800-53|SI-2

Title

FLAW REMEDIATION

Description

The organization:

Supplemental

Organizations identify information systems affected by announced software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems.

By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).

Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider, in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

Reference Item Details

Related: CA-2, CA-7, CM-3, CM-5, CM-8, IR-4, MA-2, RA-5, SA-10, SA-11, SI-11

Category: SYSTEM AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1 (L1) Ensure ESXi is properly patched | VMware | CIS VMware ESXi 7.0 v1.4.0 L1
1.1 Ensure All Apple-provided Software Is Current | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.0.0 L1
1.1 Ensure All Apple-provided Software Is Current | Unix | CIS Apple macOS 12.0 Monterey v3.1.0 L1
1.1 Ensure All Apple-provided Software Is Current | Unix | CIS Apple macOS 14.0 Sonoma v1.1.0 L1
1.1 Ensure All Apple-provided Software Is Current | Unix | CIS Apple macOS 13.0 Ventura v2.1.0 L1
1.1 Ensure All Apple-provided Software Is Current | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1
1.1 Ensure All Apple-provided Software Is Current | Unix | CIS Apple macOS 10.15 Catalina v3.0.0 L1
1.1 Ensure All Apple-provided Software Is Current | Unix | CIS Apple macOS 12.0 Monterey Cloud-tailored v1.0.0 L1
1.1 Ensure All Apple-provided Software Is Current | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
1.1 Ensure ESXi is properly patched | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
1.1 Install Updates, Patches and Additional Security Software | Unix | CIS Debian Linux 7 L1 v1.0.0
1.1 Use the Latest Package Updates | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
1.1 Verify all Apple-provided software is current | Unix | CIS Apple macOS 10.14 v2.0.0 L1
1.1.1 Install Available Updates | IBM_DB2DB | CIS IBM DB2 11 v1.1.0 Database Level 1
1.1.5.1 Ensure 'Enable Automatic Updates' is set to 'Enabled' | Windows | CIS Microsoft Office Enterprise v1.2.0 L1
1.1.5.2 Ensure 'Hide option to enable or disable updates' is set to 'Enabled' | Windows | CIS Microsoft Office Enterprise v1.2.0 L1
1.2 Enable Auto Update | Unix | CIS Apple macOS 10.12 L1 v1.2.0
1.2 Enable Auto Update | Unix | CIS Apple macOS 10.13 L1 v1.1.0
1.2 Enable Auto Update | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0
1.2 Enable Auto Update | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0
1.2 Enable Auto Update Checks | Unix | CIS Apple OSX 10.9 L1 v1.3.0
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v3.1.0 L1
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v2.1.0 L1
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 10.15 Catalina v3.0.0 L1
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 12.0 Monterey Cloud-tailored v1.0.0 L1
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v1.1.0 L1
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.0.0 L1
1.2.1 Ensure GPG keys are configured | Unix | CIS Fedora 28 Family Linux Server L1 v2.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS AlmaLinux OS 8 Workstation L1 v3.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS Red Hat EL8 Workstation L1 v3.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS SUSE Linux Enterprise 12 v3.1.0 L1 Server
1.2.1 Ensure GPG keys are configured | Unix | CIS SUSE Linux Enterprise 12 v3.1.0 L1 Workstation
1.2.1 Ensure GPG keys are configured | Unix | CIS Rocky Linux 8 Server L1 v2.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS Fedora 28 Family Linux Workstation L1 v2.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS CentOS Linux 7 v4.0.0 L1 Workstation
1.2.1 Ensure GPG keys are configured | Unix | CIS AlmaLinux OS 8 Server L1 v3.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS Amazon Linux 2 v3.0.0 L1
1.2.1 Ensure GPG keys are configured | Unix | CIS CentOS Linux 7 v4.0.0 L1 Server
1.2.1 Ensure GPG keys are configured | Unix | CIS Oracle Linux 7 v4.0.0 L1 Workstation
1.2.1 Ensure GPG keys are configured | Unix | CIS Rocky Linux 8 Workstation L1 v2.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS CentOS Linux 8 Workstation L1 v2.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS Oracle Linux 7 v4.0.0 L1 Server
1.2.1 Ensure GPG keys are configured | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
1.14 Ensure 'DNS interception checks enabled' is set to 'Enabled' | Windows | CIS Google Chrome L1 v3.0.0
1.15 Ensure 'Enable component updates in Google Chrome' is set to 'Enabled' | Windows | CIS Google Chrome L1 v3.0.0
1.117 (L1) Ensure 'Notify a user that a browser restart is recommended or required for pending updates' is set to 'Enabled: Required - Show a recurring prompt to the user indicating that a restart is required' | Windows | CIS Microsoft Edge v3.0.0 L1
1.120 (L1) Ensure 'Set the time period for update notifications' is set to 'Enabled: 86400000' | Windows | CIS Microsoft Edge v3.0.0 L1