1.8 Ensure updates, patches, and additional security software are installed

Information

Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected.

Solution

Use your package manager to update all packages on the system according to site policy. The following command will install all available updates:

# yum update

Notes: Site policy may mandate a testing period before available updates are installed onto production systems.

2 Services

While applying system updates and patches helps correct known vulnerabilities, one of the best ways to protect the system against as yet unreported vulnerabilities is to disable all services that are not required for normal system operation. This prevents the exploitation of vulnerabilities discovered at a later date. If a service is not enabled, it cannot be exploited. The actions in this section of the document provide guidance on some services which can be safely disabled and under which circumstances, greatly reducing the number of possible threats to the resulting system. Additionally, some services which should remain enabled but with secure configuration are covered, as well as insecure service clients.

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2, CSCv6|4.5

Plugin: Unix

Control ID: 577d4624237eb9b4b84c8afd628661ad91558aa888d8da4785a97371b4bd1624