Oracle® SuperCluster M8 and SuperCluster M7 Security Guide

Updated: June 2020

Generate a Compliance Assessment

To perform this task, you must be assigned the Software Installation rights profile to add packages to the system. You must be assigned administrative rights for most compliance commands.

  1. Install the compliance package.
    # pkg install compliance

    This message indicates that the package is installed:

    No updates necessary for this image.

    For more information, refer to the pkg(1) man page.


    Note -  Install the package in every zone where you plan to run compliance tests.
  2. List available benchmarks, profiles, and any previous assessments.

    In this example, there are two benchmarks.

    • pci-dss – includes one profile called Solaris_PCI-DSS

    • solaris – includes two profiles called Baseline and Recommended

    # compliance list -p
    Benchmarks:
    pci-dss: Solaris_PCI-DSS
    solaris: Baseline, Recommended
    Assessments:
    No assessments available
  3. Generate a compliance assessment.

    Run the compliance command with this syntax:

    compliance assess -b benchmark -p profile
    -b
    Specifies a particular benchmark. If not specified, the value defaults to solaris.
    -p
    Specifies the profile. The profile name is case sensitive. If not specified, the value defaults to the first profile of the benchmark.

    Examples:

    • Using the Recommended profile:

      # compliance assess -b solaris -p Recommended

      The command creates a directory in /var/share/compliance/assessments that contains the assessment in three files: a log file, an XML file, and an HTML file.

    • Using the PCI-DSS profile:

      # compliance assess -b pci-dss

    Note -  The pci-dss benchmark only has one profile, so the profile option (-p) is not required on the command line.
  4. Verify that compliance files were created.
    # cd /var/share/compliance/assessments/filename_timestamp
    # ls
    recommended.html
    recommended.txt
    recommended.xml

    Note -  If you run the same compliance command again, the files are not replaced. You must remove the files before reusing an assessment directory.
  5. (Optional) Create a customized report.

    You can run customized reports repeatedly. However, you can only run the assessment once in the original directory.

    In this example, the -s option is used to select which result types should appear in the report.

    By default, all result types appear in the report except notselected and notapplicable. Result types to display in addition to the default are specified as a comma-separated list. Individual result types can be suppressed by preceding them with a -, while starting the list with an = specifies exactly which result types should be included. Result types are: pass, fixed, notchecked, notapplicable, notselected, informational, unknown, error, or fail.

    # compliance report -s -pass,fail,notselected
    /var/share/compliance/assessments/filename_timestamp/report_A.html

    This command creates a report that contains failed and not selected items in HTML format. The report is run against the most recent assessment.
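
    The -s selection rules above, as an added example that is not part of Oracle's documentation: a small Python model that resolves an -s value to the set of result types a report would contain, so the effect of a string such as -pass,fail,notselected can be checked before a report is generated. The parsing rules are an interpretation of the text above, and the sample results are constructed.

```python
# Added example (not Oracle's code): models the documented selection rules of
# "compliance report -s". Rule interpretation is an assumption from the text;
# the sample results below are constructed, not real assessment output.

ALL_RESULT_TYPES = (
    "pass", "fixed", "notchecked", "notapplicable", "notselected",
    "informational", "unknown", "error", "fail",
)
# By default every result type appears except these two.
DEFAULT_EXCLUDED = {"notselected", "notapplicable"}


def resolve_result_types(spec):
    """Return the set of result types a report contains for the given -s value.

    spec is the comma-separated string passed to -s (None means no -s given):
      - a bare name adds that type to the default set
      - a name prefixed with '-' removes it from the set
      - a leading '=' discards the default set and uses exactly the listed types
    """
    if not spec:
        return set(ALL_RESULT_TYPES) - DEFAULT_EXCLUDED

    if spec.startswith("="):
        spec = spec[1:]
        selected = set()
    else:
        selected = set(ALL_RESULT_TYPES) - DEFAULT_EXCLUDED

    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        suppress = item.startswith("-")
        name = item[1:] if suppress else item
        if name not in ALL_RESULT_TYPES:
            raise ValueError("unknown result type: %r" % name)
        if suppress:
            selected.discard(name)
        else:
            selected.add(name)
    return selected


def filter_results(results, spec):
    """Keep only the (rule_id, result) pairs whose result type is selected."""
    wanted = resolve_result_types(spec)
    return [(rule, res) for rule, res in results if res in wanted]


# Constructed sample: hypothetical rule ids with one result type each.
SAMPLE_RESULTS = [("rule_a", "pass"), ("rule_b", "fail"),
                  ("rule_c", "notselected"), ("rule_d", "notapplicable")]
```

Running filter_results(SAMPLE_RESULTS, "-pass,fail,notselected") keeps rule_b and rule_c, matching the report described in this step.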

  6. View the full report.

    You can view the log file in a text editor, view the HTML file in a browser, or view the XML file in an XML viewer. For example, to view the customized HTML report from the preceding step, type the following browser entry:

    file:///var/share/compliance/assessments/filename_timestamp/report_A.html
  7. Fix any failures that your security policy requires to pass.

    If the fix includes rebooting the system, reboot the system before running the assessment again.

  8. Repeat the assessment until there are no failures.