compliance list [-v] [-p]
compliance list -b [-v] [-p] [benchmark ...]
compliance list -a [-v] [assessment ...]
compliance assess [-p profile] [ -b benchmark] [ -a assessment]
compliance report [-f format] [-s what ] [ -a assessment] [-o pathname]
compliance delete assessment
The compliance program administers security compliance policies. The program has four commands: list, assess, report, and delete.
The compliance program produces security assessments and reports using benchmarks and profiles. An assessment is an evaluation of the security configuration of a system, conducted against a benchmark. A benchmark is a programmatically-interpretable specification of acceptable ranges of the security parameters of a system. A profile is a tailoring of a benchmark; the set of profiles is specified as part of the benchmark. A report is a form of the results of conducting an assessment.
The list command lists information about the installed named benchmarks and the conducted assessments. By default, the benchmarks and assessments are listed one per line. If the –v option is specificed, additional descriptive information about each of the policies or assessments is included in the output. The –b option restricts the information to benchmarks, while the –a option restricts the information to assessments. If the –p option is specified, the profiles for each benchmark are listed. The –a option cannot be specified with either the –b or –p option. If the benchmark parameter is present, the information is restricted to the matching benchmark. If the assessment parameter is present, the information is restricted to the matching assessment.
The assess command tests the current system configuration against a benchmark and creates a results repository. The –b option can be used to specify the benchmark; if not specified the value defaults to solaris. The benchmark argument can be either an installed named benchmark or the absolute pathname of a benchmark in XCCDF (Extensible Configuration Checklist Description Format). The assessment can be limited to the named profile by the use of the –p option; if not specified the value defaults to the first profile, if any, defined by the benchmark. The –a option can be used to specify the name of the assessment repository; if not specified the value defaults to one based the parameters of the assessment and when it was conducted. The user must have all zone privileges and the solaris.compliance.assess authorization to conduct assessments; a user assigned the Compliance Assessor rights profile has the rights to conduct assessments.
The report command provides the location of a report in the desired format for an assessment, generating the required format report if necessary. The –a option can be used to specify the name of the assessment repository; if not specified the value defaults to the most recently conducted assessment. If the –o option is not specified, the report is located in the assessment storage; a user assigned either the Compliance Reporter or Compliance Assessor rights profile has the rights to generate such reports. If the –o option is specified, the report is located at the pathname. The format of the compliance report can be selected by the –f option. Format options include log, xccdf, and html. The default is html format.
For reports in the html format, the –s option can be used to select which result types should appear in the report. By default, all result types appear in the report except notselected or notapplicable. The what operand is a comma separated list of result types to display in addition to the default. Individual results types can be suppressed by preceding them with a -, while starting the what list with an = specifies exactly which result types should be included. Result types are: pass, fixed, notchecked, notapplicable, notselected, informational, unknown, error, or fail.
The delete command removes the results repository for the specified assessment, including all associated reports.
The following exit values are returned:
The assess command may return this value indicating success of the command but incompliance of the assessed system.
The compliance command is delivered with a vendor-defined benchmark named solaris. The profiles of this benchmark are specified as thresholds, so that systems with more secure settings of individual configuration parameters can pass the profile. The solaris benchmark includes a Baseline profile corresponding to the default security configuration settings of a freshly-installed Oracle Solaris instance, and a Recommended profile corresponding to the vendor-recommended configuration for those systems where compatibilty with prior versions of Oracle Solaris is not a constraint.
The following example shows how to display the installed named benchmarks on the system:
% compliance list -bv cis.v1.0 CIS Solaris 11 Security Benchmark, v1.0.0 pci.v2.0 Payment Card Industry Data Security Standard, v2.0 solaris Solaris Security PolicyExample 2 Displaying the Profiles for the Solaris Benchmark
The following example shows how to display the profiles for the solaris benchmark:
% compliance list -bp solaris solaris: Baseline RecommendedExample 3 Assessing of the System by Using the Recommended Profile for the Solaris Benchmark
The following example shows how to take an assessement of the system by using the recommended profile for the Solaris benchmark, and store the results in the CHECK repository:
% compliance assess -p Recommended -b solaris -a CHECKExample 4 Generating a Report Which Includes the Items of the notselected Result Type
The following example shows how to generate a report which includes the items of the notselected result type, but suppress the informational result type:
% compliance report -s notselected,-informational -a CHECK /var/share/compliance/assessments/CHECK/report.-informational,notselected.html
Directory of compliance programs, data, and test benchmarks.
Directory of packaged compliance benchmarks.
Directory of compliance assessment and reports.
See attributes (5) for descriptions of the following attributes:
Solaris Security Guidelines
The compliance command is executed against only the current operating system image. If other zones or domains need to be verified, separate invocations of compliance should be made.
Users may use the following command to determine which version of the solaris benchmark being used for assessments:
% pkg info solaris-policy