How to manage CC EAL#

Common Criteria is supported only on Ubuntu 16.04 (Xenial) and 18.04 (Bionic). This means that CC EAL2 can be enabled on both Xenial and Bionic LTS releases, but the installed scripts that configure CC EAL2 on those machines will only run on Xenial 16.04.4 and Bionic 18.04.4 point releases.

Make sure pro is up-to-date#

All systems come with pro pre-installed through the ubuntu-advantage-tools package. To make sure that you’re running the latest version of pro, run the following commands:

sudo apt update && sudo apt install ubuntu-advantage-tools

Check the status of the services#

After you have attached your subscription and updated the ubuntu-advantage-tools package, you can check which services are enabled by running the following command:

pro status

This will show you which services are enabled or disabled on your machine (output truncated for brevity):

esm-apps         yes       enabled   Expanded Security Maintenance for Applications
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
livepatch        yes       enabled   Canonical Livepatch service
realtime-kernel  yes       disabled  Ubuntu kernel with PREEMPT_RT patches integrated

Enable and auto-install#

To enable CC EAL2 using the Ubuntu Pro Client, run the following command:

$ sudo pro enable cc-eal

You should see output like this:

Updating package lists
(This will download more than 500MB of packages, so may take some time.)
Installing CC EAL2 packages
CC EAL2 enabled
Please follow instructions in /usr/share/doc/ubuntu-commoncriteria/README to configure EAL2

This indicates that the CC EAL2 package has been successfully installed.

Enable and manually install#


The --access-only flag was introduced in Pro Client version 27.11.

If you would like to enable access to the CC EAL2 apt repository but not install the packages immediately, use the --access-only flag while enabling:

$ sudo pro enable cc-eal --access-only

With that extra flag you’ll see output like the following:

One moment, checking your subscription first
Updating package lists
Skipping installing packages: ubuntu-commoncriteria
CC EAL2 access enabled

To install the packages at a later time, you can then run:

$ sudo apt install ubuntu-commoncriteria

Disable the service#

If you wish to disable cc-eal, you can use the following command:

sudo pro disable cc-eal

Note that this command will only remove the APT source, but not uninstall any of the packages installed with the service.

To purge the service, removing the APT packages installed with it, see how to disable and purge services. This will not remove any configuration, but will remove the packages.