diff --git a/molecule/testinfra/common/test_system_hardening.py b/molecule/testinfra/common/test_system_hardening.py
index bd1f456bcd..9f01dffed7 100644
--- a/molecule/testinfra/common/test_system_hardening.py
+++ b/molecule/testinfra/common/test_system_hardening.py
@@ -180,3 +180,11 @@ def test_snapd_absent(host):
 assert not host.file("/etc/apparmor.d/usr.lib.snapd.snap-confine.real").exists
 assert not host.file("/usr/bin/snap").exists
 assert not host.file("/var/lib/snapd/snaps").exists
+
+
+def test_ubuntu_pro_disabled(host):
+ with host.sudo():
+ cmd = host.run("systemctl status esm-cache")
+ assert "Loaded: masked" in cmd.stdout
+ cmd = host.run("systemctl is-enabled ua-timer.timer")
+ assert cmd.stdout.strip() == "disabled"
diff --git a/securedrop/debian/securedrop-config.postinst b/securedrop/debian/securedrop-config.postinst
index eb5a4c7564..4e3086d5f8 100755
--- a/securedrop/debian/securedrop-config.postinst
+++ b/securedrop/debian/securedrop-config.postinst
@@ -22,6 +22,9 @@ case "$1" in
 # Disable fwupd-refresh (#6204)
 systemctl is-enabled fwupd-refresh.timer && systemctl disable fwupd-refresh.timer
+ # And disable Ubuntu Pro's ua-timer and esm-cache (#6773)
+ systemctl is-enabled ua-timer.timer && systemctl disable ua-timer.timer
+ systemctl mask esm-cache
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
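Review bot: The esm-cache assertion in `test_ubuntu_pro_disabled` matches on the human-readable `systemctl status` text (`"Loaded: masked"`), while the ua-timer check right below it uses the machine-oriented `is-enabled` query. Using the same form for both, `cmd = host.run("systemctl is-enabled esm-cache")` with `assert cmd.stdout.strip() == "masked"`, would make the test less sensitive to changes in status formatting. Both assertions cover only the enablement state, so a timer that is disabled but still running on the host would pass. If the hardening goal is that the Ubuntu Pro units never fire, a check such as `assert host.run("systemctl is-active ua-timer.timer").stdout.strip() == "inactive"` would pin that down. A short docstring naming the issue the test guards (#6773, per the postinst comment) would also help.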
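Review bot: The two added `systemctl` calls change only what happens at the next boot: `systemctl disable ua-timer.timer` leaves an already-started timer scheduled, and `systemctl mask esm-cache` does not stop a unit that is currently running. On an upgraded server the Ubuntu Pro timer can therefore keep firing until the next reboot. Adding `--now` closes that window: `systemctl is-enabled ua-timer.timer && systemctl disable --now ua-timer.timer` and `systemctl mask --now esm-cache`. The timer is also only disabled while esm-cache is masked, so it may be worth confirming that a later package upgrade cannot re-enable it, or masking it too. The enclosing `case` arm starts and ends outside this hunk, so whether the script runs under `set -e` is not visible here.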