
Oracle® Solaris 11.3 Security Compliance Guide


Updated: March 2018
 
 

How to Create a Tailoring From a Compliance Benchmark

Before You Begin

You must be assigned the Compliance Assessor rights profile to create a tailoring that can be added to the system store. For more information, see Rights to Run the compliance Command and Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Open the compliance editor.

    The following command sets options on the command line and opens the pick screen.

    $ pfexec compliance tailor -t basic
    *** compliance tailor: Can't get existing tailor "basic", initializing
    tailoring:basic> set benchmark=solaris
    tailoring:basic> exclude -a
    tailoring:basic> pick

      where

    • basic is the name of the tailoring

    • solaris is the source benchmark

    • exclude -a loads the solaris benchmark with none of the rules included

    • pick opens the pick screen

    The pick screen displays all of the rules in the solaris benchmark. None of them are included.

  2. On the pick screen, use the keyboard to include particular rules, exclude rules, and navigate.
    • The spacebar toggles between including and excluding an entry.

    • An x indicates an excluded rule.

    • A greater-than symbol (>) in reverse video indicates an included rule. No x is a second indication that the rule is included.

    • An exit or ESC returns you to the compliance tailor command line in interactive mode.

  3. Include a few basic rules.

    For example, you might include the rules OSC-53005, OSC-16005, OSC-35000, OSC-46014, OSC-01511, OSC-04511, and OSC-75511.

  4. Commit your changes, then exit the command-line interface.
    tailoring:basic> commit
    tailoring:basic> exit
    $

    Tailorings that you create with the compliance tailor command declare the benchmark and profile inside them.

  5. (Optional) Verify that the tailoring is in stable storage.
    $ pfexec compliance tailor list
    basic
  6. Test the tailoring and evaluate the output.
    $ pfexec compliance assess -t basic
    Assessment will be named 'basic.2015-10-10,10:10'
    Title   The OS version is correct
    Rule    OSC-53005
    Result  pass
    ...
    Title   Stacks are non-executable
    Rule    OSC-75511
    Result  pass
  7. (Optional) Display the assessment report in a browser.
    1. Locate the assessment.
      # compliance report
      /var/share/compliance/assessments/basic.2015-10-10,10:10/report.html
    2. Load the assessment into the browser.

      The following example shows a sample browser entry:

      file:///var/share/compliance/assessments/basic.2015-10-10,10:10/report.html
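
For scripted review of the output in step 6, the following added example (not part of the Oracle guide) parses the Title/Rule/Result records in the format shown above and lists every rule whose result is not pass. The function names and the embedded sample, including its fail result, are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `compliance assess` text output.
# Assumes the Title/Rule/Result record layout shown in step 6.

# non_pass_rules: read assessment text on stdin and print one line per rule
# whose result is not "pass", as RULE<TAB>RESULT<TAB>TITLE.
non_pass_rules() {
    awk '
        $1 == "Title"  { sub(/^[ \t]*Title[ \t]+/, ""); title = $0; next }
        $1 == "Rule"   { rule = $2; next }
        $1 == "Result" {
            # A Result line closes the record opened by Title and Rule.
            if (rule != "" && $2 != "pass")
                printf "%s\t%s\t%s\n", rule, $2, title
            title = ""; rule = ""
        }
    '
}

# assessment_ok: exit status 0 only when every rule on stdin passed,
# so a cron job or wrapper script can gate on it.
assessment_ok() {
    [ -z "$(non_pass_rules)" ]
}

# Constructed sample: rule IDs and titles are taken from the page,
# the "fail" result is invented here to exercise the filter.
SAMPLE_OUTPUT="Assessment will be named 'basic.2015-10-10,10:10'
    Title   The OS version is correct
    Rule    OSC-53005
    Result  pass
    Title   Stacks are non-executable
    Rule    OSC-75511
    Result  fail"

# Show the rules that need attention in the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | non_pass_rules
```

On a live system, pipe the output of `pfexec compliance assess -t basic` into `non_pass_rules` instead of the sample text.
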
Example 3  Loading a Different Tailoring

In this example, the administrator loads tailorings that are stored but not in current use.

$ pfexec compliance tailor
tailoring>list
basic
firsttest
testg
tailoring>load firsttest
tailoring:firsttest>info
    tailoring=firsttest
    benchmark=solaris
    profile: not set
tailoring:firsttest>load testg
tailoring:testg>