Measuring security compliance (hereafter simply compliance) requires a set of rules that define a security benchmark or profile; a measurement of the system against that benchmark, called an assessment; and a report of the findings. The report can also be printed in guide form for training or archiving purposes.
Oracle Solaris provides the compliance command to measure security compliance. The command can generate, list, and delete assessments and reports. While any user can view compliance reports, you must have rights to manage and generate assessments. For more information, see Rights to Run the compliance Command and the compliance(1M) man page.
The compliance command checks local files only. If your system mounts file systems from other hosts, you must separately test the compliance of the clients and the servers. For example, if you mount user home directories from central servers, run the command on the user systems and on every home directory server.
Oracle Solaris provides two rights profiles to handle compliance assessment and report generation.
The Compliance Assessor rights profile enables users to perform assessments, place them in the assessment store in report format, and delete assessments from the store.
The Compliance Reporter rights profile enables users to locate and display existing assessments.
Compliance subcommands require the following rights:
compliance assess command – Requires all privileges and the solaris.compliance.assess authorization. The Compliance Assessor rights profile provides these rights.
compliance delete command – Requires write access to the assessment store and the solaris.compliance.assess authorization. The Compliance Assessor rights profile provides these rights.
compliance list command – Can be run by anyone who has basic rights. This command provides full visibility to both benchmarks and assessments.
compliance report command – Can be run by anyone, but the range of functionality varies according to the user's rights. Users who are assigned either the Compliance Assessor or Compliance Reporter profile can generate new reports in the assessment store. All users can view existing reports, but users with only basic rights cannot generate reports.
compliance tailor command – Can be run by users who are assigned the Compliance Assessor profile.
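The rights rules above lend themselves to a pre-flight check: before a script runs compliance assess, delete or tailor, confirm that the caller actually holds the solaris.compliance.assess authorization, and fail with a clear message otherwise rather than partway through. The script below is an added example, not part of the Oracle documentation or the compliance package. It assumes that the Solaris auths command prints the caller's authorizations (comma- or newline-separated), that compliance(1M) accepts the -b, -p, -a, -f and -o options as on Oracle Solaris 11.3, and that a benchmark named solaris with a profile named Baseline is installed; the benchmark and profile defaults are placeholders to replace with names shown by compliance list. Both external commands are overridable so the decision logic can be exercised with constructed output on a host without Solaris RBAC.

```shell
#!/bin/sh
# Rights pre-flight and assessment run for the Oracle Solaris compliance command.
# Added example, not Oracle's code. Assumes the Solaris 'auths' output format and
# the compliance(1M) options -b/-p/-a/-f/-o as on Solaris 11.3.

# Overridable so the logic can be tested with constructed output off-Solaris.
AUTHS_CMD="${AUTHS_CMD:-auths}"
COMPLIANCE_CMD="${COMPLIANCE_CMD:-compliance}"

# has_auth AUTH: succeeds if the caller holds exactly AUTH.
# auths may print one authorization per line or a comma-separated list.
has_auth() {
    $AUTHS_CMD 2>/dev/null | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq "$1"
}

# compliance_role: "assessor" when the caller holds solaris.compliance.assess
# (granted by the Compliance Assessor rights profile), otherwise "viewer".
compliance_role() {
    if has_auth solaris.compliance.assess; then
        echo assessor
    else
        echo viewer
    fi
}

# permitted SUBCOMMAND: succeeds if the caller's role allows SUBCOMMAND.
# 'report' is treated as viewing; generating a report additionally needs the
# Assessor or Reporter profile, which this check cannot distinguish.
permitted() {
    case "$1" in
        list|report) return 0 ;;
        assess|delete|tailor) [ "$(compliance_role)" = assessor ] ;;
        *) return 1 ;;
    esac
}

# run_assessment NAME [BENCHMARK] [PROFILE] [OUTFILE]: refuses early when the
# caller lacks assess rights, otherwise runs the assessment and renders it as
# an HTML report. Defaults 'solaris'/'Baseline' are assumed placeholder names.
run_assessment() {
    name=$1; bench=${2:-solaris}; prof=${3:-Baseline}; out=${4:-/tmp/$1.html}
    if ! permitted assess; then
        echo "run_assessment: requires the Compliance Assessor rights profile" \
             "(solaris.compliance.assess authorization)" >&2
        return 1
    fi
    $COMPLIANCE_CMD assess -b "$bench" -p "$prof" -a "$name" || return 1
    $COMPLIANCE_CMD report -a "$name" -f html -o "$out"
}

# assess_hosts NAME HOST...: because compliance checks local files only, run
# the same assessment on every client and file server. Assumes ssh access and
# that the remote account holds the Assessor rights.
assess_hosts() {
    name=$1; shift
    for h in "$@"; do
        ssh "$h" "compliance assess -b solaris -p Baseline -a '$name'" \
            || echo "assess_hosts: assessment failed on $h" >&2
    done
}

# Stand-alone use: ./compliance_run.sh ASSESSMENT_NAME [BENCHMARK] [PROFILE]
if [ $# -gt 0 ]; then
    run_assessment "$@"
fi
```

Users with only basic rights get a single explanatory error from run_assessment instead of a failure from compliance assess itself, and compliance list and report viewing remain open to everyone, matching the rights table above.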
The compliance rules, benchmarks, profiles, and commands are available in the pkg:/security/compliance package. The solaris-small-server and solaris-large-server package groups install this package.
For information about package groups, see Installing the Oracle Solaris OS in Oracle Solaris 11.3 Security and Hardening Guidelines.
For information about packages, see Oracle Solaris 11.3 Package Group Lists.
For a description of the compliance package, issue the pkg info compliance command.