Oracle® Solaris 11.4 Compliance Guide

Updated: August 2021
 
 

Running Assessments and Reports

The compliance package is required to run assessments and reports. By default, the solaris-small-server and solaris-large-server packages include the compliance package. The solaris-desktop and solaris-minimal packages do not include the compliance package. Managing the assessment directories and reports in the repository requires privilege.

You can create assessment reports for benchmarks, profiles, and tailorings. For information about tailorings, see Creating Tailorings From Compliance Benchmarks. You can run a specified assessment on a system at regular intervals, as described in Running Assessments at Regular Intervals.

You can run assessments locally or remotely.

  • By default, the compliance assess command assesses the local system.

  • You can assess a remote system from your system by using the -N node-URI option, where node-URI specifies the remote system in remote administration daemon (RAD) URI format.

  • You can assess several systems from your system by using a roster of host names in RAD URI format. Roster assessments run asynchronously. You use the compliance roster command to create and manage rosters.

By adding the -s store-URI option to the compliance assess command, you can transfer assessments to a common store (store-URI). For running remote assessments and for storing assessments in a common store, see Centrally Managing Compliance Assessments.

How to Run Assessments and Reports Locally

In this procedure, you create assessment reports locally.

Before You Begin

You must be assigned the Software Installation rights profile to add packages to the system. You must be assigned administrative rights for most compliance commands, as described in Rights to Run Compliance Assessments and Reports. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Install the compliance package in every zone where you plan to run compliance tests.
    $ pkg install compliance

    The following message indicates that the package is installed:

    No updates necessary for this image.

    For more information, see the pkg(1) man page.

  2. Install the pkg:/solaris/compliance/benchmark/ehc-solaris-policy package in every zone where you plan to run the ehc benchmark.
    $ pkg install benchmark/ehc-solaris-policy
  3. List the benchmarks and profiles that are available.
    $ compliance list -vp
        ehc:    Standard
                Oracle Enterprise Health Check (EHC) tests
        pci-dss:        Solaris_PCI-DSS
                PCI-DSS Security/Compliance benchmark for Oracle Solaris
        solaris:        Baseline, Recommended
                Oracle Solaris Security Policy
  4. Create an assessment.
    $ pfexec compliance assess -p profile -b benchmark -a assessment-name

    -p profile

    Indicates the name of the profile. The profile name is case sensitive.

    -b benchmark

    Indicates the name of the benchmark. The benchmark name is case sensitive.

    -a assessment-name

    Optional. Indicates the name of the assessment. The default name includes a time stamp.

    For example, the following command assesses the system using the Recommended profile and creates an assessment directory in the compliance repository for the assessment named recommended.

    $ pfexec compliance assess -p Recommended -b solaris -a recommended

    After the command completes, the reports are stored in a plain text log file named log, an XML file named results.xccdf.xml, and an HTML file named report.html.

    $ pfexec compliance report -a recommended
    /var/share/compliance/assessments/12345678-1111-1111-1111-12345678abcd/report.html

    If you run the same compliance assess command again, the files are not replaced. The system differentiates the assessments by UUID. For example:

    $ compliance list -a recommended
    recommended
        UUID: 12345678-1111-1111-1111-12345678abcd
        UUID: ab345678-1111-1111-1111-12345678abcd
  5. View the full report.

    You can view the log file in a text editor, view the HTML file in a browser, or view the XML file in an XML viewer.

    For example, to view the latest report.html, type the following browser entry:

    file:///var/share/compliance/assessments/ab345678-1111-1111-1111-12345678abcd/report.html

    To display an earlier assessment, use its UUID in the browser entry, as in:

    file:///var/share/compliance/assessments/12345678-1111-1111-1111-12345678abcd/report.html
  6. Fix any failures that must pass.
    1. Complete the fix for the entry that failed.
    2. If the fix includes rebooting the system, reboot the system before running the assessment again.
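
To decide which failures to fix first in step 6, you can summarize the results.xccdf.xml file that the assessment stores. The following Python script is an added example, not part of the Oracle documentation. It assumes that the file uses the standard XCCDF rule-result layout; the embedded sample and its rule IDs are constructed, and treating error and unknown results as needing attention is a choice made for this example.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in XCCDF result layout; rule IDs are placeholders, not real Solaris rules.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="sample">
  <TestResult id="sample-result">
    <rule-result idref="example-rule-1" severity="high"><result>pass</result></rule-result>
    <rule-result idref="example-rule-2" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="example-rule-3" severity="low"><result>notselected</result></rule-result>
    <rule-result idref="example-rule-4" severity="high"><result>fail</result></rule-result>
    <rule-result idref="example-rule-5" severity="medium"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Result values that call for follow-up (assumption for this example).
NEEDS_ATTENTION = {"fail", "error", "unknown"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def local(tag):
    """Strip the '{namespace}' prefix so XCCDF 1.1 and 1.2 files both match."""
    return tag.rsplit("}", 1)[-1]

def summarize(xml_data):
    """Return (Counter of result values, [(rule id, severity, result)] to fix)."""
    root = ET.fromstring(xml_data)
    counts, todo = Counter(), []
    for elem in root.iter():
        if local(elem.tag) != "rule-result":
            continue
        # A rule-result without a <result> child is counted as "unknown".
        result = next(((c.text or "").strip() for c in elem if local(c.tag) == "result"), "unknown")
        counts[result] += 1
        if result in NEEDS_ATTENTION:
            todo.append((elem.get("idref"), elem.get("severity", "unknown"), result))
    # Highest severity first, then rule ID, so the list reads as a work queue.
    todo.sort(key=lambda r: (SEVERITY_ORDER.get(r[1], 3), r[0]))
    return counts, todo

if __name__ == "__main__":
    # Pass the path to results.xccdf.xml, or run with no argument to use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XCCDF
    counts, todo = summarize(data)
    print(dict(counts))
    for rule, severity, result in todo:
        print(f"{result:5} {severity:7} {rule}")
```

Run the script with the path to results.xccdf.xml in the assessment directory that the compliance report command prints.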