The compliance package is required to run assessments and reports. By default, the solaris-small-server and solaris-large-server packages include the compliance package. The solaris-desktop and solaris-minimal packages do not include the compliance package. Managing the assessment directories and reports in the repository requires privilege.
You can create assessment reports for benchmarks, profiles, and tailorings. For information about tailorings, see Creating Tailorings From Compliance Benchmarks. You can run a specified assessment on a system at regular intervals, as described in Running Assessments at Regular Intervals.
In this procedure, you create assessment reports locally.
Before You Begin
You must be assigned the Software Installation rights profile to add packages to the system. You must be assigned administrative rights for most compliance commands, as described in Rights to Run the compliance Command. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
$ pkg install compliance
The following message indicates that the package is installed:
No updates necessary for this image.
For more information, see the pkg(1) man page.
$ compliance list -p
Benchmarks:
pci-dss:        Solaris_PCI-DSS
solaris:        Baseline, Recommended
Assessments:
        No assessments available
$ pfexec compliance assess -p profile -b benchmark -a assessment-name
-p profile
    Indicates the name of the profile. The profile name is case sensitive.
-b benchmark
    Indicates the name of the benchmark. The benchmark name is case sensitive.
-a assessment-name
    Optional. Indicates the name of the assessment. The default name includes a time stamp.
For example, the following command assesses the system using the Recommended profile and creates an assessment directory in the compliance repository for the assessment named recommended.
$ pfexec compliance assess -p Recommended -b solaris -a recommended
After the command completes, the reports are stored in a plain text log file named log, an XML file named results.xccdf.xml, and an HTML file named report.html.
$ pfexec compliance list -v -a recommended
recommended:
        log
        report.html
        results.xccdf.xml
If you run the same compliance assess command again, the files are not replaced. Supply a different name for the directory or do not use the -a option.
You can view the log file in a text editor, view the HTML file in a browser, or view the XML file in an XML viewer.
For example, to view report.html, type the following browser entry:
file:///var/share/compliance/assessments/recommended/report.html
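As an alternative to an XML viewer, the results.xccdf.xml file can be summarized with a short script. The following is an added example, not part of the Oracle documentation: it counts XCCDF rule-result outcomes and lists the failed rules. The embedded sample and its rule IDs are constructed, and the function names are hypothetical; elements are matched by local name, so the XCCDF namespace version in a real file does not matter.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, not output from a real assessment.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed">
  <TestResult id="constructed_result">
    <rule-result idref="constructed_rule_1"><result>pass</result></rule-result>
    <rule-result idref="constructed_rule_2"><result>fail</result></rule-result>
    <rule-result idref="constructed_rule_3"><result>notselected</result></rule-result>
    <rule-result idref="constructed_rule_4"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def local(tag):
    """Strip the '{namespace}' prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def summarize(xml_data):
    """Return (Counter of result values, list of failed rule idrefs).

    xml_data may be str or bytes; pass bytes when reading a file so the
    parser honours the encoding declared in the XML header.
    """
    root = ET.fromstring(xml_data)
    counts = Counter()
    failed = []
    for elem in root.iter():
        if local(elem.tag) != "rule-result":
            continue
        # A rule-result with no <result> child is counted as "unknown".
        result = "unknown"
        for child in elem:
            if local(child.tag) == "result" and child.text:
                result = child.text.strip()
        counts[result] += 1
        if result == "fail":
            failed.append(elem.get("idref", "?"))
    return counts, failed


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    counts, failed = summarize(data)
    for result, n in sorted(counts.items()):
        print(f"{result:15} {n}")
    for rule in failed:
        print("FAILED:", rule)
```

Pass the path of an assessment's results.xccdf.xml as the first argument; with no argument the script runs on the constructed sample.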