Go to main content

Oracle® Solaris 11.3 Security Compliance Guide

Exit Print View

Updated: March 2018

Creating Tailorings From Compliance Benchmarks

The benchmarks that Oracle Solaris provides might report failures or false positives that do not accurately reflect the compliance of particular systems. For these systems, you can create tailorings, which are inclusions or exclusions of rules, or modifications of rules with variable values, from these benchmarks. Rules with variable values are explicitly marked in the interface. By modifying a variable used in a rule, you can include the rule while providing a more fine-grained expression of your security policy. You can then use these tailorings to assess the security posture of your site.

You create a tailoring by including or excluding rules from a benchmark, profile, or tailoring, then saving the new rule set under a different name. You can create multiple tailorings from a source benchmark and the tailorings are independent of each other. Every tailoring has a unique name.

You can use tailorings to assess the compliance of systems to a few rules or to many rules. You can save a tailoring in a form to be incorporated in an IPS package for installation on many systems. See How to Create a Package Manifest for a Tailoring.

Users who are assigned the Compliance Assessor rights profile can create tailorings and run assessments and reports. For details, see Rights to Run the compliance Command. To create a tailoring, you modify the selection of rules in a benchmark or profile. You do not and cannot modify the rules themselves. Because the source of a tailoring is a particular benchmark, that benchmark must be installed on a system where you run the tailoring.

Tip  -  Before creating a tailoring, print the table of contents for your source benchmark or profile. The table of contents contains the titles and numbers of the rules that you might want to exclude or include in your tailoring. Good sources for a table of contents are the guide for a benchmark or a compliance report in HTML format.
  • If the tailoring will modify only a few rules from the source, start the tailoring by excluding all rules (exclude -a), then include the few rules you want or change the variable values of certain rules.
  • Otherwise, exclude or include a few rules from the source benchmark or profile, or change the variable values of certain rules.