Oracle® Solaris 11.4 Compliance Guide

Updated: August 2021
 
 

compliance Command and Package

Measuring security compliance, hereafter called compliance, requires a set of rules that define a security benchmark or profile; a measurement of compliance to that benchmark, called an assessment; and a report of the findings. The report can also be printed in guide form for training or archiving purposes.


Note - Consider updating the pkg:/security/compliance package periodically so that you can run the latest version of the benchmarks without having to change the version of Oracle Solaris 11.4. Run the following command:
# pkg update compliance@latest

Oracle Solaris provides the compliance command to measure security compliance. The command can generate, list, and delete assessments and reports. While any user can view compliance reports, you must have rights to manage and generate assessments. For more information, see Rights to Run Compliance Assessments and Reports and the compliance(8) man page.

Many compliance commands can check remote systems as well as local systems. When you have completed Configuring Administrators to Run Remote Compliance Commands, the following compliance subcommands can run either remotely or locally:

assess

Runs a compliance assessment. See Running Assessments and Reports.

delete

Deletes the specified assessment. For examples, see Using Metadata to Manage Assessments.

explain

Lists the details of the rules in a specified benchmark or profile. See the compliance(8) man page.

get-options

Gets the default parameters of the compliance assess command.

get-policy

Shows the compliance policy that is in effect on the specified system. See Setting Policy and Assessment Options.

list

Lists the benchmarks, profiles, and rosters on a specified system. See Listing Compliance Information and Locating Assessments and Reports.

set-options

Sets the default parameters for the compliance assess command.

set-policy

Sets the default compliance policy for a specified system. See Setting Policy and Assessment Options.

The following compliance subcommands run on the local system only:

guide

Creates a guide of the compliance rules that are available on the system. See New Guides for New Benchmarks.

report

Shows the location of assessment reports. See Compliance Reports and Guides.

roster

Creates, modifies, and lists rosters, which are scripts that specify a set of systems to be assessed and the options of each assessment. See Running Multiple Remote Assessments.

store

Copies specified assessments, including all associated reports, to a remote assessment store. See Using a Common Store for Compliance Assessments.

tailor

Creates, modifies, and lists tailorings, which are customized sets of compliance rules. See Creating Tailorings From Compliance Benchmarks.

For mounted file systems, best practice is to separately test the compliance of the clients and the servers. For example, if you mount user home directories from central servers, run the compliance assess command on the user systems and on every home directory server. For how to run assessments on remote systems from a terminal window on your local system, see Running Remote Assessments on One or More Systems.


Note - The compliance command automates compliance assessment, not remediation.

Rights to Run Compliance Assessments and Reports

    Oracle Solaris provides two rights profiles to handle compliance assessment and report generation.

  • The Compliance Assessor rights profile enables users to perform assessments, place them in the assessment store in report format, and delete assessments from the store.

  • The Compliance Reporter rights profile enables users to locate and display existing assessments.

    Compliance subcommands require the following rights:

  • compliance assess command – Requires all privileges and the solaris.compliance.assess authorization. The Compliance Assessor rights profile provides these rights.

  • compliance delete command – Requires write access to the assessment store and the solaris.compliance.assess authorization. The Compliance Assessor rights profile provides these rights.

  • compliance list command – Requires read access to the assessment store to list and read assessments, reports, and any tailorings that are not yet packaged. Users with basic rights can list benchmarks, profiles, and packaged tailorings.

  • compliance report command – Requires read access to the assessment store to generate new reports. Users who are assigned the Compliance Assessor rights profile can generate reports and read the reports. Users with the Compliance Reporter rights profile can read the reports.

  • compliance tailor command – Requires write access to the assessment store and the solaris.compliance.assess authorization. The Compliance Assessor rights profile provides these rights.
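
A pre-flight check for these rights, as an added example that is not part of Oracle's guide: it reads what auths(1) and profiles(1) print for an account and reports, for assess, delete, tailor and report, whether the rights profile named above is assigned. The function names, the sample values and the assumed output layout (comma-separated authorizations, one rights profile per line) are constructed for illustration.

```sh
#!/bin/sh
# Added example: which compliance subcommands is an account set up to run?
# Input is the text printed by `auths USER` and `profiles USER`.

# has_auth AUTHS WANTED: AUTHS is comma-separated; a grant ending in "*"
# (such as solaris.compliance.*) covers every authorization under that prefix.
has_auth() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v want="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == want { found = 1 }
        /\*$/ { p = substr($0, 1, length($0) - 1)
                if (p != "" && index(want, p) == 1) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# has_profile PROFILES NAME: PROFILES holds one rights profile per line.
has_profile() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == want { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# rights_status SUBCOMMAND AUTHS PROFILES prints one of:
#   ok         Compliance Assessor is assigned
#   read-only  report only: Compliance Reporter can read existing reports
#   auth-only  solaris.compliance.assess held without Compliance Assessor, so
#              privileges and assessment-store access still need checking
#   missing    none of the above
rights_status() {
    case $1 in assess|delete|tailor|report) ;; *) echo unknown; return 0 ;; esac
    if has_profile "$3" "Compliance Assessor"; then echo ok
    elif [ "$1" = report ] && has_profile "$3" "Compliance Reporter"; then
        echo read-only
    elif [ "$1" != report ] && has_auth "$2" solaris.compliance.assess; then
        echo auth-only
    else echo missing; fi
}

# Constructed sample, used when auths(1) and profiles(1) are not available.
a='solaris.mail.mailq,solaris.compliance.*'
p='          Compliance Reporter
          Basic Solaris User'
if [ -n "${1:-}" ] && command -v auths >/dev/null 2>&1; then
    a=$(auths "$1"); p=$(profiles "$1")
fi
for sub in assess delete tailor report; do
    printf '%-7s %s\n' "$sub" "$(rights_status "$sub" "$a" "$p")"
done
```

The script checks only what auths and profiles print for the account; whether that account can read or write the assessment store is a file-permission question it does not test.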

compliance Package