# Section 17: Patch & Vulnerability Management

## Objective

This section outlines the procedures, tooling, and schedules for keeping software packages, container images, and infrastructure configurations in the OpenCMMC Stack patched and securely configured. It supports compliance with CMMC Level 2 practices in the System & Information Integrity (SI), Configuration Management (CM), and Risk Assessment (RA) domains.
## Continuous Patching Strategy

### 1. Host-Level Patching

| Component | Method | Schedule |
|---|---|---|
| Ubuntu OS | `apt update && apt upgrade` via Ansible | Weekly (auto), Monthly (manual) |
| Kernel/critical CVEs | `unattended-upgrades` + CVE tracking | Daily |
| System hardening validation | Ansible diff or compliance check | Monthly |
### 2. Container Image Refresh

| Component | Source | Validation |
|---|---|---|
| Podman images | `podman pull <image>` | Digest verification |
| Image integrity | `skopeo inspect` + SBOM check | `grype`, `trivy` |
| Drift detection | `ansible-playbook` dry-run | Weekly |
### 3. Vulnerability Scanning Tools

| Tool | Target | Purpose |
|---|---|---|
| `grype` | Local containers, images | SBOM and CVE scans |
| `trivy` | Container registry, file systems | Vulnerability + secret scan |
| `clamav` | File uploads in Nextcloud | Malware detection |
| `ansible-lint` | IaC playbook scan | Misconfig checks |
## Patch Lifecycle Automation (Ansible)

Role: `roles/patching`

Features:

- OS package updates
- Container image digest refresh
- Service restarts for updated dependencies
- Backup validation prior to changes
- Summary report email
## Verification Checklist

| Check | Method | Evidence |
|---|---|---|
| CVE reports resolved | `grype`, `trivy` | JSON scan reports |
| Kernel patches current | `uname -r`, `apt` | CLI output |
| Image digests match SBOM | `skopeo inspect` | Diff report |
| No critical unpatched packages | `apt list --upgradable` | CLI export |
| Patch playbook log exists | `ansible-playbook` log | Log file |
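The JSON scan report in the first row only becomes evidence of "CVE reports resolved" once something decides what the findings mean for the patch job. The following Python is an added example (not OpenCMMC Stack code) that triages a `grype` JSON report: findings at or above a severity threshold with an upstream fix available fail the gate, while findings with no fix yet are kept as tracked risk items to re-check on the next run. The `High` threshold and the sample report with placeholder CVE ids are constructed assumptions for the example.

```python
import json

# Severity order used by grype; anything not listed is treated as below threshold.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def triage(report: dict, min_severity: str = "High") -> dict:
    """Split grype matches at or above min_severity into two buckets:
    'blocking' (an upstream fix exists, so the patch job must apply it) and
    'tracked' (no fix yet; record as an accepted risk and re-check next run)."""
    threshold = SEVERITY_RANK[min_severity]
    buckets = {"blocking": [], "tracked": []}
    for match in report.get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        severity = vuln.get("severity", "Unknown")
        if SEVERITY_RANK.get(severity, -1) < threshold:
            continue
        fix = vuln.get("fix", {})
        entry = {
            "package": f'{art["name"]}@{art["version"]}',
            "cve": vuln["id"],
            "severity": severity,
            "fix": ", ".join(fix.get("versions", [])) or None,
        }
        bucket = "blocking" if fix.get("state") == "fixed" else "tracked"
        buckets[bucket].append(entry)
    return buckets


def passes_gate(report: dict, min_severity: str = "High") -> bool:
    """True when no fixable finding at or above the threshold remains."""
    return not triage(report, min_severity)["blocking"]


# Constructed sample in grype's JSON layout (placeholder CVE ids, not a real scan).
SAMPLE_REPORT = json.loads("""{"matches": [
  {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                     "fix": {"versions": ["1.2.3-1ubuntu0.2"], "state": "fixed"}},
   "artifact": {"name": "libexample", "version": "1.2.3-1ubuntu0.1"}},
  {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                     "fix": {"versions": [], "state": "not-fixed"}},
   "artifact": {"name": "othertool", "version": "4.0"}},
  {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                     "fix": {"versions": ["0.9"], "state": "fixed"}},
   "artifact": {"name": "minor", "version": "0.8"}}]}""")

if __name__ == "__main__":  # in a pipeline, load the real report in place of SAMPLE_REPORT
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
    raise SystemExit(0 if passes_gate(SAMPLE_REPORT) else 1)
```

The non-zero exit code on blocking findings lets the patch playbook treat an unresolved fixable CVE as a failed run, and the printed triage can be attached to the run log as the JSON evidence the checklist asks for.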
## Recommended Patch Schedule

| Frequency | Tasks |
|---|---|
| Daily | Security CVE polling, unattended upgrades |
| Weekly | OS & container image patch via Ansible |
| Monthly | Restore test, SBOM scan, role diff |
| Quarterly | Full stack rebuild in staging |
## CMMC Practices Addressed

| Practice | Description |
|---|---|
| SI.1.210 | Identify and manage system flaws |
| SI.2.214 | Update and patch system vulnerabilities |
| CM.2.067 | Monitor system configuration for change |
| RA.2.144 | Scan for vulnerabilities |
## Next Step

In Section 18, we'll define the incident response and forensics capabilities to prepare for breach scenarios and ensure auditability.