Details
Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights.
http://www.thesafemac.com/tag/xprotect/
https://support.apple.com/en-us/HT202491
Rationale:
Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited
Impact:
Unpatched software may be exploited
Solution
Perform the following to implement the prescribed state:
Open a terminal session and enter the following command to enable install system data files and security updates:
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Unix.