File: rule.yml

scap-security-guide 0.1.78-1
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (41 lines) | stat: -rw-r--r-- 1,535 bytes
documentation_complete: true


title: 'Configure dnf-automatic to Install Available Updates Automatically'

description: |-
    To ensure that the packages comprising the available updates will be automatically installed by <tt>dnf-automatic</tt>, set <tt>apply_updates</tt> to <tt>yes</tt> in the <tt>[commands]</tt> section of <tt>/etc/dnf/automatic.conf</tt>.

rationale: |-
    Installing software updates is a fundamental mitigation against
    the exploitation of publicly-known vulnerabilities. If the most
    recent security patches and updates are not installed, unauthorized
    users may take advantage of weaknesses in the unpatched software. The
    lack of prompt attention to patching could result in a system compromise.
    The automated installation of updates ensures that recent security patches
    are applied in a timely manner.

severity: medium

identifiers:
    cce@rhel8: CCE-82494-6
    cce@rhel9: CCE-83456-4
    cce@rhel10: CCE-86671-5
    cce@sle12: CCE-91474-7
    cce@sle15: CCE-91165-1

references:
    ism: 0940,1144,1467,1472,1483,1493,1494,1495
    nist: SI-2(5),CM-6(a),SI-2(c)
    ospp: FMT_SMF_EXT.1
    srg: SRG-OS-000805-GPOS-00260

platform: not bootc

ocil_clause: 'apply_updates is not set to yes'

ocil: |-
    To verify that packages comprising the available updates will be automatically installed by dnf-automatic, run the following command:
    <pre>$ sudo grep apply_updates /etc/dnf/automatic.conf</pre>
    The output should be the following:
    <pre>apply_updates = yes</pre>
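
The grep in the ocil text matches any line containing apply_updates, including commented-out lines and lines outside [commands]. The following is an added example, not part of scap-security-guide: a section-aware check suitable for scripting. The function names and the strict policy (every uncommented assignment in [commands] must be exactly yes, with no trailing comment) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of scap-security-guide.
# check_apply_updates FILE: exit status 0 only if FILE has an uncommented
# "apply_updates = yes" inside [commands] and no conflicting assignment there.
# Usage: check_apply_updates /etc/dnf/automatic.conf && echo compliant
check_apply_updates() {
    awk '
        /^[ \t]*([#;]|$)/ { next }      # skip blank lines and comments
        /^[ \t]*\[/ {                   # section header: remember its name
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        section == "commands" {         # only [commands] is relevant
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "apply_updates") {
                found = 1
                if (val != "yes") bad = 1
            }
        }
        END { if (found && !bad) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample (not from a real system): the only "yes" is commented
# out, so a plain grep prints a line that looks compliant next to the real one.
sample_noncompliant() {
    cat <<'EOF'
[commands]
upgrade_type = default
# apply_updates = yes
apply_updates = no

[emitters]
emit_via = stdio
EOF
}
```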