{"description": "To configure <tt>dnf-automatic</tt> to install only security updates\nautomatically, set <tt>upgrade_type</tt> to <tt>security</tt> under\nthe <tt>[commands]</tt> section in <tt>/etc/dnf/automatic.conf</tt>.", "rationale": "By default, <tt>dnf-automatic</tt> installs all available updates.\nLimiting the updated packages to only those updates that were\nissued as part of a security advisory increases system stability.", "severity": "low", "references": {"nist": ["SI-2(5)", "CM-6(a)", "SI-2(c)"], "srg": ["SRG-OS-000191-GPOS-00080"], "anssi": ["R61"], "ism": ["1493"]}, "control_references": {"anssi": ["R61"], "ism": ["1493"]}, "components": [], "identifiers": {}, "ocil_clause": "the upgrade_type is not set to security", "ocil": "To verify that only security updates will be automatically installed by dnf-automatic, run the following command:\n<pre>$ sudo grep upgrade_type /etc/dnf/automatic.conf</pre>\nThe output should return the following:\n<pre>upgrade_type = security</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "not bootc and not container", "platforms": ["not bootc and not container"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["not_container_and_not_bootc"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Configure dnf-automatic to Install Only Security Updates", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml", "template": null}