Oracle® Solaris 11.3 Security Compliance Guide

Updated: March 2018

How to Create a Package Manifest for a Tailoring

After testing your new tailoring thoroughly, you can create an IPS package to install the new rules file. The package manifest is an early step in package creation. For the steps in creating a package, see Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.3.

  1. Export a thoroughly tested tailoring.
    $ pfexec compliance tailor -t basic
    tailoring:basic> export -x -o basic.xccdf.xml
    tailoring:basic> exit

    The package that you create installs this file.

  2. Create a manifest with the package name and the suffix .p5m.

    Tip  -  Create your manifest in a working directory that will not be overwritten during updates, such as your home directory.

    The following output shows a sample template for a package manifest for a tailoring. This tailoring is based on the solaris benchmark, so the tailoring package is dependent on the solaris-policy package, which installs the solaris benchmark. The items in bold in the manifest are invariant. Long lines are continued on an indented second line for ease of reading. In the manifest, the lines are not broken.

    $ pfedit solaris-basic.p5m
    set name=pkg.fmri value=pkg://publisher-name/hierarchical-name/pkg-name@mainVersion.revision
    set name=pkg.summary value="summary"
    set name=pkg.description value="description"
    file ./exported-rules-file group=group mode=permissions owner=owner 
        path=usr/lib/compliance/benchmarks/solaris/tailorings/installed-rules-file.xml
    depend fmri=pkg:/security/compliance/benchmark/solaris-policy type=require

    where

    • pkg.fmri value= specifies the full name of the package. You provide this name. The publisher name is optional. You can provide it here or when you publish the package.

    • pkg.summary value= specifies the information that displays in the Summary field of the pkg info mainVersion command. You write the summary.

    • pkg.description value= specifies the information that displays in the Description field of the pkg info mainVersion command. You write the description.

    • file specifies where the tailoring is installed. The specification includes the source name and the installed name of the rules file for the tailoring, the directory location of the installed file without the initial slash (usr/lib/compliance/benchmarks/solaris/tailorings), and DAC permissions. The DAC permissions and location are fixed. You provide the name of the rules file that the package installs on the system. The name of the source rules file can be different from its installed version.

    • depend specifies that the package that delivers the source benchmark for your tailoring will be installed on your system if it is not already installed. This entry is required.

      Because basic tailoring is based on the solaris benchmark, the solaris-policy package will be installed on your system if it is not already installed. The solaris-policy package installs the directory /usr/lib/compliance/benchmarks/solaris/tailorings where your tailoring file is placed. To view the specification of this package, type the pkg contents -m solaris-policy command.


      Caution  -  In your package manifest, do not duplicate a path that has already been specified by a package that your package depends on.


  3. Create a manifest file from an existing file.
    1. Use the following example text as your manifest file.

      In this sample manifest, the solaris-basic.exportx.xml file from the example-IT repository is installed as the file basic.xccdf.xml.

      set name=pkg.fmri value=pkg://example-IT/security/compliance/tailorings/solaris-basic@1.0
      set name=pkg.summary value="Tailors a basic Solaris compliance assessment for all
          systems"
      set name=pkg.description value="This Solaris basic tailoring is applicable to all
          systems, development and production. All Oracle Solaris systems are expected
          to pass the rules in this tailoring."
      file ./solaris-basic.exportx.xml group=sys mode=0555 owner=root
          path=usr/lib/compliance/benchmarks/solaris/tailorings/basic.xccdf.xml
      depend fmri=pkg:/security/compliance/benchmark/solaris-policy type=require
    2. Modify the file, then save it.

      Note -  Be careful when typing the content of a package manifest. Make sure you join the lines that were too long to display on a single line.
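
The checks that this procedure implies, as an added example that is not part of Oracle's documentation or tooling. The shell function (hypothetical name lint_tailoring_manifest) flags lines left broken as they are displayed above. It also verifies the fixed install location, the DAC permissions shown in the sample manifests (group=sys mode=0555 owner=root), and the required solaris-policy dependency.

```sh
#!/bin/sh
# Added example, not Oracle tooling. lint_tailoring_manifest is a hypothetical
# helper; the values it enforces are the ones in this page's sample manifests.
TAILOR_DIR='usr/lib/compliance/benchmarks/solaris/tailorings'
POLICY_FMRI='pkg:/security/compliance/benchmark/solaris-policy'

# Usage: lint_tailoring_manifest FILE.p5m   (exit status 0 means no findings)
lint_tailoring_manifest() {
    awk -v dir="$TAILOR_DIR" -v dep="$POLICY_FMRI" '
    function bad(msg) { printf "%s: line %d: %s\n", FILENAME, NR, msg; errs++ }
    function attrs(   i, eq) {          # parse key=value fields of $0 into a[]
        split("", a)
        for (i = 2; i <= NF; i++) {
            eq = index($i, "=")
            if (eq) a[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
    }
    /^[ \t]*(#.*)?$/ { next }           # blank lines and comments
    /^[ \t]/ { bad("continuation line: join it to the action above"); next }
    { if (gsub(/"/, "\"") % 2) bad("unbalanced quote: value was split") }
    $1 == "set" && $2 == "name=pkg.fmri" { fmri++ }
    $1 == "file" {
        attrs(); files++
        p = a["path"]
        if (index(p, dir "/") != 1 || p !~ /\.xml$/ || p ~ /\.\./)
            bad("path must be an .xml file under " dir)
        if (a["mode"] != "0555") bad("mode must be 0555")
        if (a["owner"] != "root" || a["group"] != "sys")
            bad("owner/group must be root/sys")
    }
    $1 == "depend" {
        attrs()
        if (a["fmri"] == dep && a["type"] == "require") dep_ok = 1
    }
    END {
        if (fmri != 1)  { print FILENAME ": expected one pkg.fmri"; errs++ }
        if (files != 1) { print FILENAME ": expected one file action"; errs++ }
        if (!dep_ok)    { print FILENAME ": no require dependency on " dep; errs++ }
        exit (errs > 0)
    }' "$1"
}

# When run as a script with an argument, lint that manifest.
if [ $# -gt 0 ]; then lint_tailoring_manifest "$1"; fi
```

A manifest typed exactly as displayed on this page, with the path= attribute on its own indented line, fails both the continuation check and the path check.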

Example 6  Creating a Package Manifest for a Compliance Package for Oracle Solaris NFS Clients

    This example shows how to create a package manifest for a tailoring for NFS clients. The source name of the rules selection file is solaris-Baseline-nfs-client.exportx.xml. Its installed version is nfs-client.xccdf.xml. The tailoring is based on the Baseline profile of the solaris benchmark, so the package is dependent on the solaris-policy package.

  1. Export the tailoring and quit the editor.

    $ pfexec compliance tailor -t solaris-Baseline-nfs-client
    tailoring:solaris-Baseline-nfs-client> export -x -o sB-nfs-client.exportx.xml
    tailoring:solaris-Baseline-nfs-client> exit
  2. Create a manifest with the package name and fill out the manifest.

    $ pfedit /home/ooyl/packages/tailorings/solaris-Baseline-nfs-client.p5m
    set name=pkg.fmri value=pkg://corporate-IT/security/compliance/tailorings/
        solaris-Baseline-nfs-client@1.0
    set name=pkg.summary value="An NFS client tailoring for Solaris Baseline systems."
    set name=pkg.description value="This NFS tailoring is an adjunct to the solaris.Baseline
        profile. Assess all NFS client systems with this nfs-client tailoring."
    file ./sB-nfs-client.exportx.xml group=sys mode=0555 owner=root
        path=usr/lib/compliance/benchmarks/solaris/tailorings/nfs-client.xccdf.xml
    depend fmri=pkg:/security/compliance/benchmark/solaris-policy type=require

    Note -  A tailoring that is installed as a package is stored in the /usr/lib/compliance/benchmarks/name/tailorings directory.

Example 7  Creating Assessments and Reports From Tailorings

In this example, an administrator has installed two tailoring packages and has a tailoring testing file. solaris/ indicates that the installed tailoring packages are based on the solaris benchmark.

$ compliance tailor list
solaris/basic
solaris/RKerberos
testBaselinePlus

The Compliance Assessor administrator runs assessments for the installed tailorings and views the results in a browser.

  1. The administrator runs assessments for both tailorings.

    $ pfexec compliance assess -t solaris/basic
    Assessment will be named "basic.2015-11-12,10:10"
    Title   The OS version is correct
    Rule    OSC-53005
    Result  pass
    ...
    $ compliance report
    /var/compliance/assessments/solaris/basic/basic.2015-11-12,10:10/report.html
    $ pfexec compliance assess -t solaris/RKerberos
    Assessment will be named "RKerberos.2015-11-12,10:20"
    ...
    Title   Service svc:/network/rpc/gss is enabled
    Rule    OSC-62511
    Result  pass
    ...
    $ compliance report
    /var/compliance/assessments/solaris/RKerberos/RKerberos.2015-11-12,11:10/report.html
  2. The administrator views the reports by typing the following entries in a browser.

    file:///var/share/compliance/assessments/solaris/basic/basic.2015-11-12,10:10/report.html
    file:///var/share/compliance/assessments/solaris/RKerberos/RKerberos.2015-11-12,11:10/report.html

Next Steps

To complete the testing and delivery of this package, see Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.3. You should sign your tailoring packages. The packaging utility includes other attributes, such as facets, that you might want to use in the package manifest.