Measuring security compliance, hereafter called compliance, requires a set of rules that define a security benchmark or profile; a measurement of the system against that benchmark, called an assessment; and then a report of the findings. The report can also be printed in guide form for training or archiving purposes.
# pkg update compliance@latest
Oracle Solaris provides the compliance command to measure security compliance. The command can generate, list, and delete assessments and reports. While any user can view compliance reports, you must have rights to manage and generate assessments. For more information, see Rights to Run Compliance Assessments and Reports and the compliance(8) man page.
Many compliance commands can check remote systems as well as local systems. When you have completed Configuring Administrators to Run Remote Compliance Commands, the following compliance subcommands can run either remotely or locally:
Runs a compliance assessment. See Running Assessments and Reports.
Deletes the specified assessment. For examples, see Using Metadata to Manage Assessments.
Lists the details of the rules in a specified benchmark or profile. See the compliance(8) man page.
Gets the default parameters of the compliance assess command.
Shows the compliance policy that is in effect on the specified system. See Setting Policy and Assessment Options.
Lists the benchmarks, profiles, and rosters on a specified system. See Listing Compliance Information and Locating Assessments and Reports.
Sets the default parameters for the compliance assess command.
Sets the default compliance policy for a specified system. See Setting Policy and Assessment Options.
The following compliance subcommands run on the local system only:
Creates a guide of the compliance rules that are available on the system. See New Guides for New Benchmarks.
Shows the location of assessment reports. See Compliance Reports and Guides.
Creates, modifies, and lists rosters, which are scripts that specify a set of systems to be assessed and the options of each assessment. See Running Multiple Remote Assessments.
Copies specified assessments, including all associated reports, to a remote assessment store. See Using a Common Store for Compliance Assessments.
Creates, modifies, and lists tailorings, which are customized sets of compliance rules. See Creating Tailorings From Compliance Benchmarks.
For mounted file systems, best practice is to separately test the compliance of the clients and the servers. For example, if you mount user home directories from central servers, run the compliance assess command on the user systems and on every home directory server. For how to run assessments on remote systems from a terminal window on your local system, see Running Remote Assessments on One or More Systems.
Oracle Solaris provides two rights profiles to handle compliance assessment and report generation.
The Compliance Assessor rights profile enables users to perform assessments, place them in the assessment store in report format, and delete assessments from the store.
The Compliance Reporter rights profile enables users to locate and display existing assessments.
Compliance subcommands require the following rights:
compliance list command – Requires read access to the assessment store to list and read assessments, reports, and any tailorings that are not yet packaged. Users with basic rights can list benchmarks, profiles, and packaged tailorings.
compliance report command – Requires read access to the assessment store to generate new reports. Users who are assigned the Compliance Assessor rights profile can generate reports and read the reports. Users with the Compliance Reporter rights profile can read the reports.
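The following is an added example, not part of the Oracle documentation: a small pre-flight script that maps the rights profiles assigned to the caller (as printed by the profiles command) to the compliance subcommands those profiles permit, and builds one assessment name per system so that clients and home-directory servers can be assessed separately, as recommended above. The profile output, the Baseline profile name and the host names used in the comments are constructed placeholders; the script assumes the -p and -a options of compliance assess as documented in the compliance(8) man page.

```shell
#!/bin/sh
# Pre-flight helper for Oracle Solaris compliance assessments (added example).

# Read rights profiles, one per line, on stdin (e.g. from `profiles`) and print
# the compliance actions the page associates with them:
#   Compliance Assessor -> assess, report, delete
#   Compliance Reporter -> list and read existing reports
#   no compliance profile -> list benchmarks/profiles only (basic rights)
allowed_actions() {
    assess=0
    report=0
    while IFS= read -r p; do
        case "$p" in
            "Compliance Assessor") assess=1; report=1 ;;
            "Compliance Reporter") report=1 ;;
        esac
    done
    if [ "$assess" -eq 1 ]; then
        echo "assess report delete"
    elif [ "$report" -eq 1 ]; then
        echo "list report"
    else
        echo "list"
    fi
}

# Build a distinct assessment name from profile, host and date so that the
# client assessment and each home-directory server assessment stay separate.
assessment_name() {
    printf '%s-%s-%s\n' "$1" "$2" "$3"
}

# Run the assessment on this system only if the caller holds assess rights.
# Constructed usage: run_assessment Baseline
run_assessment() {
    profile="$1"
    actions=$(profiles | allowed_actions)
    case " $actions " in
        *" assess "*) ;;
        *) echo "Compliance Assessor rights profile required" >&2; return 1 ;;
    esac
    name=$(assessment_name "$profile" "$(hostname)" "$(date +%Y%m%d)")
    compliance assess -p "$profile" -a "$name"
}
```

Run it once on the user system and once on every home-directory server; the assessment names then identify which system each report describes.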
The compliance rules, benchmarks, profiles, and commands are available in the pkg:/security/compliance package. The solaris-small-server and solaris-large-server package groups install this package.
For information about package groups, see Installing the Oracle Solaris OS in Oracle Solaris 11.4 Security and Hardening Guidelines.
For a description of the compliance package, issue the pkg info compliance command.