mediumsystemverified ✓
Ensure updates, patches, and additional security software are installed
security-updates-installed · RHEL ≥ 8 · 1 impl
Description
Available vendor updates and security patches should be applied. This rule flags when the package manager reports pending updates.
Rationale
Unapplied updates leave known vulnerabilities exploitable. Keeping the system current is a primary defense against publicly known CVEs.
Check → Remediate
Checkcommand
# dnf check-update exits 100 when updates are available, 0 when none. if dnf -q check-update >/dev/null 2>&1; then echo "OK: no pending updates" exit 0 fi rc=$? if [ "$rc" -eq 100 ]; then echo "FAIL: package updates are pending"; exit 1; fi echo "OK: update check completed (rc=$rc)" exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Review pending updates with `dnf check-update` and apply approved updates with `dnf update` on your change-controlled schedule.
Framework references
CIS
rhel9 1.2.2.1rhel8 1.2.2.1rhel10 1.2.2.1
STIG
V-257778 / RHEL-09-211015V-230222 / RHEL-08-010010
NIST 800-53
SI-2
Live verification
rhel9:check
#patching#updates#vulnerability-management