Category: DSPT Evidence Checklist
Reference: Standard 9: IT Protection
Requirement: Software is kept up to date with security patches
Evidence: Patching schedule or IT supplier confirmation of automatic patching
Platform: gp_booking_app — Multi-tenant GP Booking Platform
Date: 14 May 2026
| Item | Detail |
|---|---|
| Distro | Ubuntu 24.04.4 LTS (Noble) |
| Support Life | Standard Security Maintenance until April 2029 |
| Running Kernel | 6.8.0-107-generic |
| Installed Kernel | 6.8.0-111-generic |
| Last Reboot | 14 April 2026 (30 days uptime) |
| Reboot Required | Yes — kernel updated on 6 May 2026, pending restart |
| Setting | Value | Status |
|---|---|---|
| APT::Periodic::Update-Package-Lists | 1 (daily) | ✅ Active |
| APT::Periodic::Unattended-Upgrade | 1 (daily) | ✅ Active |
| Security repos enabled | noble-security | ✅ |
| Allowed origins | ${distro_id}:${distro_codename}, ${distro_id}:${distro_codename}-security | ✅ |
| Package blacklist | None | ✅ |
| Last unattended run | 14 May 2026 06:19 | ✅ |
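The table above is a point-in-time reading; the following shell script is an added example (not the page's or the platform's own tooling) that re-checks the same settings on a host so the evidence can be regenerated on demand. It assumes a Debian/Ubuntu host where `apt-config dump` prints options as `Key "value";` and `dpkg-query` lists kernel packages as `linux-image-<version>`; the `audit` argument and the helper names are my own. The helpers take file arguments so the checks can be run offline on captured output.

```shell
#!/bin/sh
# Added example, not the page's or the platform's own tooling: audits the
# unattended-upgrades and reboot settings shown in the table above.
# Assumes a Debian/Ubuntu host where "apt-config dump" prints options as
#   Key "value";
# and dpkg-query lists installed kernel packages as linux-image-<version>.
# The helpers take file arguments so the checks run offline on captured output.

# Print the value of one APT option from apt-config dump style text.
apt_opt() {
    # $1 = option name, $2 = file holding the dump
    sed -n "s/^$1 \"\(.*\)\";\$/\1/p" "$2" | head -n 1
}

# Exit 0 when both periodic jobs from the table are enabled (value "1").
periodic_enabled() {
    [ "$(apt_opt APT::Periodic::Update-Package-Lists "$1")" = "1" ] &&
    [ "$(apt_opt APT::Periodic::Unattended-Upgrade "$1")" = "1" ]
}

# Exit 0 when unattended-upgrades may reboot the host itself; the option is
# commented out in the stock 50unattended-upgrades, so "absent" means disabled.
auto_reboot_enabled() {
    [ "$(apt_opt Unattended-Upgrade::Automatic-Reboot "$1")" = "true" ]
}

# Newest installed kernel version from a list of package names, one per line
# (e.g. linux-image-6.8.0-111-generic -> 6.8.0-111-generic). The version-less
# meta-package linux-image-generic is skipped by requiring a leading digit.
newest_installed_kernel() {
    sed -n 's/^linux-image-\([0-9].*\)$/\1/p' "$1" | sort -V | tail -n 1
}

# Exit 0 when the running kernel is not the newest installed one, i.e. a
# kernel update is waiting for a reboot (the G4 situation in the gap table).
kernel_reboot_pending() {
    # $1 = running version (uname -r), $2 = newest installed version
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# Live audit of this host; prints one status line per check.
audit_host() {
    dump=$(mktemp); pkgs=$(mktemp)
    apt-config dump > "$dump"
    # Keep only packages in state "install ok installed".
    dpkg-query -W -f '${Status}\t${Package}\n' 'linux-image-*' 2>/dev/null |
        awk -F'\t' '$1=="install ok installed"{print $2}' > "$pkgs"
    running=$(uname -r); newest=$(newest_installed_kernel "$pkgs")
    periodic_enabled "$dump" && echo "periodic updates: active" \
                             || echo "periodic updates: NOT active"
    auto_reboot_enabled "$dump" && echo "automatic reboot: enabled" \
                                || echo "automatic reboot: disabled, needs a manual reboot process"
    if [ -f /var/run/reboot-required ] || kernel_reboot_pending "$running" "$newest"; then
        echo "reboot: REQUIRED (running $running, installed $newest)"
    else
        echo "reboot: not required (running $running)"
    fi
    rm -f "$dump" "$pkgs"
}

if [ "${1:-}" = "audit" ]; then audit_host; fi
```

Run as `sh dspt-apt-audit.sh audit` on the host; on the state recorded above it would report both periodic jobs active, automatic reboot disabled, and a required reboot because 6.8.0-107 is running while 6.8.0-111 is installed. The kernel comparison is deliberately separate from the `/var/run/reboot-required` marker: the marker disappears if anything deletes it, whereas the version mismatch persists until the new kernel is actually booted.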
| Container | Image | Age | Status |
|---|---|---|---|
| gp_booking_app | gp_booking_app:latest | Built today | ✅ |
| gp_booking_nginx | nginx:1.25 | 2 years old | ⚠️ v1.27 available |
| keycloak | quay.io/keycloak/keycloak:26.6.1 | 4 weeks | ✅ |
| wikijs | ghcr.io/requarks/wiki:latest | 3 months | ⚠️ Check for newer |
| postgres | postgres:15 | 5 weeks | ✅ |
| forgejo | forgejo:14.0 | 4 weeks | ✅ |
| directus | directus/directus:11.6.1 | 13 months | ⚠️ Very outdated |
| defectdojo | defectdojo/defectdojo-django:latest | 1 week | ✅ |
| redis | redis:7-alpine | 2 months | ✅ |
| Task | Schedule | Tool |
|---|---|---|
| OS security patches | Daily | unattended-upgrades |
| Container vulnerability scan | Weekly (Sat 3am) | Trivy |
| Network vulnerability scan | Weekly (Sun 3am) | Nmap |
| DefectDojo reporting | Weekly | Security scanner scripts |
| Docker image rebuilds | ❌ None | — |
| Patching documentation | ❌ None | — |
| Reboot management | ❌ None | — |
| # | Gap | Severity |
|---|---|---|
| G1 | No documented patching schedule — DSPT requires a formal schedule as evidence | High |
| G2 | No automated Docker image updates — containers stay on old versions indefinitely | High |
| G3 | 14 pending OS updates not applied — includes Docker toolchain updates | Medium |
| G4 | Reboot pending since 6 May — kernel security update not active until reboot | High |
| G5 | No patching evidence log — no record of what was patched, when, or by whom | High |
| G6 | nginx 1.25 is 2 years old — several CVEs patched in later 1.25.x and 1.26/1.27 | Medium |
| G7 | Directus 11.6.1 is 13 months old — multiple security releases since | Medium |
| # | Action | Detail | Priority |
|---|---|---|---|
| I1 | Apply pending updates | apt upgrade for 14 pending packages | High |
| I2 | Schedule reboot in maintenance window | Activate kernel 6.8.0-111 | High |
| I3 | Rebuild nginx image with 1.27 | Update Dockerfile/image tag | Medium |
| I4 | Rebuild/pull Directus latest | Update to current version | Medium |
| I5 | Pull latest for all Docker images | Refresh wikijs, postgres, redis, etc. | Medium |
| Cadence | Scope | Method | Evidence |
|---|---|---|---|
| Daily | OS security patches | unattended-upgrades (auto) | /var/log/unattended-upgrades/ |
| Weekly | Vulnerability scan | Trivy + Nmap + DefectDojo | DefectDojo dashboard |
| Monthly | Full OS update | apt update && apt upgrade | AuditLog record + wiki log |
| Monthly | Pending reboot check | ls /var/run/reboot-required | Scheduled task log |
| Quarterly | Docker image refresh | Pull latest + recreate containers | AuditLog record + wiki log |
| Quarterly | Full patching review | Document all changes | Wiki page update |
Option A: Cron-based (Simple)
A set of cron jobs and scripts will:
- Run apt update && apt upgrade with logging to /var/log/patching/
- Run docker pull for all production images
- Write an AuditLog model record for each run
Option B: Site Agent (Recommended)
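As an added example of what Option A could look like (this is not the platform's own script), the following shell script runs the monthly cycle and appends one line per step to an evidence log, which is the record gap G5 says is missing. It assumes Ubuntu with Docker and Docker Compose; `/var/log/patching/` is the directory named above, while the image list, the compose file path `/opt/gp_booking/docker-compose.yml`, the `run` argument and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the page's or the platform's own code: the cron-driven
# monthly cycle sketched in Option A, with an evidence log so that what was
# patched, when and by whom (gap G5) is recorded. Assumes Ubuntu with Docker
# and Docker Compose; /var/log/patching/ is the directory named above, while
# the image list, the compose file path and the "run" argument are assumptions.

LOG_DIR=${LOG_DIR:-/var/log/patching}
LOG_FILE=${LOG_FILE:-$LOG_DIR/patching.log}
COMPOSE_FILE=${COMPOSE_FILE:-/opt/gp_booking/docker-compose.yml}
IMAGES=${IMAGES:-"nginx:1.27 quay.io/keycloak/keycloak:26.6.1 postgres:15 redis:7-alpine"}

# Append one tab-separated evidence line: UTC time, host, operator, action, result.
log_record() {
    # $1 = action, $2 = result, $3 = log file (optional, defaults to $LOG_FILE)
    file=${3:-$LOG_FILE}
    mkdir -p "$(dirname "$file")"
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" \
        "${SUDO_USER:-$(id -un)}" "$1" "$2" >> "$file"
}

# Number of well-formed evidence lines in a log (for the quarterly review).
record_count() { awk -F'\t' 'NF==5' "$1" | wc -l | tr -d ' '; }

# Actions whose result starts with FAILED, one per line.
failed_actions() { awk -F'\t' 'NF==5 && $5 ~ /^FAILED/ {print $4}' "$1"; }

# "reboot required" / "no reboot required" from the marker file path.
reboot_state() { if [ -f "$1" ]; then echo "reboot required"; else echo "no reboot required"; fi; }

# Full OS update; apt output goes to a dated file, the summary to the evidence log.
os_patch() {
    pending=$(apt-get -s upgrade 2>/dev/null | grep -c '^Inst ')
    out=$LOG_DIR/apt-$(date +%F).log
    if DEBIAN_FRONTEND=noninteractive apt-get update -q > "$out" 2>&1 &&
       DEBIAN_FRONTEND=noninteractive apt-get upgrade -y -q >> "$out" 2>&1; then
        log_record "apt upgrade" "ok, $pending packages were pending"
    else
        log_record "apt upgrade" "FAILED, see $out"
        return 1
    fi
}

# Pull each production image, note whether it changed, then recreate containers.
refresh_images() {
    for img in $IMAGES; do
        old=$(docker image inspect --format '{{.Id}}' "$img" 2>/dev/null)
        if docker pull -q "$img" > /dev/null 2>&1; then
            new=$(docker image inspect --format '{{.Id}}' "$img")
            if [ "$old" = "$new" ]; then
                log_record "docker pull $img" "already current"
            else
                log_record "docker pull $img" "updated, image id changed"
            fi
        else
            log_record "docker pull $img" "FAILED"
        fi
    done
    if docker compose -f "$COMPOSE_FILE" up -d --remove-orphans > /dev/null 2>&1; then
        log_record "docker compose up -d" "ok"
    else
        log_record "docker compose up -d" "FAILED"
    fi
}

run_cycle() {
    mkdir -p "$LOG_DIR"
    log_record "monthly patch cycle" "started"
    os_patch
    refresh_images
    log_record "reboot check" "$(reboot_state /var/run/reboot-required)"
    log_record "monthly patch cycle" "finished"
}

if [ "${1:-}" = "run" ]; then run_cycle; fi
```

A root crontab entry such as `0 3 1 * * /usr/local/sbin/dspt-patch.sh run` gives the monthly cadence from the schedule table; the lines in `/var/log/patching/patching.log` can then be copied into the wiki log, and `failed_actions` surfaces any step that needs a follow-up before the quarterly review. The script records a pending reboot but does not reboot on its own, so the reboot still has to be scheduled into a maintenance window as action I2 describes.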
The existing Site Agent (ID 2) at https://gp.veripath.co.uk/integrations/agents/ can be configured to:
A patching log page will be maintained at /tasks/dspt-patching-log with:
Immediate (this week):
Short-term (this month):
4. Set up monthly patching automation (cron or Site Agent)
5. Refresh Docker images (nginx, Directus, Wiki.js, others)
6. Begin maintaining the patching log as DSPT evidence
Ongoing:
7. Monthly patching cycle with documented evidence
8. Quarterly Docker image refresh
9. Annual patching policy review