1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled - 'CriticalUpdateInstall'

Information

Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper. With this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end-user admin rights.

http://www.thesafemac.com/tag/xprotect/

https://support.apple.com/en-us/HT202491

Rationale:

Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.

Impact:

Unpatched software may be exploited.

Solution

Perform the following to enable system data files and security updates to install automatically:
Graphical Method:

Open System Preferences

Select Software Updates

Select Advanced

Select Install system data files and security updates

Terminal Method:
Run the following commands to enable automatic checking of system data files and security updates:

$ sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true

$ sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
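
A check for the result of the Terminal Method, as an added example that is not part of the benchmark text: it reads both keys back with `defaults read` and fails unless each one is true. The `DEFAULTS_CMD` variable, the function names and the `--audit` switch are assumptions of this sketch, as is treating an unset key as a failure; it reads only the file the Terminal Method writes.

```shell
#!/bin/sh
# Added example: audit the two keys written by the Terminal Method.
# DEFAULTS_CMD is a hypothetical override so the reader can be stubbed in tests.
DOMAIN=/Library/Preferences/com.apple.SoftwareUpdate
DEFAULTS_CMD=${DEFAULTS_CMD:-/usr/bin/defaults}

# Print the normalised state of one boolean key: true, false, unset,
# or unexpected:<raw value> when the stored value is not a boolean.
key_state() {
    # `defaults read` exits non-zero when the key or domain does not exist.
    value=$("$DEFAULTS_CMD" read "$DOMAIN" "$1" 2>/dev/null) || { echo unset; return 0; }
    case "$value" in
        1|true|TRUE|YES)  echo true ;;
        0|false|FALSE|NO) echo false ;;
        *)                echo "unexpected:$value" ;;
    esac
}

# Report PASS/FAIL per key; return 0 only when both keys are true.
# Assumption of this sketch: an unset key counts as a failure.
audit_auto_security_updates() {
    rc=0
    for key in ConfigDataInstall CriticalUpdateInstall; do
        state=$(key_state "$key")
        if [ "$state" = true ]; then
            echo "PASS $key=$state"
        else
            echo "FAIL $key=$state"
            rc=1
        fi
    done
    return $rc
}

# Run the audit only when asked, e.g.: sh audit_su.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_auto_security_updates
    exit $?
fi
```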

Profile Method:

Create or edit a configuration profile with the PayloadType of com.apple.SoftwareUpdate

Add the key ConfigDataInstall

Set the key to <true/>

Add the key CriticalUpdateInstall

Set the key to <true/>

See Also

https://workbench.cisecurity.org/files/3569

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|RA-5(2), 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4, CSCv7|3.5

Plugin: Unix

Control ID: 830724994db2a9c085d503974e64f1f5cfcf62aa6b430d3c99fb32e71eb9f5c5