Before You Begin
You must be assigned the Compliance Assessor rights profile to schedule assessments that can be added to the assessment store. To run the svccfg command, you must be assigned the Service Configuration rights profile. For more information, see Rights to Run the compliance Command and Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
$ compliance get-policy
Benchmark: solaris
Profile: Baseline
Tailoring:
$ compliance list -p
pci-dss: Solaris_PCI-DSS
solaris: Baseline, Recommended
$ compliance list -t
basic RKerberos
You can also use the compliance tailor list command to list the available tailorings.
In this example, you assign an existing tailoring as the default policy.
$ pfbash ; compliance set-policy -t RKerberos
$ compliance get-policy
Benchmark:
Profile:
Tailoring: RKerberos
$ svccfg -s compliance:default delcust
$ svccfg -s compliance:default listprop scheduled
scheduled schedule
scheduled/frequency integer 1
scheduled/interval astring week
$ svccfg -s compliance:default setprop scheduled/property = type: value
$ svccfg -s compliance:default listprop scheduled
scheduled schedule
scheduled/frequency integer 1
scheduled/interval astring week
scheduled/property type value
$ svcadm refresh compliance:default
Several properties are defined for scheduled services, such as scheduled/hour and scheduled/day_of_week. For examples of these properties, see Example 11, Scheduling the Weekday and Hour of an Assessment and Example 12, Running a Policy Assessment Daily. For more information, see How to Schedule a Periodic or Scheduled Service in Managing System Services in Oracle Solaris 11.3 and the svc.periodicd(1M) man page.
$ svcadm refresh compliance:default
$ svcs -x compliance:default
svc:/application/security/compliance:default (Scheduled compliance assessment)
State: disabled since Fri Jan 8 10:10:10 2016
Reason: Disabled by an administrator.
See: http://support.oracle.com/msg/SMF-8000-05
See: compliance(1M)
See: /var/svc/log/application-security-compliance:default
Impact: This service is not running.
$ svcadm enable compliance:default
$ svcs compliance:default
STATE STIME FMRI
online 10:21:22 svc:/application/security/compliance:default
$ svcs -o lrun,nrun compliance:default
LRUN NRUN
Jan_08
$ svcs -o lrun,nrun compliance:default
LRUN NRUN
02:10:10 Jan_08
$ pfexec compliance report
/var/compliance/assessments/solaris/tailoring1/tailoring1.2016-01-03,02:11/report.html
file:///var/compliance/assessments/solaris/tailoring/tailoring.2016-01-03,02:11/report.html
This example sets the default policy to the Recommended profile of the solaris benchmark.
$ compliance list -p
pci-dss: Solaris_PCI-DSS
solaris: Baseline, Recommended
$ compliance set-policy -b solaris -p Recommended
$ compliance get-policy
Benchmark: solaris
Profile: Recommended
Tailoring:
Example 10 Setting the Default Policy to an Installed Tailoring
This example sets the default policy to a tailoring that was installed as a package. This example assumes that RKerberos was installed as a package on this system.
$ compliance set-policy -b solaris -t RKerberos
$ compliance get-policy
Benchmark: solaris
Profile: Recommended
Tailoring: RKerberos
For the contents of the RKerberos tailoring, see Example 5, Creating a Kerberos Tailoring From the Recommended Profile.
Example 11 Scheduling the Weekday and Hour of an Assessment
In this example, the root role adds to the default schedule by specifying the day of the week and the hour that the assessment should run. After refreshing the service, root checks that the new schedule is valid.
$ svccfg -s compliance:default setprop scheduled/day = astring: Sunday
$ svccfg -s compliance:default setprop scheduled/hour = integer: 2
$ svccfg -s compliance:default listprop scheduled
scheduled schedule
scheduled/frequency integer 1
scheduled/interval astring week
scheduled/day astring Sunday
scheduled/hour integer 2
$ svcadm refresh compliance:default
$ svcs -x compliance:default
svc:/application/security/compliance:default (Scheduled compliance assessment)
State: online since Fri Jan 08 11:11:11 2016
...
Example 12 Running a Policy Assessment Daily
In this example, the root role changes the assessment to run daily after 2 a.m. After refreshing the service, root checks that the new schedule is in effect.
$ pfbash ; svccfg -s compliance:default setprop scheduled/interval = astring: day
$ svccfg -s compliance:default setprop scheduled/hour = integer: 2
$ svcadm refresh compliance:default
$ svccfg -s compliance:default listprop scheduled
scheduled schedule
scheduled/frequency integer 1
scheduled/interval astring day
scheduled/hour integer 2
$ svcs compliance:default
STATE STIME FMRI
online 11:11:11 svc:/application/security/compliance:default
$ svcs -o lrun,nrun compliance:default
LRUN NRUN
- Jan_08
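The following script is an added example, not part of the Oracle documentation. It checks captured listprop and get-policy output against the schedule and policy you intended to configure, so that drift in the scheduled assessment is caught. The function names sched_prop, policy_field and audit_compliance are hypothetical helpers, and the sample input is constructed from the listings in the examples above.

```shell
#!/bin/sh
# Constructed sample input, copied from the listings on this page.
# On a live system, capture the real output instead with:
#   svccfg -s compliance:default listprop scheduled
#   compliance get-policy
SAMPLE_PROPS='scheduled schedule
scheduled/frequency integer 1
scheduled/interval astring day
scheduled/hour integer 2'
SAMPLE_POLICY='Benchmark: solaris
Profile: Recommended
Tailoring: RKerberos'

# Print the value of one scheduled/<name> property from listprop output.
sched_prop() {
    printf '%s\n' "$1" | awk -v p="scheduled/$2" '$1 == p { print $3; exit }'
}

# Print one field (Benchmark, Profile or Tailoring) from get-policy output.
policy_field() {
    printf '%s\n' "$1" | awk -F': *' -v f="$2" '$1 == f { print $2; exit }'
}

# Return 0 only if the schedule interval and the named policy field match
# what was intended and scheduled/hour, when present, is an hour of the day.
# Args: listprop-output get-policy-output interval policy-field policy-value
audit_compliance() {
    interval=$(sched_prop "$1" interval)
    hour=$(sched_prop "$1" hour)
    actual=$(policy_field "$2" "$4")
    rc=0
    if [ "$interval" != "$3" ]; then
        echo "FAIL: interval is '${interval:-unset}', expected '$3'"; rc=1
    fi
    # scheduled/hour is optional; an unset hour is not treated as an error.
    case "$hour" in
        '') ;;
        *[!0-9]*) echo "FAIL: hour '$hour' is not an integer"; rc=1 ;;
        *) [ "$hour" -le 23 ] || { echo "FAIL: hour $hour out of range"; rc=1; } ;;
    esac
    if [ "$actual" != "$5" ]; then
        echo "FAIL: $4 is '${actual:-unset}', expected '$5'"; rc=1
    fi
    return $rc
}

audit_compliance "$SAMPLE_PROPS" "$SAMPLE_POLICY" day Tailoring RKerberos && echo PASS
```

Run it from cron or a configuration-management check with the live command output substituted for the sample variables; a nonzero exit status means the schedule or default policy no longer matches the intended values.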