purpose to be vulnerable against certain CVEs.
You can run canonical-livepatch status (I like to specify --format yaml to get more output) to see the status of livepatch. It’s possible that you won’t see any live patches if you launched a recent image of Ubuntu Pro.
Look at the status of livepatch:
ubuntu@focalpro:~$ canonical-livepatch status
last check: 52 seconds ago
kernel: 5.4.0-1012.12-azure
server check-in: succeeded
patch state: ✓ all applicable livepatch modules inserted
patch version: 75.2
ubuntu@focalpro:~$ canonical-livepatch status --format yaml
client-version: 9.5.5
architecture: x86_64
cpu-model: Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz
last-check: 2021-04-08T17:41:06Z
boot-time: 2021-04-08T17:40:46Z
uptime: 1m0s
status:
- kernel: 5.4.0-1012.12-azure
running: true
livepatch:
checkState: checked
patchState: applied
version: "75.2"
fixes: |-
* CVE-2013-1798
* CVE-2019-0155
* CVE-2019-0155: LP: #1852141
* CVE-2019-14615
* CVE-2019-14895
* CVE-2019-14896
* CVE-2019-14897
* CVE-2019-14901
* CVE-2019-18885
* CVE-2019-19642
* CVE-2019-20096
* CVE-2019-3016
* CVE-2020-10757
* CVE-2020-11494
* CVE-2020-11935
* CVE-2020-12114
* CVE-2020-12351
* CVE-2020-12352
* CVE-2020-14386
* CVE-2020-14416
* CVE-2020-16119
* CVE-2020-16120
* CVE-2020-24490
* CVE-2020-27170
* CVE-2020-27171
* CVE-2020-2732
* CVE-2020-28374
* CVE-2020-8647
* CVE-2020-8648
* CVE-2020-8649
* CVE-2021-27363
* CVE-2021-27364
* CVE-2021-27365
* CVE-2021-3444
We can see that we’re running the version 75.2 of the livepatch bundle, which corresponds to the latest livepatch security notice in the USN mailing list. This bundle protects this kernel from 33 CVEs.
That mailing list is where you can find the information about each individual livepatch. If you start from the Ubuntu security announce mailing list archive, you can click on each month (I like to use the Date indices) and find the notices that have LSN instead of USN.
Conclusion
Hopefully this covers the essentials on the features that make up Ubuntu Pro. Ubuntu Pro on AWS and Azure (and now on Google Cloud too!) comes with Livepatch and ESM enabled out of the box, with extra security features you can enable with just one command. Check out my other articles to find more about Ubuntu Pro:
- CIS scoring comparison of the Ubuntu 16.04, 18.04 and 20.04 AMIs from CIS compared to Ubuntu Pro on AWS
- How to build an Ubuntu Pro golden image in GCP with Packer
- How to build an Ubuntu Pro golden image in AWS with Packer
- How to use Ubuntu Pro programmatically in AWS and Azure
- How to get ESM in Auto Scaling groups in AWS with Ubuntu Pro 16.04
- How to use Azure Pipelines with a self-hosted agent running Ubuntu Pro 18.04
- Create an Ubuntu Pro VM with infrastructure in Azure using Terraform