The compliance package is required to run assessments and reports. By default, the solaris-small-server and solaris-large-server packages include the compliance package. The solaris-desktop and solaris-minimal packages do not include the compliance package. Managing the assessment directories and reports in the repository requires privilege.
You can create assessment reports for benchmarks, profiles, and tailorings. For information about tailorings, see Creating Tailorings From Compliance Benchmarks. You can run a specified assessment on a system at regular intervals, as described in Running Assessments at Regular Intervals.
You can run assessments locally or remotely.
By default, the compliance assess command assesses the local system.
You can assess a remote system from your system by using the -N node-URI option, where node-URI specifies the remote system in remote administration daemon (RAD) URI format.
You can assess several systems from your system by using a roster of host names in RAD URI format. Roster assessments run asynchronously. You use the compliance roster command to create and manage rosters.
By adding the -s store-URI option to the compliance assess command, you can transfer assessments to a common store (store-URI). For running remote assessments and for storing assessments in a common store, see Centrally Managing Compliance Assessments.
In this procedure, you create assessment reports locally.
Before You Begin
You must be assigned the Software Installation rights profile to add packages to the system. You must be assigned administrative rights for most compliance commands, as described in Rights to Run Compliance Assessments and Reports. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
$ pkg install compliance
The following message indicates that the package is installed:
No updates necessary for this image.
For more information, see the pkg(1) man page.
$ pkg install benchmark/ehc-solaris-policy
$ compliance list -vp
ehc: Standard
Oracle Enterprise Health Check (EHC) tests
pci-dss: Solaris_PCI-DSS
PCI-DSS Security/Compliance benchmark for Oracle Solaris
solaris: Baseline, Recommended
Oracle Solaris Security Policy
$ pfexec compliance assess -p profile -b benchmark -a assessment-name
-p profile
Indicates the name of the profile. The profile name is case sensitive.
-b benchmark
Indicates the name of the benchmark. The benchmark name is case sensitive.
-a assessment-name
Optional. Indicates the name of the assessment. The default name includes a time stamp.
$ pfexec compliance assess -p Recommended -b solaris -a recommended
$ pfexec compliance report -a recommended
/var/share/compliance/assessments/12345678-1111-1111-1111-12345678abcd/report.html
If you run the same compliance assess command again, the files are not replaced. The system differentiates the assessments by UUID. For example:
$ compliance list -a recommended
recommended
UUID: 12345678-1111-1111-1111-12345678abcd
UUID: ab345678-1111-1111-1111-12345678abcd
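The UUID listing can be mapped to the report location of each run with a short script. This is an added example, not part of the Oracle documentation: the function names, the ASSESS_ROOT variable and the sample listing are assumptions, and the path layout is the one shown in the compliance report output above.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation).
# ASSESS_ROOT is the directory shown in the report path on this page;
# it can be overridden for testing.
ASSESS_ROOT=${ASSESS_ROOT:-/var/share/compliance/assessments}

# Read `compliance list -a NAME` output on stdin and print one UUID per line.
# Tokens are taken only after a literal "UUID:" label and must have the
# 36-character lowercase hex-and-hyphen shape seen on this page, so nothing
# else in the output can end up inside a file path.
assessment_uuids() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "UUID:") print $(i + 1) }' |
    while read -r uuid; do
        case $uuid in
            *[!0-9a-f-]*) continue ;;
        esac
        if [ "${#uuid}" -eq 36 ]; then
            printf '%s\n' "$uuid"
        fi
    done
}

# For each UUID in the listing on stdin, print "present" or "missing"
# followed by the path where that run's report.html would be.
report_status() {
    assessment_uuids | while read -r uuid; do
        path=$ASSESS_ROOT/$uuid/report.html
        if [ -f "$path" ]; then state=present; else state=missing; fi
        printf '%s %s\n' "$state" "$path"
    done
}

# Constructed sample listing, modelled on the two-run output above,
# plus one malformed entry that must be rejected.
SAMPLE='recommended
UUID: 12345678-1111-1111-1111-12345678abcd
UUID: ab345678-1111-1111-1111-12345678abcd
UUID: ../../etc'

printf '%s\n' "$SAMPLE" | report_status
```

On a live system, pipe the output of compliance list -a assessment-name into report_status instead of the sample.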
You can view the log file in a text editor, view the HTML file in a browser, or view the XML file in an XML viewer.
To display an earlier assessment, use its UUID in the browser entry, as in: