compliance - Administer security compliance tests
compliance [subcommand subcommand_options ...]
The compliance command administers security compliance policies.
The compliance command produces security guides, assessments, and reports using benchmarks and profiles. A guide is a document describing the policy of a benchmark and the tests made to ensure compliance to that policy. An assessment is an evaluation of the security configuration of a system, conducted against a benchmark. A benchmark is a programmatically-interpretable specification of acceptable ranges of the security parameters of a system. A profile selects which tests from a benchmark are to be evaluated in an assessment; a set of profiles is specified as part of the benchmark. A tailoring specifies a profile externally to a benchmark. A report is a form of the results of conducting an assessment.
The command has eight subcommands: assess, delete, get-policy, guide, list, report, set-policy, and tailor.
The assess subcommand tests the current system configuration against a benchmark and creates a results repository.
The -a option can be used to specify the name of the assessment repository. If it is not specified, the value defaults to one based on the parameters of the assessment and when it was conducted.
The -b option can be used to specify the benchmark. The benchmark argument must be an installed named benchmark.
The assessment can be limited to the named profile by the use of the -p option. If the -p option is not specified, the value defaults to the first profile, if any, defined by the benchmark.
The -t option specifies that the assessment should be conducted against the specified tailoring. If the -b option is also specified, an installed tailoring is assumed, as if the tailoring operand alone had been given as benchmark/tailoring. Since the profile is implicitly specified by the tailoring, the -p option cannot be used in conjunction with the -t option.
If none of the -b, -p, and -t options is specified, the benchmark, profile, and tailoring are taken from the default policy. For more information, see the set-policy subcommand.
The user must have all zone privileges and the solaris.compliance.assess authorization to conduct assessments. A user assigned the Compliance Assessor rights profile has the rights to conduct assessments.
The delete subcommand removes the results repository for the specified assessment, including all associated reports.
The get-policy subcommand displays the default assessment policy. For more information, see the set-policy subcommand.
The guide subcommand provides the location of documentation, in html format, describing the compliance requirements for a given benchmark, generating if necessary either the specific guide or the guides for all installed benchmarks.
If the -a option is specified, guides are generated for all installed benchmarks and associated profiles.
In the case of an individual guide, the -b option can be used to specify the benchmark. The benchmark argument must be an installed named benchmark, and if not specified the value defaults to solaris.
If the -o option is specified, the guide is located at pathname.
The guide can be tailored to the named profile by the use of the -p option. If this option is not specified, the guide covers all profiles defined by the benchmark.
If the -o option is not specified or the -a option is specified, guides are located in the compliance guide storage. A user assigned either the Compliance Reporter or Compliance Assessor rights profile has the rights to generate such guides.
The list subcommand lists information about various compliance objects, such as installed benchmarks, conducted assessments, and tailorings. By default, the benchmarks and assessments are listed one per line.
If the -a option and one or more assessment parameters are present, the information is restricted to the matching assessments.
If the -b option and one or more benchmark parameters are present, the information is restricted to the matching benchmarks.
If the -p option is specified, the profiles for each benchmark are listed.
If the -t option is specified, the tailorings are listed.
If the -v option is specified, additional descriptive information about each of the objects is included in the output.
The report subcommand provides the location of a report in the desired format for an assessment, generating the required format report if necessary.
The -a option can be used to specify the name of the assessment repository. If it is not specified, the value defaults to the most recently conducted assessment.
The format of the compliance report can be selected by the -f option. Format options include log, xccdf, and html. The default format is html.
If the -o option is not specified, the report is located in the assessment storage. A user assigned either the Compliance Reporter or Compliance Assessor rights profile has the rights to generate such reports. If the -o option is specified, the report is located at pathname.
For reports in the html format, the -s option can be used to select which result types appear in the report. By default, all result types appear in the report except notselected and notapplicable. The what operand is a comma-separated list of result types to display in addition to the defaults. An individual result type can be suppressed by preceding it with a '-'. If the what list starts with an '=', it specifies exactly which result types are included. Result types are: pass, fixed, notchecked, notapplicable, notselected, informational, unknown, error, and fail.
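The selection rule above, worked through as an added example that is not code from the compliance command or from Oracle Solaris: a POSIX sh function that, given the what operand of -s, computes the result types the report would contain, starting from the defaults, honoring '-' suppressions and the '=' exact-list form, and rejecting an unknown result type. The function names and the printed ordering are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the compliance(1M) command or its source:
# a POSIX sh model of how the 'what' operand of 'compliance report -s'
# selects result types. Function names and output ordering are assumed.

# The nine result types, in the order this example prints them.
ALL_TYPES="pass fixed notchecked notapplicable notselected informational unknown error fail"
# Default set: every type except notselected and notapplicable.
DEFAULT_TYPES="pass fixed notchecked informational unknown error fail"

# is_valid_type NAME: succeed only if NAME is one of the nine result types.
is_valid_type() {
    for t in $ALL_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# select_result_types WHAT: print the result types a report generated with
# '-s WHAT' would include, space-separated, in canonical order.
# Returns 1 (and prints a message on stderr) for an unknown result type.
select_result_types() {
    what=$1
    case $what in
        =*) selected=""; what=${what#=} ;;   # '=' starts from an empty set
        *)  selected=$DEFAULT_TYPES ;;       # otherwise start from the defaults
    esac

    # Walk the comma-separated list without touching IFS.
    rest="$what,"
    while [ -n "$rest" ]; do
        entry=${rest%%,*}
        rest=${rest#*,}
        case $entry in
            "") ;;                            # tolerate empty fields ("a,,b")
            -*)                               # '-type' suppresses a type
                name=${entry#-}
                is_valid_type "$name" || { echo "unknown result type: $name" >&2; return 1; }
                kept=""
                for t in $selected; do
                    [ "$t" = "$name" ] || kept="$kept $t"
                done
                selected=$kept
                ;;
            *)                                # 'type' adds a type
                is_valid_type "$entry" || { echo "unknown result type: $entry" >&2; return 1; }
                selected="$selected $entry"
                ;;
        esac
    done

    # Emit in canonical order; this also removes duplicates.
    out=""
    for t in $ALL_TYPES; do
        for s in $selected; do
            if [ "$s" = "$t" ]; then
                out="$out $t"
                break
            fi
        done
    done
    echo "${out# }"
}

# The what operand used in Example 4 on this page:
# add notselected to the defaults and suppress informational.
select_result_types "notselected,-informational"
```

Running the script prints the seven types that Example 4's report would contain; calling select_result_types with a candidate what list is a quick way to preview which result types a given -s argument selects before generating the report.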
The set-policy subcommand modifies the default assessment policy. The default policy is used as the default parameters of the assess subcommand and for the scheduled assessment service. At least one of the -b and -t options must be specified.
The -b option specifies the default benchmark.
The -p option specifies the default profile. The -p option requires that the -b option also be specified. The -p option cannot be used with the -t option.
The -t option specifies the default tailoring.
The user must have the solaris.compliance.assess authorization to set the default policy. A user assigned the Compliance Assessor rights profile has such rights.
The tailor subcommand allows the user to create, view, edit, and manage tailorings. For more information, see the compliance-tailor(1M) man page.
The SMF service instance svc:/application/security/compliance:default can be used to automate scheduled assessments. The assessment parameters are taken from the default policy. For more information, see the set-policy subcommand. The default instance is offline by default. For information on the scheduling parameters, see the svc.periodicd(1M) man page.
The SMF service instance svc:/application/security/compliance:generate-guide is used to automate generation of guide files in the compliance guide storage. The generate-guide instance is online by default. Guide files are generated during package/system installation if the FMRI is specified as a restart_fmri actuator. Guides are (re)generated only as necessary, depending on whether the installed files are newer than the existing guides.
The following exit values are returned:
The assess subcommand may return this value indicating success of the command but noncompliance of the assessed system.
The compliance command is delivered with a vendor-defined benchmark named solaris. The profiles of this benchmark are specified as thresholds, so that systems with more secure settings of individual configuration parameters can pass the profile. The solaris benchmark includes a Baseline profile corresponding to the default security configuration settings of a freshly-installed Oracle Solaris instance, and a Recommended profile corresponding to the vendor-recommended configuration for those systems where compatibility with prior versions of Oracle Solaris is not a constraint.
The following example shows how to display the installed named benchmarks on the system:
% compliance list -bv
cis.v1.0    CIS Solaris 11 Security Benchmark, v1.0.0
pci.v2.0    Payment Card Industry Data Security Standard, v2.0
solaris     Solaris Security Policy
Example 2 Displaying the Profiles for the Solaris Benchmark
The following example shows how to display the profiles for the solaris benchmark:
% compliance list -bp solaris
solaris:
    Baseline
    Recommended
Example 3 Assessing the System by Using the Recommended Profile for the Solaris Benchmark
The following example shows how to take an assessment of the system using the Recommended profile for the solaris benchmark, and store the results in the CHECK repository:
% compliance assess -p Recommended -b solaris -a CHECK
Example 4 Generating a Report Which Includes the Items of the notselected Result Type
The following example shows how to generate a report including the items of the notselected result type, but suppress the informational result type:
% compliance report -s notselected,-informational -a CHECK
/var/share/compliance/assessments/CHECK/report.-informational,notselected.html
Example 5 Examining and Configuring Scheduled Assessments
The following example shows how to examine and configure scheduled assessments.
# view the current schedule
% svccfg -s compliance:default listprop scheduled
# view when last run and next to be run
% svcs -o state,lrun,nrun,astate,fmri compliance:default
# configure the scheduled assessment to run every Sunday at 1am
% svccfg -s compliance:default setprop scheduled/interval = week
% svccfg -s compliance:default setprop scheduled/day = astring: Sunday
% svccfg -s compliance:default setprop scheduled/hour = integer: 1
Directory of compliance programs, data, and test benchmarks.
Directory of packaged compliance benchmarks.
Storage for compliance guides, assessments, and reports.
See attributes(5) for descriptions of the following attributes:
The compliance command is executed against only the current operating system image. If other zones or domains need to be verified, separate invocations of the compliance command should be made in each of them.
Users may use the following command to determine which version of the solaris benchmark is being used for assessments:
% pkg info solaris-policy
Use of the svccfg command to modify the svc:/application/security/compliance:default policy property group is discouraged. Such changes are not semantically validated and hence may result in failure to conduct later assessments.