800-53|SI-2

Title

FLAW REMEDIATION

Description

The organization:

Supplemental

Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider, in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

Reference Item Details

Related: CA-2, CA-7, CM-3, CM-5, CM-8, IR-4, MA-2, RA-5, SA-10, SA-11, SI-11

Category: SYSTEM AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Ensure All Apple-provided Software Is Current | Unix | CIS Apple macOS 10.15 v2.1.0 L1
1.1 Ensure All Apple-provided Software Is Current | Unix | CIS Apple macOS 11 v2.1.0 L1
1.1 Ensure All Apple-provided Software Is Current | Unix | CIS Apple macOS 12.0 Monterey v1.1.0 L1
1.1 Ensure ESXi is properly patched | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
1.1 Ensure ESXi is properly patched | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
1.1 Install Updates, Patches and Additional Security Software | Unix | CIS Debian Linux 7 L1 v1.0.0
1.1 Keep ESXi system properly patched | VMware | CIS VMware ESXi 5.5 v1.2.0 Level 1
1.1 Keep ESXi system properly patched | VMware | CIS VMware ESXi 5.1 v1.0.1 Level 1
1.1 Verify all Apple-provided software is current | Unix | CIS Apple macOS 10.14 v2.0.0 L1
1.2 Enable Auto Update | Unix | CIS Apple macOS 10.12 L1 v1.2.0
1.2 Enable Auto Update | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0
1.2 Enable Auto Update | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0
1.2 Enable Auto Update | Unix | CIS Apple macOS 10.13 L1 v1.1.0
1.2 Enable Auto Update Checks | Unix | CIS Apple OSX 10.9 L1 v1.3.0
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 10.15 v2.1.0 L1
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 11 v2.1.0 L1
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1
1.2 Ensure Auto Update Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v1.1.0 L1
1.2.1 Ensure GPG keys are configured | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server
1.2.1 Ensure GPG keys are configured | Unix | CIS SUSE Linux Enterprise Workstation 12 L1 v3.1.0
1.2.1 Ensure GPG keys are configured | Unix | CIS Amazon Linux 2 v2.0.0 L1
1.2.1 Ensure GPG keys are configured | Unix | CIS Oracle Linux 7 Server L1 v3.1.1
1.2.1 Ensure GPG keys are configured | Unix | CIS Rocky Linux 8 Workstation L1 v1.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS CentOS 7 v3.1.2 Server L1
1.2.1 Ensure GPG keys are configured | Unix | CIS CentOS 7 v3.1.2 Workstation L1
1.2.1 Ensure GPG keys are configured | Unix | CIS Red Hat EL7 Server L1 v3.1.1
1.2.1 Ensure GPG keys are configured | Unix | CIS Red Hat EL7 Workstation L1 v3.1.1
1.2.1 Ensure GPG keys are configured | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Workstation
1.2.1 Ensure GPG keys are configured | Unix | CIS AlmaLinux OS 8 Workstation L1 v2.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS Oracle Linux 7 Workstation L1 v3.1.1
1.2.1 Ensure GPG keys are configured | Unix | CIS Rocky Linux 8 Server L1 v1.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS AlmaLinux OS 8 Server L1 v2.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS SUSE Linux Enterprise 15 Workstation L1 v1.1.1
1.2.1 Ensure GPG keys are configured | Unix | CIS SUSE Linux Enterprise 15 Server L1 v1.1.1
1.2.1 Ensure GPG keys are configured | Unix | CIS SUSE Linux Enterprise Server 12 L1 v3.1.0
1.2.1 Ensure GPG keys are configured | Unix | CIS Oracle Linux 8 Server L1 v2.0.0
1.2.1 Ensure GPG keys are configured | Unix | CIS Oracle Linux 8 Workstation L1 v2.0.0
1.2.1 Ensure GPG keys are configured - gpgkey | Unix | CIS CentOS Linux 8 Workstation L1 v2.0.0
1.2.1 Ensure GPG keys are configured - gpgkey | Unix | CIS CentOS Linux 8 Server L1 v2.0.0
1.2.1 Ensure GPG keys are configured - show rpm keys | Unix | CIS CentOS Linux 8 Workstation L1 v2.0.0
1.2.1 Ensure GPG keys are configured - show rpm keys | Unix | CIS CentOS Linux 8 Server L1 v2.0.0
1.2.1 Ensure package manager repositories are configured | Unix | CIS Amazon Linux v2.1.0 L1
1.2.1 Ensure package manager repositories are configured | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.2.1 Ensure package manager repositories are configured | Unix | CIS Debian 8 Workstation L1 v2.0.2
1.2.1 Ensure package manager repositories are configured | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.2.1 Ensure package manager repositories are configured | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.2.1 Ensure package manager repositories are configured | Unix | CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0
1.2.1 Ensure package manager repositories are configured | Unix | CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0
1.2.1 Ensure package manager repositories are configured | Unix | CIS Debian 8 Server L1 v2.0.2
1.15 Ensure 'Enable component updates in Google Chrome' is set to 'Enabled' | Windows | CIS Google Chrome L1 v2.1.0