What does security-status do?#
The security-status command provides an overview of all the packages
installed on your machine, and the security coverage that applies to those
packages.
The output of the security-status command varies, depending on the
configuration of the machine you run it on. In this article, we’ll take a look
at the different outputs of security-status and the situations in which
you might see them.
Command output#
If you run the pro security-status command, the first blocks of information
you see look like:
2871 packages installed:
2337 packages from Ubuntu Main/Restricted repository
504 packages from Ubuntu Universe/Multiverse repository
8 packages from third parties
22 packages no longer available for download
To get more information about the packages, run
pro security-status --help
for a list of available options.
Those are counts for the apt packages installed in the system, sorted
between the packages in main, universe, third party packages, and packages
that are no longer available. You will also see a hint to run
pro security-status --help to get more information.
apt update reminder#
To get accurate package information, the apt caches must be up to date. If
your cache was not updated recently, you may see a message in the output with
a reminder to update.
The system apt cache may be outdated. Make sure to run
sudo apt-get update
to get the latest package information from apt.
LTS coverage#
If esm-infra is disabled in your system, main/restricted packages will be
covered during the LTS period - this information is presented right after the
hints. A covered system will present this message:
This machine is receiving security patching for Ubuntu Main/Restricted
repository until <year>.
On a system where the LTS period ended, you’ll see:
This machine is NOT receiving security patches because the LTS period has ended
and esm-infra is not enabled.
Ubuntu Pro coverage#
An Ubuntu Pro subscription provides more security coverage than a standard LTS. The next blocks of information are related to Ubuntu Pro itself:
This machine is attached to an Ubuntu Pro subscription.
Main/Restricted packages are receiving security updates from
Ubuntu Pro with 'esm-infra' enabled until 2032.
Universe/Multiverse packages are receiving security updates from
Ubuntu Pro with 'esm-apps' enabled until 2032. You have received 21 security
updates.
This system is already attached to Pro! It is a Jammy machine, which has
installed some updates from esm-apps. Running the same command on a Xenial
system without Pro enabled, the output looks like:
This machine is NOT attached to an Ubuntu Pro subscription.
Ubuntu Pro with 'esm-infra' enabled provides security updates for
Main/Restricted packages until 2026. There are 170 pending security updates.
Ubuntu Pro with 'esm-apps' enabled provides security updates for
Universe/Multiverse packages until 2026. There is 1 pending security update.
Try Ubuntu Pro with a free personal subscription on up to 5 machines.
Learn more at https://ubuntu.com/pro
There are lots of esm-infra updates for this machine, and even an
esm-apps update. The hint in the end of the output has a link to the main
Pro website, so the user can learn more about Pro and get their subscription.
Interim releases#
If you are running an interim release, the output is slightly different because there are no Ubuntu Pro services available. You will still see the package counts and support period though - your main/restricted packages are supported for 9 months from the release date.
613 packages installed:
601 packages from Ubuntu Main/Restricted repository
12 packages from Ubuntu Universe/Multiverse repository
To get more information about the packages, run
pro security-status --help
for a list of available options.
Main/Restricted packages receive updates until 1/2024.
Ubuntu Pro is not available for non-LTS releases.
Optional flags for specific package sets#
Some flags can be passed to security-status to get information about
coverage of specific package sets. As an example, let’s look at the output of
pro security-status --esm-infra:
442 packages installed:
441 packages from Ubuntu Main/Restricted repository
Main/Restricted packages are receiving security updates from
Ubuntu Pro with 'esm-infra' enabled until 2026. You have received 3 security
updates. There are 160 pending security updates.
Run 'pro help esm-infra' to learn more
Installed packages with an available esm-infra update:
( ... list of packages ... )
Installed packages with an esm-infra update applied:
( ... list of packages ... )
Further installed packages covered by esm-infra:
( ... list of packages ... )
For example, run:
apt-cache show tcpdump
to learn more about that package.
Besides the support information of main/restricted (which Ubuntu Pro with
esm-infra extends) there are lists of:
Packages with an updated version available in ESM-infra repositories
Packages with a version installed from the ESM-infra repositories
Packages which are covered by ESM-infra
You will see a similar output when running pro security-status --esm-apps,
but with information regarding universe/multiverse packages.
You can also get a list of the third-party packages installed in the system:
$ pro security-status --thirdparty
2871 packages installed:
8 packages from third parties
Packages from third parties are not provided by the official Ubuntu
archive, for example packages from Personal Package Archives in Launchpad.
Packages:
( ... list of packages ... )
For example, run:
apt-cache show <package_name>
to learn more about that package.
And also a list of unavailable packages (which no longer have any installation source):
$ pro security-status --unavailable
2871 packages installed:
22 packages no longer available for download
Packages that are not available for download may be left over from a
previous release of Ubuntu, may have been installed directly from a
.deb file, or are from a source which has been disabled.
Packages:
( ... list of packages ... )
For example, run:
apt-cache show <package_name>
to learn more about that package.
Machine-readable output#
If you run the pro security-status --format yaml command on your machine,
you should expect to see an output that follows this structure:
_schema_version: '0.1'
summary:
num_esm_apps_packages: 0
num_esm_apps_updates: 0
num_esm_infra_packages: 1
num_esm_infra_updates: 1
num_main_packages: 70
num_multiverse_packages: 10
num_restricted_packages: 10
num_third_party_packages: 0
num_universe_packages: 9
num_installed_packages: 100
num_standard_security_updates: 0
ua:
attached: true
enabled_services:
- esm-apps
- esm-infra
entitled_services:
- esm-apps
- esm-infra
packages:
- origin: esm.ubuntu.com
package: zlib1g
service_name: esm-infra
status: upgrade_available
version: 1:1.2.8.dfsg-2ubuntu4.3+esm1
download_size: 123456
livepatch:
fixed_cves:
- Name: cve-2013-1798
Patched: true
Let’s understand what each key means in the output of the
pro security-status --format yaml command:
summary#
This provides a summary of the system related to Ubuntu Pro and the different package sources in the system:
num_installed_packages: The total number of installed packages on the system.
num_esm_apps_packages: The number of packages installed from
esm-apps.num_esm_apps_updates: The number of
esm-appspackage updates available to the system.num_esm_infra_packages: The number of packages installed from
esm-infra.num_esm_infra_updates: The number of
esm-infrapackage updates available to the system.num_main_packages: The number of packages installed from the
mainarchive component.num_multiverse_packages: The number of packages installed from the
multiversearchive component.num_restricted_packages: The number of packages installed from the
restrictedarchive component.num_third_party_packages : The number of packages installed from
third partysources.num_universe_packages: The number of packages installed from the
universearchive component.num_unknown_packages: The number of packages installed from sources not known to
apt(e.g., those installed locally throughdpkgor packages without a remote reference).num_standard_security_updates: The number of standard security updates available to the system.
Note
It is worth mentioning here that the _updates fields are presenting the
number of security updates for installed packages. For example,
let’s assume your machine has a universe package that has a security update
from esm-infra. The count will be displayed as:
num_esm_infra_packages: 0
num_esm_infra_updates: 1
num_universe_packages: 1
After upgrading the system, the count will turn to:
num_esm_infra_packages: 1
num_esm_infra_updates: 0
num_universe_packages: 0
ua: An object representing the state of Ubuntu Pro on the system:
attached: If the system is attached to an Ubuntu Pro subscription.
enabled_services: A list of services that are enabled on the system. If unattached, this will always be an empty list.
entitled_services: A list of services that are entitled on your Ubuntu Pro subscription. If unattached, this will always be an empty list.
packages#
This provides a list of security updates for packages installed on the system. Every entry on the list will follow this structure:
origin: The host where the update comes from.
package: The name of the package.
service_name: The service that provides the package update. It can be one of:
esm-infra,esm-appsorstandard-security.status: The status for this update. It will be one of:
“upgrade_available”: The package can be upgraded right now.
“pending_attach”: The package needs an Ubuntu Pro subscription attached to be upgraded.
“pending_enable”: The machine is attached to an Ubuntu Pro subscription, but the service required to provide the upgrade is not enabled.
“upgrade_unavailable”: The machine is attached, but the contract is not entitled to the service which provides the upgrade.
version: The update version.
download_size: The number of bytes that would be downloaded in order to install the update.
livepatch#
This displays Livepatch-related information. Currently, the only information presented is `fixed_cves`. This represents a list of CVEs that were fixed by Livepatches applied to the kernel.