After testing your new tailoring thoroughly, you can create an IPS package to install the new rules file. The package manifest is an early step in package creation. For the steps in creating a package, see Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.4.
$ pfexec compliance tailor -t basic
tailoring:basic> export -x -o basic.xccdf.xml
tailoring:basic> exit
The following output shows a sample template for a package manifest for a tailoring. This tailoring is based on the solaris benchmark, so the tailoring package is dependent on the solaris-policy package, which installs the solaris benchmark. The items in bold in the manifest are invariant. Long lines are continued on an indented second line for ease of reading. In the manifest, the lines are not broken.
$ pfedit solaris-basic.p5m
set name=pkg.fmri value=pkg://publisher-name/hierarchical-namepkg-name@mainVersion.revision
set name=pkg.summary value="summary"
set name=pkg.description value="description"
file ./exported-rules-file group=group mode=permissions owner=owner
    path=usr/lib/compliance/benchmarks/solaris/tailorings/installed-rules-file.xml
depend fmri=pkg:/security/compliance/benchmark/solaris-policy type=require
pkg.fmri value= specifies the full name of the package. You provide this name. The publisher name is optional. You can provide it here or when you publish the package.
pkg.summary value= specifies the information that displays in the Summary field of the pkg info mainVersion command. You write the summary.
pkg.description value= specifies the information that displays in the Description field of the pkg info mainVersion command. You write the description.
file specifies where the tailoring is installed. The specification includes the source name and the installed name of the rules file for the tailoring, the directory location of the installed file without the initial slash (usr/lib/compliance/benchmarks/solaris/tailorings), and DAC permissions. The DAC permissions and location are fixed. You provide the name of the rules file that the package installs on the system. The name of the source rules file can be different from its installed version.
depend specifies that the package that delivers the source benchmark for your tailoring will be installed on your system if it is not already installed. This entry is required.
Because basic tailoring is based on the solaris benchmark, the solaris-policy package will be installed on your system if it is not already installed. The solaris-policy package installs the directory /usr/lib/compliance/benchmarks/solaris/tailorings where your tailoring file is placed. To view the specification of this package, type the pkg contents -m solaris-policy command.
Caution - In your package manifest, do not duplicate a path that has already been specified by a package that your package depends on.
In this sample manifest, the solaris-basic.exportx.xml file from the example-IT repository is installed as the file basic.xccdf.xml.
set name=pkg.fmri value=pkg://example-ITemail@example.com
set name=pkg.summary value="Tailors a basic Solaris compliance assessment for all systems"
set name=pkg.description value="This Solaris basic tailoring is applicable to all systems, development and production. All Oracle Solaris systems are expected to pass the rules in this tailoring."
file ./solaris-basic.exportx.xml group=sys mode=0555 owner=root
    path=usr/lib/compliance/benchmarks/solaris/tailorings/basic.xccdf.xml
depend fmri=pkg:/security/compliance/benchmark/solaris-policy type=require
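The following added example, which is not part of Oracle's documentation or tooling, checks a tailoring manifest against the constraints described above before it is published: the three set actions, the single rules file in the fixed location, the require dependency on solaris-policy, and the Caution about duplicating a path. It assumes that the fixed DAC values are the group=sys, mode=0555 and owner=root shown in the sample manifest; the function names and the placeholder package name are hypothetical.

```python
import shlex

TAILORING_DIR = "usr/lib/compliance/benchmarks/solaris/tailorings"
POLICY_FMRI = "pkg:/security/compliance/benchmark/solaris-policy"
REQUIRED_SET = ("pkg.fmri", "pkg.summary", "pkg.description")
# Assumption: the "fixed" DAC values are the ones the sample manifest uses.
FIXED_DAC = {"owner": "root", "group": "sys", "mode": "0555"}

def parse_actions(text):
    """Yield (action name, attribute dict) for each unbroken manifest line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tokens = shlex.split(line)  # a quoted value stays one token
            yield tokens[0], dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def check_manifest(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, names, files, dep_ok = [], set(), [], False
    for action, a in parse_actions(text):
        if action == "set":
            names.add(a.get("name"))
        elif action == "depend":
            dep_ok |= a.get("fmri") == POLICY_FMRI and a.get("type") == "require"
        elif action == "file":
            files.append(a)
        if a.get("path", "").rstrip("/") == TAILORING_DIR:  # the page's Caution
            findings.append(f"{action}: duplicates a path from solaris-policy")
    findings += [f"missing set name={n}" for n in REQUIRED_SET if n not in names]
    if not dep_ok:
        findings.append("missing require dependency on solaris-policy")
    if len(files) != 1:
        findings.append(f"expected one file action, found {len(files)}")
    for a in files:
        path = a.get("path", "")
        if not (path.startswith(TAILORING_DIR + "/") and path.endswith(".xml")):
            findings.append(f"rules file not in the tailorings directory: {path}")
        findings += [f"file {k}={a.get(k)}, expected {v}"
                     for k, v in FIXED_DAC.items() if a.get(k) != v]
    return findings

# Constructed manifest for the demonstration; the package name is a placeholder.
SAMPLE = """\
set name=pkg.fmri value=pkg://example-IT/placeholder-name@1.0
set name=pkg.summary value="Constructed sample summary"
set name=pkg.description value="Constructed sample description."
file ./solaris-basic.exportx.xml group=sys mode=0555 owner=root path=usr/lib/compliance/benchmarks/solaris/tailorings/basic.xccdf.xml
depend fmri=pkg:/security/compliance/benchmark/solaris-policy type=require
"""
print(check_manifest(SAMPLE) or "manifest follows the template")
```

The check reads the manifest as it is stored, with each action on one unbroken line, so a manifest copied from a listing with continued lines must be rejoined first.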
This example shows how to create a package manifest for a tailoring for NFS clients. The source name of the rules selection file is solaris-Baseline-nfs-client.exportx.xml. Its installed version is nfs-client.xccdf.xml. The tailoring is based on the Baseline profile of the solaris benchmark, so the package is dependent on the solaris-policy package.
Export the tailoring and quit the editor.
$ pfexec compliance tailor -t solaris-Baseline-nfs-client
tailoring:solaris-Baseline-nfs-client> export -x -o sB-nfs-client.exportx.xml
tailoring:solaris-Baseline-nfs-client> exit
Create a manifest with the package name and fill out the manifest.
$ pfedit /home/ooyl/packages/tailorings/solaris-Baseline-nfs-client.p5m
set name=pkg.fmri value=pkg://corporate-IT/security/compliance/tailorings/
    solaris-Baselinefirstname.lastname@example.org
set name=pkg.summary value="An NFS client tailoring for Solaris Baseline systems."
set name=pkg.description value="This NFS tailoring is an adjunct to the solaris.Baseline profile. Assess all NFS client systems with this nfs-client tailoring."
file ./sB-nfs-client.exportx.xml group=sys mode=0555 owner=root
    path=usr/lib/compliance/benchmarks/solaris/tailorings/nfs-client.xccdf.xml
depend fmri=pkg:/security/compliance/benchmark/solaris-policy type=require
In this example, an administrator has installed two tailoring packages and has a tailoring testing file. solaris/ indicates that the installed tailoring packages are based on the solaris benchmark.
$ compliance tailor list
solaris/basic
solaris/RKerberos
testBaselinePlus
The Compliance Assessor administrator runs assessments with the installed tailorings and views the results in a browser.
The administrator runs assessments for both tailorings.
$ pfexec compliance assess -t solaris/basic
Assessment will be named "basic.2015-11-11,10:10"
        Title   The OS version is correct
        Rule    OSC-53005
        Result  pass
...
% compliance report
/var/share/compliance/assessments/12341111-1111-1111-1111-12345678abcd/report.html
$ pfexec compliance assess -t solaris/RKerberos
Assessment will be named "RKerberos.2015-11-11,10:20"
...
        Title   Service svc:/network/rpc/gss is enabled
        Rule    OSC-62511
        Result  pass
...
$ compliance report
/var/share/compliance/assessments/abcd1111-1111-1111-1111-12345678abcd/report.html
The administrator views the reports by typing the following entries in a browser.
To complete the testing and delivery of this package, see Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.4. You should sign your tailoring packages. The packaging utility includes other attributes, such as facets, that you might want to use in the package manifest.