Ensure Software Patches Installed

An XCCDF Rule

Description

If the system is joined to the ULN or a yum server, run the following command to install updates:

$ sudo yum update

If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the ULN and installed using rpm.

NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.

warning alert: Warning

The OVAL feed of Oracle Linux 8 is not a XML file, which may not be understood by all scanners.

Rationale

Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.

ID: xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Severity: Medium
References: BP28(R08)

18 20 4

5.10.4.1

APO12.01 APO12.02 APO12.03 APO12.04 BAI03.10 DSS05.01 DSS05.02

CCI-000366 CCI-001227

4.2.3 4.2.3.12 4.2.3.7 4.2.3.9

A.12.6.1 A.14.2.3 A.16.1.3 A.18.2.2 A.18.2.3

CM-6(a) SI-2(5) SI-2(c)

ID.RA-1 PR.IP-12

FMT_MOF_EXT.1

Req-6.2

6.3.3

SRG-OS-000480-GPOS-00227

OL08-00-010010

SV-248523r779135_rule
Updated: about 1 year ago



yum -y update

- name: Security patches are up to date
  package:
    name: '*'
    state: latest
  tags:
  - CJIS-5.10.4.1  - DISA-STIG-OL08-00-010010
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-2(5)
  - NIST-800-53-SI-2(c)
  - PCI-DSS-Req-6.2
  - PCI-DSSv4-6.3.3
  - high_disruption
  - low_complexity
  - medium_severity
  - patch_strategy
  - reboot_required
  - security_patches_up_to_date
  - skip_ansible_lint

Ensure Software Patches Installed

Description

Rationale

Remediation - Shell Script

Remediation - Ansible