man pages section 1M: System Administration Commands

Updated: July 2017

compliance-tailor (1M)

Name

compliance-tailor - Administer compliance tailorings

Synopsis

compliance tailor [-t tailoring]
compliance tailor [-t tailoring] subcommand
compliance tailor [-t tailoring] -f command_file
compliance tailor help

Description

The compliance tailor utility creates, modifies, and lists tailorings. The creation and modification functions are only available to authorized users and require that the process is executed with elevated privilege. Otherwise it runs in read-only mode.

A tailoring adjusts the set of rules from a benchmark applied when assessing against the tailoring.

The following synopsis of the compliance tailor command is for interactive usage:

compliance tailor -t tailoring subcommand

Parameters changed through compliance tailor do not affect a running assessment.

Tailorings

A benchmark is composed of profiles, groups, rules, and values. A rule defines specific checks to be made during an assessment. A value specifies a parameter which a rule can use in making a check. A group can contain rules, values, or other groups. A profile selects which of the rules or groups of rules are to be included or excluded in an assessment and/or the selection of values. A tailoring provides a means of expressing a new profile for a benchmark without altering the benchmark.

The user must have all zone privileges and the solaris.compliance.assess authorization to update the tailoring store. A user assigned the Compliance Assessor rights profile has the rights to create, modify, and delete tailorings.

Properties

A tailoring has several properties. The supported properties are: tailoring, benchmark, and profile.

The values paired with these property names are simple strings terminated by white space.

The tailoring property is the name of the tailoring. The benchmark property identifies which benchmark the rules are from. The profile property, if set, identifies which profile defined in the benchmark the tailoring profile is to be based on, expressing inclusion or exclusion of a few rules for which it differs from the base profile. Otherwise, the tailoring profile must have its own specification for inclusion or exclusion of all of the rules of the benchmark.

Options

The following options are supported:

-f command_file

Specify the name of a tailoring command file. The command_file is a text file of tailoring subcommands, one per line. If the script does not cause the command invocation to terminate due to a delete or exit subcommand, the command will default to interactive operation at the end of the script.

-t tailoring

Specify the name of a tailoring. Tailoring names are case sensitive. Tailoring names can contain alphanumeric characters, the underscore (_), the hyphen (-), and the dot (.). Installed tailoring names also contain a single slash (/).

Subcommands

compliance tailor supports a semicolon-separated list of subcommands.

Subcommands which can result in destructive actions or loss of work have an -F option to force the action. If the input is from a terminal device and such a command is given without the -F option, the user is prompted when appropriate. Otherwise (when the input is not from a terminal device), if such a command is given without the -F option, the action is disallowed, with a diagnostic message written to standard error.

The following subcommands are supported:

clear [-F] property-name

Clear the value for the property.

commit

Commit the current tailoring from memory to stable storage. The tailoring must be committed before compliance assess can use it. The commit operation is attempted automatically upon completion of a compliance tailor session.

delete [-F]

Delete the specified tailoring from memory and stable storage. This action is instantaneous; no commit is necessary.

Specify the -F option to force the action.

exclude [-a] item

Exclude the specified item from being checked in assessments. Use the -a option to exclude all rules defined by the benchmark.

exit [-F]

Exit the compliance tailor session. A commit is automatically attempted if needed. The -F option can be used to bypass any commit. You can also use an EOF character to exit compliance tailor.

export [-x] [-o output-file]

Print the current tailoring to standard output. Use the -o option to direct the output to output-file. By default, this subcommand produces output in a form suitable for use with the compliance tailor -f option.

The -x option selects an XML format suitable for installation. This option provides only the content of an installed tailoring. For instance, a tailoring tname on the benchmark bname should be installed in the file /usr/lib/compliance/benchmarks/bname/tailorings/tname.xccdf.xml, but the creation of a suitable pkg manifest and publication of the package are not directly supported by compliance tailor.

help [subcommand]

Print general help or help about the given subcommand.

include item

Include the specified item among the rules to be checked in assessments.

info

Display information about the tailoring.

list

List the names of committed and installed tailorings. These names are valid as the parameter value of the –t option for both compliance assess and compliance tailor.

load [-F] tailoring

Load the specified tailoring into memory from stable storage. If there is an uncommitted tailoring in memory, confirmation is sought before it is discarded.

Specify the -F option to force the action.

pick [-p]

Present a picking screen. By default, this is the group, rule, and value pick screen. If the -p option is given or the benchmark property is not yet set, the property pick screen described below is presented instead.

On the group, rule, and value pick screen, each group or rule item is displayed as a line of text, including the item identifier and title. An exclusion is represented by the letter 'x' appearing to the left of the item. A rule is checked in an assessment if it has no exclusion. A '>' character in reverse video at the far left highlights the rules to be checked.

On the group, rule, and value pick screen, a value item is displayed as two lines of text, the first containing the item identifier and title, and the second the value selections. A '+' character on the left marks the effective selection. The rightmost selection may be an entry selection (indicated by underlines). Selecting the entry selection results in a prompt for user entry of the parameter. If the entered text is within the range of the value, it is made the value selection.

The cursor on the pick screen indicates which item is active. The pick screen is manipulated through the command keys.

ESC or q

Terminate the pick screen, return to interactive subcommands

H

Display help information

DOWN-ARROW or j

Move the cursor down to the next item

UP-ARROW or k

Move the cursor up to the previous item

LEFT-ARROW or h

Move the cursor left to the previous selection

RIGHT-ARROW or l

Move the cursor right to the next selection

SPACE or x

Pick the active item or toggle between include and exclude

+

Include the active item or make the selection effective

-

Exclude the active item

f

Page forward

b

Page backward

/

Search forward for an item identifier or title

?

Search backward for an item identifier or title

The property pick screen presents all valid combinations of benchmark and profile on which a tailoring can be made on the system. One of these combinations can be selected through this screen, using the same command keys from the table above.

set [-F] property-name=property-value

Set a given property name to the given value.

Since the list of rules and the default selection of those rules is dependent on the benchmark and profile properties, all exclusions and inclusions are reset whenever either of those properties is set.

The tailoring property cannot be set to that of an installed tailoring.

value identifier=value

Make a selection of the value with the specified identifier.

The value must be in the range of the identifier.

values [-v]

Display the values associated with the underlying benchmark, and the tailoring's selection for each.

If the -v option is specified, the range of each value is also printed.

Examples

Example 1 Creating a New Tailoring

In the following example, compliance tailor creates a new tailoring. The new tailoring, twomore, is based on the solaris Baseline profile, and enables two of the Recommended profile tests.

example# compliance tailor -t twomore
tailoring: No existing tailoring: 'twomore', initializing
tailoring:twomore> set benchmark=solaris
tailoring:twomore> set profile=Baseline
tailoring:twomore> include OSC-47501
tailoring:twomore> include OSC-49501
tailoring:twomore> export
set tailoring=twomore
# version=2014-11-29T04:16:39.000+00:00
set benchmark=solaris
set profile=Baseline
# Passwords require at least one digit
include OSC-47501
# Passwords require at least one uppercase character
include OSC-49501
tailoring:twomore> exit

Example 2 Deriving a New Tailoring from an Existing Tailoring

In the following example, compliance tailor creates a new tailoring. The new tailoring, twominusone, is derived from the existing tailoring twomore.

example# compliance tailor -t twomore
tailoring:twomore> set tailoring=twominusone
tailoring:twominusone> exclude OSC-45000
tailoring:twominusone> export
set tailoring=twominusone
# version=2014-11-29T04:48:32.000+00:00
set benchmark=solaris
set profile=Baseline
# Passwords allow repeat characters
exclude OSC-45000
# Passwords require at least one digit
include OSC-47501
# Passwords require at least one uppercase character
include OSC-49501
tailoring:twominusone> exit

Example 3 Changing the Name of a Tailoring

The following example shows how to change the name of an existing tailoring.

example# compliance tailor -t mytailoring
tailoring:mytailoring> set tailoring=mytailoring2
tailoring:mytailoring2> commit
tailoring:mytailoring2> set tailoring=mytailoring
tailoring:mytailoring> delete

Example 4 Creating a Tailoring to Run a Single Rule

The following example shows how to create a tailoring to evaluate a single rule.

example# compliance tailor -t root-role
tailoring:root-role> set benchmark=solaris
tailoring:root-role> exclude -a
tailoring:root-role> include OSC-59000
tailoring:root-role> export
set benchmark=solaris
exclude -a
# root is a role
include OSC-59000
tailoring:root-role> exit
example# compliance assess -t root-role
Assessment will be named 'root-role.2014-11-28,22:40'
Title root is a role
Rule OSC-59000
Result pass

Example 5 Listing Committed and Installed Tailorings

The following example shows how to list the committed and installed tailorings on the system.

example# compliance tailor list
mytailoring2
root-role
twominusone
twomore
pci-dss/webserver
solaris/nfs-client
solaris/nfs-server

Example 6 Listing and Adjusting Values

The following example shows how to list the values in the benchmark and change a parameter.

example# compliance tailor -t demo
tailoring:demo> values
OSCV-37500 (NFS client service): disabled
OSCV-46000 (Minimum password length): 14
OSCV-47000 (Minimum password character difference): 3
OSCV-48000 (Minimum password lower-case characters): 0
OSCV-49000 (Minimum password special): 0
tailoring:demo> value OSCV-46000=12

The corresponding value entry on the pick screen would appear:

> _ OSC-46000 Passwords must be at least 14 characters long
    Value OSCV-46000 Minimum password length
       _ 6 _ 8 + 14 _ ___
6 <= _value_ <= 255? 12

Exit Status

The following exit values are returned:

0

Successful completion.

1

An error occurred.

2

Invalid usage.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE         ATTRIBUTE VALUE
Availability           security/compliance
Interface Stability    Committed

See Also

compliance(1M)

Notes

All character data used by compliance tailor must be in US-ASCII encoding.

For tailorings based on existing profiles, the export form represents the differences between the base profile and the tailored profile. If there is no base profile (no profile property is set), the export form commences with an "exclude -a" subcommand so that the remainder of the export file is an affirmative list of the rules to be checked in an assessment; if the objective of the tailoring is to run only a few tests, this can simplify verification of the tailoring.
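The command file read by the -f option (and written by export) is simple enough to check before it is fed back to compliance tailor. The following Python is an added example and is not part of this man page or of the compliance utility: it replays a command file under the rules stated in the Options, Properties, set and Notes sections (one subcommand per line, '#' comment lines, US-ASCII only, selections reset whenever benchmark or profile is set, exclude -a, and no installed name for the tailoring property) and reports the effective selection together with any violations. The sample file and the rule identifier OSC-11111 are constructed for the demonstration.

```python
import re
# Properties the man page defines; 'set' of anything else is an error.
PROPERTIES = {"tailoring", "benchmark", "profile"}
# Installed tailoring names carry one '/'; 'set tailoring=' may not use one.
INSTALLED_NAME = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")
# Constructed sample modelled on Examples 1 and 2, with two faults at the end.
SAMPLE = """set tailoring=twominusone
set benchmark=solaris
include OSC-11111
set profile=Baseline
# Passwords allow repeat characters
exclude OSC-45000
include OSC-47501
include OSC-49501
value OSCV-46000=12
set owner=root
set tailoring=solaris/nfs-client
"""

def replay(text):
    """Replay a command file line by line and return the resulting state."""
    st = dict(props={}, values={}, include=set(), exclude=set(), exclude_all=False, errors=[])
    if not text.isascii():                       # Notes: US-ASCII only
        st["errors"].append("file is not US-ASCII")
    for n, raw in enumerate(text.splitlines(), 1):
        words = raw.split()                      # values end at white space
        if not words or words[0].startswith("#"):
            continue                             # blank or comment line
        cmd, args = words[0], words[1:]
        if cmd == "set" and len(args) == 1 and "=" in args[0]:
            name, val = args[0].split("=", 1)
            if name not in PROPERTIES:
                st["errors"].append(f"line {n}: unknown property {name!r}")
            elif name == "tailoring" and INSTALLED_NAME.match(val):
                st["errors"].append(f"line {n}: {val!r} is an installed name")
            else:
                st["props"][name] = val
                if name != "tailoring":          # benchmark/profile reset picks
                    st["include"].clear(); st["exclude"].clear(); st["exclude_all"] = False
        elif cmd == "exclude" and args == ["-a"]:
            st["include"].clear(); st["exclude"].clear(); st["exclude_all"] = True
        elif cmd in ("include", "exclude") and len(args) == 1:
            st[cmd].add(args[0])                 # include and exclude are exclusive
            st["exclude" if cmd == "include" else "include"].discard(args[0])
        elif cmd == "value" and len(args) == 1 and "=" in args[0]:
            ident, val = args[0].split("=", 1)
            st["values"][ident] = val
        else:
            st["errors"].append(f"line {n}: malformed: {raw.strip()!r}")
    return st
```

Running replay(SAMPLE) shows that the include of OSC-11111 is discarded by the later set profile, and that the two trailing lines are reported as errors while the rest of the selection is retained.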