The following action Bash script works on Linux:
yum -y install yum-plugin-versionlock
yum versionlock <Package(s)>
if [ $? -eq 0 ]
<command(s) to be done like: yum -y update>
1 - It makes sure that version lock is installed
2 - It makes sure that the package(s) to be locked are
3 - if the lock fails, update will not take place and provides an error exit
4 - Post actions will not take place if error exit occurs
5 - If lock succeeds Command(s) executed with a successful exit
6 - if 5, any post actions listed will be done.
Further, if you wanted a reboot no matter of success or failure, then you can force an exit 0.
However, if a BASELINE is used, then everything seems to be out the window.
Have not tested if BigFix will apply package updates if yum is configured to not update a package.