1.10 Ensure updates, patches, and additional security software are installed

Information

Periodically patches are released for included software either due to security flaws or to include additional functionality.

Notes:

Site policy may mandate a testing period before install onto production systems for available updates.

upgrade - is used to install the newest versions of all packages currently installed on the system from the sources enumerated in /etc/apt/sources.list. Packages currently installed with new versions available are retrieved and upgraded; under no circumstances are currently installed packages removed, or packages not already installed retrieved and installed. New versions of currently installed packages that cannot be upgraded without changing the install status of another package will be left at their current version. An update must be performed first so that apt knows that new versions of packages are available.

dist-upgrade - in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt has a 'smart' conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. So, dist-upgrade command may remove some packages. The /etc/apt/sources.list file contains a list of locations from which to retrieve desired package files. See also apt_preferences(5) for a mechanism for overriding the general settings for individual packages.

Rationale:

Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Run the following command to update all packages following local site policy guidance on applying updates and patches:

# apt upgrade

OR

# apt dist-upgrade

See Also

https://workbench.cisecurity.org/files/2920

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2c., CSCv7|3.4, CSCv7|3.5

Plugin: Unix

Control ID: 454bc2c2e2d1ce3a7cb772e7484d2e75873ca224737d999304d8f85c25ac51f0