PCI DSS 3.2 Requirement 6: Develop and Maintain Secure Systems and Applications

6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:

• That applicable critical vendor-supplied security patches are installed within one month of release.

• All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months).

The Vulnerability Scan in USM Appliance can inventory patches and report those that are missing.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

• Family: Windows
• Family: AIX Local Security Checks
• Family: Amazon Linux Local Security Checks
• Family: CentOS Local Security Checks
• Family: Citrix Xenserver Local Security Checks
• Family: Debian Local Security Checks
• Family: Fedora Local Security Checks
• Family: FortiOS Local Security Checks
• Family: Free BSD Local Security Checks
• Family: Gentoo Local Security Checks
• Family: HP-UX Local Security Checks
• Family: JunOS Local Security Checks
• Family: Mac OSX Local Security Checks
• Family: Mandrake Local Security Checks
• Family: RedHat Local Security Checks
• Family: Solaris Local Security Checks
• Family: SuSE Local Security Checks
• Family: Ubuntu Local Security Checks
• Family: VMware Local Security Checks

Export successful scan results and identify findings to determine if system is configured correctly.

Run a Vulnerability Scan using the custom scan profile that was created.