Go to main content

Oracle® Solaris 11.4 Compliance Guide

Exit Print View

Updated: August 2021
 
 

How to Create a Tailoring From a Compliance Benchmark

Before You Begin

You must be assigned the Compliance Assessor rights profile to create a tailoring that can be added to the system store. For more information, see Rights to Run Compliance Assessments and Reports and Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Open the compliance editor.

    The following command sets options on the command line and opens the pick screen.

    $ pfexec compliance tailor -t basic
    *** compliance tailor: Can't get existing tailor "basic", initializing
    tailoring:basic> set benchmark=solaris
    tailoring:basic> exclude -a
    tailoring:basic> pick

      where:

    • basic is the name of the tailoring

    • solaris is the source benchmark

    • exclude -a loads the solaris benchmark with none of the rules included

    • pick opens the pick screen

    The pick screen displays all of the rules in the solaris benchmark. None of them are included.

  2. On the pick screen, use the keyboard to include particular rules, exclude rules, and navigate.
    • The spacebar toggles between including and excluding an entry.

    • An x indicates an excluded rule.

    • A greater-than symbol (>) in reverse video indicates an included rule. No x is a second indication that the rule is included.

    • An exit or ESC returns you to the compliance tailor command line in interactive mode.

  3. Include a few basic rules.

    For example, you might include the rules OSC-53005, OSC-16005, OSC-35000, OSC-46000, OSC-01511, OSC-04511, and OSC-75511.

  4. (Optional)Display the contents of the tailoring.
    tailoring:basic> export
    set tailoring=basic
    # version=2016-09-07T22:07:02.000+00:00
    set benchmark=solaris
    exclude -a
    # OSC-53005: The OS version is current
    include OSC-53005
    # OSC-16005: All local filesystems are ZFS
    include OSC-16005
    # OSC-35000: /etc/motd and /etc/issue contain appropriate policy text
    include OSC-35000
    # OSC-46000: Passwords must be at least 8 characters long
    include OSC-46000
    # OSC-01511: Address Space Layout Randomization (ASLR) is enabled
    include OSC-01511
    # OSC-04511: Booting the system should require a password
    include OSC-04511
    # OSC-75511: Stacks are non-executable
    include OSC-75511
    tailoring:basic>

    Tailorings that you create with the compliance tailor declare the benchmark and profile inside them.

  5. Commit your changes then exit the command-line interface.
    tailoring:basic> commit
    tailoring:basic> exit
    #
  6. Test the tailoring and evaluate the output.
    $ pfexec compliance assess -t basic
    Assessment will be named 'basic.2016-09-07,07:07'
    Title   The OS version is correct
    Rule    OSC-53005
    Result  pass
    ...
    Title   Stacks are non-executable
    Rule    OSC-75511
    Result  pass
  7. (Optional)Display the assessment report in a browser.
    1. Locate the assessment.
      # compliance report
      /var/share/compliance/assessments/12345678-1111-1111-1111-12345678abcd/report.html
    2. Load the assessment into the browser.

      The following example shows a sample browser entry:

      file:///var/share/compliance/assessments/12345678-1111-1111-1111-12345678abcd/report.html
Example 3  Loading a Different Tailoring

In this example, the administrator loads tailorings that are stored but not in current use.

$ pfexec compliance tailor
tailoring>list
basic
firsttest
testg
tailoring>load firsttest
tailoring:firsttest>info
    tailoring=firsttest
    benchmark=solaris
    profile: not set
tailoring:firsttest>load testg
tailoring:testg>