Before You Begin
You must be assigned the Compliance Assessor rights profile to create a tailoring that can be added to the system store. For more information, see Rights to Run Compliance Assessments and Reports and Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
    $ pfexec compliance tailor -t basic
    *** compliance tailor: Can't get existing tailor "basic", initializing
    tailoring:basic> set benchmark=solaris
    tailoring:basic> exclude -a
    tailoring:basic> pick
basic is the name of the tailoring
solaris is the source benchmark
exclude -a loads the solaris benchmark with none of the rules included
pick opens the pick screen
The pick screen displays all of the rules in the solaris benchmark. None of them are included.
The spacebar toggles between including and excluding an entry.
An x indicates an excluded rule.
A greater-than symbol (>) in reverse video indicates an included rule. No x is a second indication that the rule is included.
An exit or ESC returns you to the compliance tailor command line in interactive mode.
For example, you might include the rules OSC-53005, OSC-16005, OSC-35000, OSC-46000, OSC-01511, OSC-04511, and OSC-75511.
    tailoring:basic> export
    set tailoring=basic
    # version=2016-09-07T22:07:02.000+00:00
    set benchmark=solaris
    exclude -a
    # OSC-53005: The OS version is current
    include OSC-53005
    # OSC-16005: All local filesystems are ZFS
    include OSC-16005
    # OSC-35000: /etc/motd and /etc/issue contain appropriate policy text
    include OSC-35000
    # OSC-46000: Passwords must be at least 8 characters long
    include OSC-46000
    # OSC-01511: Address Space Layout Randomization (ASLR) is enabled
    include OSC-01511
    # OSC-04511: Booting the system should require a password
    include OSC-04511
    # OSC-75511: Stacks are non-executable
    include OSC-75511
    tailoring:basic>
Tailorings that you create with the compliance tailor command declare the benchmark and profile inside them.
    tailoring:basic> commit
    tailoring:basic> exit
    #
    $ pfexec compliance assess -t basic
    Assessment will be named 'basic.2016-09-07,07:07'
            Title   The OS version is correct
            Rule    OSC-53005
            Result  pass
    ...
            Title   Stacks are non-executable
            Rule    OSC-75511
            Result  pass
    # compliance report
    /var/share/compliance/assessments/12345678-1111-1111-1111-12345678abcd/report.html
The following example shows a sample browser entry:
In this example, the administrator loads tailorings that are stored but not in current use.
    $ pfexec compliance tailor
    tailoring>list
    basic
    firsttest
    testg
    tailoring>load firsttest
    tailoring:firsttest>info
    tailoring=firsttest
    benchmark=solaris
    profile: not set
    tailoring:firsttest>load testg
    tailoring:testg>
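The export listing shown earlier on this page can be compared against an approved rule list before the tailoring is committed or reused. The following Python sketch is an added example, not part of the Oracle documentation or the compliance command; the function names, the approved list and the assumption that an export contains only set, exclude -a, include and comment lines are this example's own.

```python
import re

# Constructed sample: the export listing from this page, trimmed to three of its rules.
SAMPLE_EXPORT = """\
set tailoring=basic
# version=2016-09-07T22:07:02.000+00:00
set benchmark=solaris
exclude -a
# OSC-53005: The OS version is current
include OSC-53005
# OSC-01511: Address Space Layout Randomization (ASLR) is enabled
include OSC-01511
# OSC-75511: Stacks are non-executable
include OSC-75511
"""


def parse_export(text):
    """Return the settings, starting point and included rules of an exported tailoring."""
    result = {"settings": {}, "exclude_all": False, "included": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines, the version stamp and rule-title comments
        m = re.fullmatch(r"set\s+(\w+)=(\S+)", line)
        if m:
            result["settings"][m.group(1)] = m.group(2)
        elif line == "exclude -a":
            result["exclude_all"] = True
        elif re.fullmatch(r"include\s+\S+", line):
            result["included"].append(line.split()[1])
        else:
            result["unparsed"].append(line)  # anything this sketch does not model
    return result


def audit(text, benchmark, approved):
    """Compare an exported tailoring with an approved rule list; return a list of findings."""
    t = parse_export(text)
    included = set(t["included"])
    findings = []
    if t["settings"].get("benchmark") != benchmark:
        findings.append("benchmark is %r, expected %r" % (t["settings"].get("benchmark"), benchmark))
    if not t["exclude_all"]:  # assumption: approved tailorings start from an empty rule set
        findings.append("tailoring does not start from 'exclude -a'")
    findings += ["missing rule " + r for r in sorted(set(approved) - included)]
    findings += ["unapproved rule " + r for r in sorted(included - set(approved))]
    findings += ["unparsed line: " + u for u in t["unparsed"]]
    return findings
```

An empty list from audit() means the exported text matches the approved list; any other result names the difference to resolve before running an assessment with that tailoring.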