Title

The macOS system must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). (Cat II impact)

Discussion

Security flaws with operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.

Check Content

Verify security-relevant software updates are installed on the operating system within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). Click the Apple icon on the menu at the top left corner of the screen. Select the "About This Mac" option. Select the "More Info..." button. Under the macOS section, there are details about the update version. Compare this to the latest available macOS update version. If the installed updates are not the latest and the latest updates have been available for 30 days or more, this is a finding.

Fix Text

Install the latest updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).

Additional Identifiers

Rule ID: SV-268575r1149426_rule

Vulnerability ID: V-268575

Group Title: SRG-OS-000439-GPOS-00195

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.