
The mobile operating system must support automated patch management tools to facilitate flaw remediation of all software components on the device.


Overview

Finding ID: V-33183
Version: SRG-OS-000192-MOS-000104
Rule ID: SV-43581r1_rule
IA Controls: (none listed)
Severity: High
Description

The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed. Left unpatched, software may be vulnerable to a variety of exploits that could disclose sensitive information or lead to subsequent security breaches. An automated patch management system can mitigate this risk.

In the context of this IA control, automation is interpreted broadly and covers patch management systems that involve user acknowledgement of patches or user-initiated patches after automatic notification of the availability of a patch. Automation is judged from the perspective of the commercial mobile device (CMD) user; system administrators may still need to perform several manual steps to prepare patches for distribution and modify CMD configuration so the device can receive patches. However, patch systems that require CMD users to take additional steps beyond a one-step acknowledgment or request for the patch in order to locate, download, install, or verify the patch are not considered automated.

Some user involvement in the patch process is a defense-in-depth measure to protect CMD and DoD networks. In particular, it mitigates the risk of carrier-initiated patches, which have been known to include malware. Mobile device management (MDM) systems also mitigate the risk of unpatched CMD: if a user does not install a required patch for whatever reason, the MDM system may deny the CMD access to DoD networks and, when the risk warrants it, remotely disable the device.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41444r3_chk)
Verify the mobile operating system supports automated patch management tools to facilitate flaw remediation of all software components on the device. Identify which elements of the system are automated and which require human intervention.

Verify that installing a patch does not require the user to do more than acknowledge the patch or request the patch after receiving a notification of its availability. Some patches may require the user to restart the system to complete installation, but the patch system may still be considered automated in this case. The patch system may also be considered automated if patches are distributed on removable media used to load the operating system, so long as this is the routine established method for loading the operating system and applications, patches cannot be installed through other means, and the user is not required to perform additional steps beyond user authentication and acceptance of the updates.

If the mobile operating system does not support automated patching of all software components on the device, or does not support patching at all, this is a finding.
Fix Text (F-37084r2_fix)
Implement automated patch management tools on the mobile operating system to facilitate flaw remediation of all software components on the device.