800-53|SI-2(5)

Title

AUTOMATIC SOFTWARE / FIRMWARE UPDATES

Description

The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].

Supplemental

Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Organizations must balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and with any mission or operational impacts that automatic updates might impose.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: SYSTEM AND INFORMATION INTEGRITY

Parent Title: FLAW REMEDIATION

Family: SYSTEM AND INFORMATION INTEGRITY

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2 Enable Auto Update	Unix	CIS Apple macOS 10.12 L1 v1.2.0
1.2 Enable Auto Update	Unix	CIS Apple OSX 10.10 Yosemite L1 v1.2.0
1.2 Enable Auto Update	Unix	CIS Apple OSX 10.11 El Capitan L1 v1.1.0
1.2 Enable Auto Update	Unix	CIS Apple macOS 10.13 L1 v1.1.0
1.2 Enable Auto Update Checks	Unix	CIS Apple OSX 10.9 L1 v1.3.0
1.2.4.7.2 Set 'Reschedule Automatic Updates scheduled installations' to 'Enabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.7.4 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.7.5 Set 'Configure Automatic Updates' to 'Enabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.7.7 Set 'Scheduled install day' to '0 - Every day'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.7.8 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.7.9 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
1.3 Enable app update installs	Unix	CIS Apple OSX 10.9 L1 v1.3.0
1.3 Enable app update installs	Unix	CIS Apple OSX 10.11 El Capitan L1 v1.1.0
1.3 Enable app update installs	Unix	CIS Apple OSX 10.10 Yosemite L1 v1.2.0
1.3 Enable app update installs	Unix	CIS Apple macOS 10.13 L1 v1.1.0
1.3 Enable app update installs	Unix	CIS Apple macOS 10.12 L1 v1.2.0
1.4 Enable system data files and security update installs - 'ConfigDataInstall'	Unix	CIS Apple OSX 10.11 El Capitan L1 v1.1.0
1.4 Enable system data files and security update installs - 'ConfigDataInstall'	Unix	CIS Apple macOS 10.12 L1 v1.2.0
1.4 Enable system data files and security update installs - 'ConfigDataInstall'	Unix	CIS Apple OSX 10.10 Yosemite L1 v1.2.0
1.4 Enable system data files and security update installs - 'CriticalUpdateInstall'	Unix	CIS Apple macOS 10.12 L1 v1.2.0
1.4 Enable system data files and security update installs - 'CriticalUpdateInstall'	Unix	CIS Apple OSX 10.10 Yosemite L1 v1.2.0
1.4 Enable system data files and security update installs - 'CriticalUpdateInstall'	Unix	CIS Apple OSX 10.11 El Capitan L1 v1.1.0
1.4 Enable system data files and security update installs - ConfigDataInstall	Unix	CIS Apple OSX 10.9 L1 v1.3.0
1.4 Enable system data files and security update installs - CriticalUpdateInstall	Unix	CIS Apple OSX 10.9 L1 v1.3.0
1.4 Enable system data files and security updates install - 'ConfigDataInstall'	Unix	CIS Apple macOS 10.13 L1 v1.1.0
1.4 Enable system data files and security updates install - 'CriticalUpdateInstall'	Unix	CIS Apple macOS 10.13 L1 v1.1.0
1.5 Enable macOS update installs	Unix	CIS Apple macOS 10.12 L1 v1.2.0
1.5 Enable macOS update installs	Unix	CIS Apple macOS 10.13 L1 v1.1.0
1.5 Enable OS X update installs	Unix	CIS Apple OSX 10.11 El Capitan L1 v1.1.0
1.5 Enable OS X update installs	Unix	CIS Apple OSX 10.10 Yosemite L1 v1.2.0
1.6.1 Ensure 'Verify Update Server Identity' is enabled	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.6.1 Ensure 'Verify Update Server Identity' is enabled	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
2.1 Enable Automatic Updates - app.update.auto	Windows	CIS Mozilla Firefox 38 ESR Windows L1 v1.0.0
2.1 Enable Automatic Updates - app.update.enabled	Windows	CIS Mozilla Firefox 38 ESR Windows L1 v1.0.0
2.4 Set Update Interval Time Checks	Unix	CIS Mozilla Firefox 38 ESR Linux L1 v1.0.0
2.4 Set Update Interval Time Checks	Windows	CIS Mozilla Firefox 38 ESR Windows L1 v1.0.0
3.6 Ensure Relational Database Service Instances have Auto Minor Version Upgrade Enabled	amazon_aws	CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
4.1 Configure 'Automatically check for Internet Explorer updates'	Windows	CIS IE 9 v1.0.0
18.9.102.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.102.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.102.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.102.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.102.4 Ensure 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.102.4 Ensure 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.102.5 Ensure 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.102.5 Ensure 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.102.6 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.102.6 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.102.7 Ensure 'Reschedule Automatic Updates scheduled installations' is set to 'Enabled: 1 minute'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.102.7 Ensure 'Reschedule Automatic Updates scheduled installations' is set to 'Enabled: 1 minute'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0

Detections

Analytics