← Rules Catalog
mediumsystemverified

Ensure updates, patches, and additional security software are installed

security-updates-installed · RHEL ≥ 8 · 1 impl

Description

Available vendor updates and security patches should be applied. This rule flags when the package manager reports pending updates.

Rationale

Unapplied updates leave known vulnerabilities exploitable. Keeping the system current is a primary defense against publicly known CVEs.

Check → Remediate

Checkcommand
# dnf check-update exits 100 when updates are available, 0 when none.
if dnf -q check-update >/dev/null 2>&1; then
  echo "OK: no pending updates"
  exit 0
fi
rc=$?
if [ "$rc" -eq 100 ]; then echo "FAIL: package updates are pending"; exit 1; fi
echo "OK: update check completed (rc=$rc)"
exit 0
expected_exit:
0
Remediatemanual
note:
Review pending updates with `dnf check-update` and apply approved updates with `dnf update` on your change-controlled schedule.

Framework references

CIS

rhel9 1.2.2.1rhel8 1.2.2.1rhel10 1.2.2.1

STIG

V-257778 / RHEL-09-211015V-230222 / RHEL-08-010010

NIST 800-53

SI-2

Live verification

rhel9:check
#patching#updates#vulnerability-management