
Oracle® Solaris 11.3 Security Compliance Guide


Updated: March 2018
 
 

How to Schedule a Regular Assessment of a System Using Its Default Policy

Before You Begin

You must be assigned the Compliance Assessor rights profile to schedule assessments that can be added to the assessment store. To run the svccfg command, you must be assigned the Service Configuration rights profile. For more information, see Rights to Run the compliance Command and Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Change the default policy to the correct policy if needed.
    1. List the default policy.
      $ compliance get-policy
      Benchmark:      solaris
      Profile:        Baseline
      Tailoring:
    2. List the available benchmarks, profiles, and tailorings.
      $ compliance list -p
      pci-dss:        Solaris_PCI-DSS
      solaris:        Baseline, Recommended
      $ compliance list -t
              basic
              RKerberos

      You can also use the compliance tailor list command to list the available tailorings.

    3. Set the correct default policy for this system.

      In this example, you assign an existing tailoring as the default policy.

      $ pfbash ; compliance set-policy -t RKerberos
      $ compliance get-policy
      Benchmark:
      Profile:
      Tailoring:    RKerberos
  2. Before changing to a new schedule, return the schedule to the default schedule.
    $ svccfg -s compliance:default delcust
    $ svccfg -s compliance:default listprop scheduled
     scheduled           schedule
     scheduled/frequency integer     1
     scheduled/interval  astring     week
  3. Set the new schedule and list it.
    $ svccfg -s compliance:default setprop scheduled/property = type: value
    $ svccfg -s compliance:default listprop scheduled
    scheduled           schedule
    scheduled/frequency integer     1
    scheduled/interval  astring     week
    scheduled/property    type       value
    $ svcadm refresh compliance:default

    Several properties are defined for scheduled services, such as scheduled/hour and scheduled/day_of_week. For examples of these properties, see Example 11, Scheduling the Weekday and Hour of an Assessment and Example 12, Running a Policy Assessment Daily. For more information, see How to Schedule a Periodic or Scheduled Service in Managing System Services in Oracle Solaris 11.3 and the svc.periodicd(1M) man page.

  4. Refresh the service.
    $ svcadm refresh compliance:default
  5. Enable the service if it is not enabled.
    $ svcs -x compliance:default
    svc:/application/security/compliance:default (Scheduled compliance assessment)
     State: disabled since Fri Jan  8 10:10:10 2016
    Reason: Disabled by an administrator.
       See: http://support.oracle.com/msg/SMF-8000-05
       See: compliance(1M)
       See: /var/svc/log/application-security-compliance:default
    Impact: This service is not running.
    $ svcadm enable compliance:default
    $ svcs compliance:default
    STATE          STIME    FMRI
    online         10:21:22 svc:/application/security/compliance:default
  6. Verify that the initial run is scheduled.
    $ svcs -o lrun,nrun compliance:default
    LRUN     NRUN 
             Jan_08
  7. After the initial run, verify that the assessment ran.
    $ svcs -o lrun,nrun compliance:default
    LRUN     NRUN
    02:10:10 Jan_08
  8. (Optional) View the assessment in a browser.
    1. Locate the report.
      $ pfexec compliance report
      /var/compliance/assessments/solaris/tailoring1/tailoring1.2016-01-03,02:11/report.html
    2. To view the report, type the file location into the browser.
      file:///var/compliance/assessments/solaris/tailoring1/tailoring1.2016-01-03,02:11/report.html

Example 9  Setting the Default Policy to a Benchmark or Profile

This example sets the default policy to the Recommended profile of the solaris benchmark.

$ compliance list -p
pci-dss:        Solaris_PCI-DSS
solaris:        Baseline, Recommended
$ compliance set-policy -b solaris -p Recommended
$ compliance get-policy
Benchmark:      solaris
Profile:        Recommended
Tailoring:

Example 10  Setting the Default Policy to an Installed Tailoring

This example sets the default policy to a tailoring that was installed as a package. This example assumes that RKerberos was installed as a package on this system.

$ compliance set-policy -b solaris -t RKerberos
$ compliance get-policy
Benchmark:    solaris
Profile:      Recommended
Tailoring:    RKerberos

For the contents of the RKerberos tailoring, see Example 5, Creating a Kerberos Tailoring From the Recommended Profile.

Example 11  Scheduling the Weekday and Hour of an Assessment

In this example, the root role adds to the default schedule by specifying the day of the week and the hour that the assessment should run. After refreshing the service, root checks that the new schedule is valid.

$ svccfg -s compliance:default setprop scheduled/day = astring: Sunday
$ svccfg -s compliance:default setprop scheduled/hour = integer: 2
$ svccfg -s compliance:default listprop scheduled
scheduled           schedule
scheduled/frequency integer     1
scheduled/interval  astring     week
scheduled/day       astring     Sunday
scheduled/hour      integer     2
$ svcadm refresh compliance:default
$ svcs -x compliance:default
svc:/application/security/compliance:default (Scheduled compliance assessment)
 State: online since Fri Jan 08 11:11:11 2016
 ...

Example 12  Running a Policy Assessment Daily

In this example, the root role changes the assessment to run daily after 2 a.m. After refreshing the service, root checks that the new schedule is in effect.

$ pfbash ; svccfg -s compliance:default setprop scheduled/interval = astring: day
$ svccfg -s compliance:default setprop scheduled/hour = integer: 2
$ svcadm refresh compliance:default
$ svccfg -s compliance:default listprop scheduled
scheduled           schedule
scheduled/frequency integer     1
scheduled/interval  astring     day
scheduled/hour      integer     2
$ svcs compliance:default
STATE          STIME    FMRI
online          11:11:11 svc:/application/security/compliance:default
$ svcs -o lrun,nrun compliance:default
LRUN     NRUN
-        Jan_08
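
The verification steps in this procedure can be scripted so that schedule or policy drift is caught without reading the listings by eye. The following shell functions are an added example, not part of the Oracle guide: they parse the output formats shown above, the function names are hypothetical, and the sample listings are constructed from this page's examples.

```shell
# Added example (not from the Oracle guide); function names are hypothetical.

# get_prop NAME: print the value of NAME from `svccfg listprop` output on stdin.
get_prop() {
    while read -r name _type value; do
        if [ "$name" = "$1" ] && [ -n "$value" ]; then
            printf '%s\n' "$value"; return 0
        fi
    done
    return 1
}

# schedule_matches INTERVAL HOUR: succeed only if stdin lists exactly that schedule.
schedule_matches() {
    listing=$(cat)
    [ "$(printf '%s\n' "$listing" | get_prop scheduled/interval)" = "$1" ] &&
        [ "$(printf '%s\n' "$listing" | get_prop scheduled/hour)" = "$2" ]
}

# policy_field LABEL: print one field of `compliance get-policy` output on stdin.
policy_field() {
    while read -r label value; do
        if [ "$label" = "$1:" ]; then printf '%s\n' "$value"; return 0; fi
    done
    return 1
}

# has_run: succeed if `svcs -o lrun,nrun` output on stdin shows a last run.
# An empty LRUN leaves one field on the data line; "-" also means no run yet.
has_run() {
    read -r _heading || return 1
    read -r lrun nrun || return 1
    [ -n "$nrun" ] && [ "$lrun" != "-" ]
}

# Constructed samples in the formats shown on this page.
SAMPLE_LISTPROP='scheduled           schedule
scheduled/frequency integer     1
scheduled/interval  astring     day
scheduled/hour      integer     2'
SAMPLE_POLICY='Benchmark:    solaris
Profile:      Recommended
Tailoring:    RKerberos'
SAMPLE_BEFORE='LRUN     NRUN
-        Jan_08'
SAMPLE_AFTER='LRUN     NRUN
02:10:10 Jan_08'
printf '%s\n' "$SAMPLE_LISTPROP" | schedule_matches day 2 && echo "schedule: ok"
printf '%s\n' "$SAMPLE_AFTER" | has_run && echo "last run: recorded"
```

On a Solaris host, pipe the real command output into the functions instead of the samples, for example the output of svccfg -s compliance:default listprop scheduled into schedule_matches day 2.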