Oracle® Solaris 11.3 Security Compliance Guide

Updated: March 2018
 
 

Running Assessments and Reports

The compliance package is required to run assessments and reports. By default, the solaris-small-server and solaris-large-server packages include the compliance package. The solaris-desktop and solaris-minimal packages do not include the compliance package. Managing the assessment directories and reports in the repository requires privilege.

You can create assessment reports for benchmarks, profiles, and tailorings. For information about tailorings, see Creating Tailorings From Compliance Benchmarks. You can run a specified assessment on a system at regular intervals, as described in Running Assessments at Regular Intervals.

How to Run Assessments and Reports

In this procedure, you create assessment reports locally.

Before You Begin

You must be assigned the Software Installation rights profile to add packages to the system. You must be assigned administrative rights for most compliance commands, as described in Rights to Run the compliance Command. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Install the compliance package in every zone where you plan to run compliance tests.
    $ pkg install compliance

    The following message indicates that the package is installed:

    No updates necessary for this image.

    For more information, see the pkg(1) man page.

  2. List the benchmarks and profiles that are available.
    $ compliance list -p
    Benchmarks:
    pci-dss:        Solaris_PCI-DSS
    solaris:        Baseline, Recommended
    Assessments:
          No assessments available
  3. Create an assessment.
    $ pfexec compliance assess -p profile -b benchmark -a assessment-name
    -p profile

    Indicates the name of the profile. The profile name is case sensitive.

    -b benchmark

    Indicates the name of the benchmark. The benchmark name is case sensitive.

    -a assessment-name

    Optional. Indicates the name of the assessment. The default name includes a time stamp.

    For example, the following command assesses the system using the Recommended profile and creates an assessment directory in the compliance repository for the assessment named recommended.

    $ pfexec compliance assess -p Recommended -b solaris -a recommended

    After the command completes, the reports are stored in a plain text log file named log, an XML file named results.xccdf.xml, and an HTML file named report.html.

    $ pfexec compliance list -v -a recommended
    recommended:      log report.html results.xccdf.xml

    If you run the same compliance assess command again, the files are not replaced. Supply a different name for the directory or do not use the -a option.

  4. View the full report.

    You can view the log file in a text editor, view the HTML file in a browser, or view the XML file in an XML viewer.

    For example, to view report.html, type the following browser entry:

    file:///var/share/compliance/assessments/recommended/report.html
  5. Fix any failures that must pass.
    1. Complete the fix for the entry that failed.
    2. If the fix includes rebooting the system, reboot the system before running the assessment again.
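
The following Python script is an added example, not part of the Oracle documentation. It reads the results.xccdf.xml file that step 3 creates and lists the rules whose result is fail, error, or unknown, which is the work list for step 5. It assumes the standard XCCDF rule-result layout; the sample XML and its rule ids are constructed, and element names are matched without their namespace so the XCCDF version does not matter.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: rule ids and namespace are illustrative, not Solaris output.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="constructed-result">
    <rule-result idref="example-rule-a" severity="high"><result>pass</result></rule-result>
    <rule-result idref="example-rule-b" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="example-rule-c" severity="low"><result>notselected</result></rule-result>
    <rule-result idref="example-rule-d" severity="high"><result>error</result></rule-result>
  </TestResult>
</Benchmark>"""

# XCCDF result values that mean a rule did not pass or could not be evaluated.
NEEDS_ATTENTION = {"fail", "error", "unknown"}


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def summarize(xml_data):
    """Return (Counter of result values, [(idref, severity, result)] needing attention)."""
    root = ET.fromstring(xml_data)  # local, tool-generated file; not for untrusted XML
    counts, attention = Counter(), []
    for elem in root.iter():
        if local(elem.tag) != "rule-result":
            continue
        texts = [(c.text or "").strip() for c in elem if local(c.tag) == "result"]
        result = texts[0] if texts else "unknown"  # no <result> child: treat as unknown
        counts[result] += 1
        if result in NEEDS_ATTENTION:
            attention.append((elem.get("idref"), elem.get("severity", "unknown"), result))
    return counts, attention


if __name__ == "__main__":
    # Path inferred from the report.html location in step 4, for example:
    #   /var/share/compliance/assessments/recommended/results.xccdf.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE  # no argument: run against the constructed sample
    counts, attention = summarize(data)
    print(", ".join(f"{k}={v}" for k, v in sorted(counts.items())))
    for idref, severity, result in attention:
        print(f"{result:8} {severity:8} {idref}")
    sys.exit(1 if attention else 0)
```

The script exits with status 1 when any rule needs attention, so it can gate a follow-up step after each assessment run.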