1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
documentation_complete: true
title: 'Configure dnf-automatic to Install Only Security Updates'
description: |-
To configure <tt>dnf-automatic</tt> to install only security updates
automatically, set <tt>upgrade_type</tt> to <tt>security</tt> under
<tt>[commands]</tt> section in <tt>/etc/dnf/automatic.conf</tt>.
rationale: |-
By default, <tt>dnf-automatic</tt> installs all available updates.
Reducing the amount of updated packages only to updates that were
issued as a part of a security advisory increases the system stability.
severity: low
identifiers:
cce@rhel8: CCE-82267-6
cce@rhel9: CCE-83461-4
cce@rhel10: CCE-87469-3
cce@sle12: CCE-91478-8
cce@sle15: CCE-91166-9
references:
nist: SI-2(5),CM-6(a),SI-2(c)
srg: SRG-OS-000191-GPOS-00080
platform: not bootc
ocil_clause: 'the upgrade_type is not set to security'
ocil: |-
To verify that only security updates will be automatically installed by dnf-automatic, run the following command:
<pre>$ sudo grep upgrade_type /etc/dnf/automatic.conf</pre>
The output should return the following:
<pre>upgrade_type = security</pre>
|
