Compliance assessments are complete. Reports can include every item in the assessment or can include a subset of the information in the assessment. Run assessments regularly, for example, as a cron job, to monitor the compliance of your system.
By default, the solaris-small-server and solaris-large-server packages include the compliance package. The solaris-desktop and solaris-minimal packages do not include the compliance package.
Before You Begin
You must be assigned the Software Installation rights profile to add packages to the system. You must be assigned administrative rights for most compliance commands, as described in Rights to Run the compliance Command. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
# pkg install compliance
The following message indicates that the package is installed:
No updates necessary for this image.
For more information, see the pkg(1) man page.
# compliance list -p
Benchmarks:
pci-dss: Solaris_PCI-DSS
solaris: Baseline, Recommended
Assessments:
No assessments available

# compliance assess -p profile -a assessment-directory

-p profile
Indicates the name of the profile. The profile name is case sensitive.

-a assessment-directory
Indicates the directory name of the assessment. The default name includes a time stamp.
For example, the following command creates an assessment using the Recommended profile.
# compliance assess -p Recommended -a recommended
The command creates a directory in /var/share/compliance/assessments named recommended that contains the assessment in three files: a log file, an XML file, and an HTML file.
# cd /var/share/compliance/assessments/recommended
# ls
recommended.html recommended.txt recommended.xml
If you run this command again, the files are not replaced. You must remove the files before reusing an assessment directory.
# compliance report -s -pass,fail,notselected
/var/share/compliance/assessments/recommended/report.-pass,fail,notselected.html
This command creates a report that contains failed and not selected items in HTML format. The report is run against the most recent assessment.
You can run customized reports repeatedly. However, you can run the full reports, that is, the assessment, only once in the original directory.
You can view the log file in a text editor, view the HTML file in a browser, or view the XML file in an XML viewer.
For example, to view the customized HTML report from the preceding step, type the following browser entry:
file:///var/share/compliance/assessments/recommended/report.-pass,fail,notselected.html
# crontab -e
For daily compliance assessments at 2:30 a.m., root adds the following entry:
30 2 * * * /usr/bin/compliance assess -b solaris -p Baseline
For weekly compliance assessments at 1:15 a.m. Sundays, root adds the following entry:
15 1 * * 0 /usr/bin/compliance assess -b solaris -p Recommended
For monthly assessments on the first of the month at 4:00 a.m., root adds the following entry:
0 4 1 * * /usr/bin/compliance assess -b pci-dss
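For assessments on the first Monday of the month at 3:45 a.m., root adds the following entry. Because cron runs an entry when either the day-of-month field or the day-of-week field matches, the weekday is tested in the command rather than in the day-of-week field:
45 3 1,2,3,4,5,6,7 * * [ "$(date +\%u)" = 1 ] && /usr/bin/compliance assess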
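When both the day-of-month and day-of-week fields of a crontab entry are restricted, cron runs the entry if either field matches, so a schedule written as 1,2,3,4,5,6,7 * 1 is not limited to the first Monday. The following Python sketch is an added example, not part of the Oracle documentation: it applies that rule to a constructed sample month (July 2015) and compares the result with a weekday guard in the command; all function names are hypothetical.

```python
import calendar
from datetime import date

def parse_field(field, lo, hi):
    """Expand a cron day field ('*', '5', '1-7', '1,15') into a set; None means unrestricted."""
    if field == "*":
        return None
    values = set()
    for part in field.split(","):
        start, _, end = part.partition("-")
        values.update(range(int(start), int(end or start) + 1))
    if not values <= set(range(lo, hi + 1)):
        raise ValueError(f"value out of range {lo}-{hi}: {field!r}")
    return values

def cron_day_matches(d, dom_field, dow_field):
    """crontab day rule: if both fields are restricted, a match on either one fires."""
    dom = parse_field(dom_field, 1, 31)
    dow = parse_field(dow_field, 0, 6)
    cron_dow = d.isoweekday() % 7          # cron numbering: 0 = Sunday ... 6 = Saturday
    if dom is None and dow is None:
        return True
    if dom is None:
        return cron_dow in dow
    if dow is None:
        return d.day in dom
    return d.day in dom or cron_dow in dow  # OR, not AND

def monday_guard(d):
    """Stand-in for a weekday test placed in the crontab command itself."""
    return d.isoweekday() == 1

def firing_days(year, month, dom_field, dow_field, guard=None):
    """Days of the month on which the entry's command actually runs."""
    last = calendar.monthrange(year, month)[1]
    days = (date(year, month, n) for n in range(1, last + 1))
    return [d.day for d in days
            if cron_day_matches(d, dom_field, dow_field)
            and (guard is None or guard(d))]

if __name__ == "__main__":
    # Constructed sample month: July 2015, whose first Monday is the 6th.
    print("both fields set:", firing_days(2015, 7, "1,2,3,4,5,6,7", "1"))
    print("with guard     :", firing_days(2015, 7, "1,2,3,4,5,6,7", "*", monday_guard))
```

An assessment directory is written for every run, so the unguarded schedule also produces eleven assessments in this sample month instead of one.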
# compliance guide -a
A guide contains the rationale for each security check and the steps to fix a failed check. Guides can be useful for training and as guidelines for future testing. By default, guides for each security profile are created at installation. If you add or change a benchmark, you might create a new guide.