compliance - Administer security compliance tests
compliance [subcommand subcommand_options ...]
The compliance command administers security compliance policies.
The compliance command produces security guides, assessments, and reports using benchmarks and profiles. A guide is a document describing the policy of a benchmark and the tests made to ensure compliance to that policy. An assessment is an evaluation of the security configuration of a system, conducted against a benchmark. A benchmark is a programmatically-interpretable specification of acceptable ranges of the security parameters of a system. A profile selects which tests from a benchmark are to be evaluated in an assessment; a set of profiles is specified as part of the benchmark. A tailoring specifies a profile externally to a benchmark. A report is a form of the results of conducting an assessment.
The command has thirteen subcommands: assess, delete, explain, get-options, get-policy, guide, list, report, roster, setoptions, set-policy, store, and tailor.
The assess subcommand tests the current system configuration against a benchmark and creates a results repository.
The –a option can be used to specify the name of the assessment repository. If this is not specified the value defaults to one based on the parameters of the assessment and when it was conducted.
The –b option can be used to specify the benchmark. The benchmark argument must be an installed named benchmark.
The –m option can be used to associate user-specified match data with the assessment. The matches parameter is a comma-separated list of keys or key=value pairs. For more information, see the Match Parameters section below.
The –N option specifies that the assessment will be conducted on the remote node using the node-URI parameter (see URI operands below). In this case, the assess subcommand does not return until after the assessment has completed or failed on the remote system.
The assessment can be limited to the named profile by the use of the –p option. If the –p option is not specified, the value defaults to the first profile, if any, defined by the benchmark.
The –r option can be used to assess a group of remote systems listed in a roster. The –r option can only be used with –a and –s options as all other parameters used to assess each remote system can be specified in a roster. For more information, see the compliance-roster(8) man page. When the –r is used, the assess subcommand returns after initiating the assessment on each remote system in the roster, without waiting for the assessments to complete on the remote systems. Use list -av to check the status of the assessments (see the list subcommand below).
The –s option specifies that upon completion, the assessment should be transferred to a remote assessment store by using the store-URI parameter. For more information, see the Store URIs section below. After a successful transfer, any interim copy of the assessment in the local assessment store will be automatically deleted.
The –t option specifies that the assessment should be against the specified tailoring. If the –b option is specified, an installed tailoring is assumed as if the tailoring operand alone were benchmark/tailoring. Since the profile is implicitly specified by the tailoring, the –p option cannot be used in conjunction with the –t option.
If none of the –b, –p, and –t options are specified, the benchmark, profile, and tailoring are taken from the default policy. For more information, see the set-policy subcommand.
If any of the –a, –m, and –s options is not specified, the corresponding parameter is taken from the default options. For more information, see the set-options subcommand. An explicit use of any of these options with an empty parameter ("") has the same effect as if the corresponding default parameter was not set.
When neither –N nor –r option is specified, the assessment is conducted on the local system. In this case, the assess subcommand does not return until after the assessment has completed or failed on the local system.
The user must have all zone privileges and the solaris.compliance.assess authorization to conduct assessments. A user assigned the Compliance Assessor rights profile has the rights to conduct assessments.
The assess subcommand also produces statistics of the assessment and uploads them to a local statistics store. The statistics can be viewed by authorized users using the sstore command. A user assigned the Compliance Assessor rights profile has the rights to upload the statistics. A user assigned the Compliance Reporter rights profile has the rights to collect and view the assessment statistics. For more information, see the sstore(1) man page.
The following classes of statistics are produced:
//:class.app/solaris/compliance/assessment //:class.app/solaris/compliance/rule
The delete subcommand removes the results repository for the specified assessment, including all associated reports.
The –m option can be used to select those assessments which match the matches expression for deletion. For more information, see the Match Parameters section below.
The –N option specifies that the deletion takes place on the remote node using the node-URI parameter (see URI operands below).
The –n option lists which assessments would be deleted, but suppresses the actual deletion operation.
The –v option lists assessments being deleted.
The explain subcommand lists rules for the default system policy benchmark or the benchmark supplied with the –b option when no arguments are supplied.
When one or more arguments are supplied, descriptions of the named compliance rules are emitted. If no rules match the supplied arguments, a case-insensitive search for the supplied arguments is performed and a description of any matching compliance rules is emitted.
The –H option specifies that the column header should not be emitted when listing compliance rules.
The –b option specifies that compliance rules are limited to the benchmark parameter. If no –b option is supplied, the default system policy benchmark is used. See 'get-policy' below.
The –t option specifies that values in the specified tailoring should be used in rules and titles emitted, where necessary.
The –N option specifies that explanations are shown for the compliance rules on the remote node using the node-URI parameter (see URI operands below).
The 'all' keyword specifies that descriptions for all compliance rules for this benchmark should be emitted.
A description of the named rule identifier is emitted. If no rule identifiers match, a case-insensitive search is performed on the descriptions for tests in the –b benchmark and only matching test descriptions are emitted.
The get-options subcommand displays the default assessment options. For more information, see the set-options subcommand.
The –N option specifies displaying default assessment options on the remote node using the node-URI parameter (see URI operands below).
The get-policy subcommand displays the default assessment policy. For more information, see the set-policy subcommand.
The –N option specifies displaying default assessment options on the remote node using the node-URI parameter (see URI operands below).
The –guide subcommand provides the location of documentation describing the compliance requirements for a given benchmark in html format, generating if necessary the specific guide or guides for all installed benchmarks.
If the –a option is specified, guides are generated for all installed benchmarks and associated profiles.
In the case of an individual guide, the –b option can be used to specify the benchmark. The benchmark argument must be an installed named benchmark, and if not specified the value defaults to solaris.
If the –o option is specified, the guide is located at pathname.
The guide can be tailored to the named profile by the use of the –p option. If this option is not specified, the guide covers all profiles defined by the benchmark.
If the –o option is not specified or the –a option is specified, guides are located in the compliance guide storage. A user assigned either the Compliance Reporter or Compliance Assessor rights profile has the rights to generate such guides.
The list subcommand lists information about various compliance objects, such as, installed benchmarks, conducted assessments, tailorings, and rosters. By default, the benchmarks and assessments are listed one per line.
If the –a option and one or more assessment parameters are present, the information is restricted to the matching assessments.
If the –b option and one or more benchmark parameters are present, the information is restricted to the matching benchmarks.
The –m option can be used to select only those assessments which match the matches expression to be listed. For more information, see the Match Parameters section below.
The –N option can be used to list objects on the remote node using the node-URI parameter (see URI operands below).
If the –p option is specified, the profiles for each benchmark are listed.
If the –r option is specified, the rosters are listed.
If the –t option is specified, the tailorings are listed.
If the –v option is specified, additional descriptive information about each of the objects is included in the output.
The report subcommand provides the location of a report in the desired format for an assessment, generating the required format report if necessary.
The –a option can be used to specify the name of the assessment repository. If it is not specified, then the value defaults to the most recently conducted assessment.
The format of the compliance report can be selected by the –f option. Format options include log, xccdf, html, and summary. A log format report is a simple text listing of the results of an individual assessment. An xccdf format report is the XML-formatted results of an assessment, intended for programmatic processing. An html report provides an html-format description of the results of a particular assessment, including remediation information for failing tests. A summary report provides html-format overall information and links to the individual assessment reports in the various formats. If the invocation includes more than one assessment, only the summary format can be provided. The default format is html if the invocation covers a single assessment, or summary if the invocation includes more than one assessment.
The –m option can be used to select those assessments which match the matches expression for inclusion in the report. For more information see the Match Parameters section below.
If the –o option is not specified, the report is located in the assessment storage. A user assigned either the Compliance Reporter or Compliance Assessor rights profile has the rights to generate such reports. If the –o option is specified, the report is located at pathname.
The roster subcommand allows the user to create, view, edit, and manage tailorings. For more information, see the compliance-roster(8) man page.
The set-options subcommand modifies the default assessment options. The default options are used as the default parameters of the assess subcommand and for the scheduled assessment service. Each of the default assessment, matches, and store-URI parameters can be independently set.
The –a option specifies the default assessment name. The assessment option value can be empty ("") to indicate there is no default assessment name.
The –m option specifies the default matches parameter. The matches option value can be empty ("") to indicate there is no default matches parameter.
The –N option can be used to modify default assessment options on the remote node using the node-URI parameter (see URI operands below).
The –s option specifies the default store-URI parameter. The store-URI option value can be empty ("") to indicate there is no default store-URI parameter.
The user must have the solaris.compliance.assess authorization to set the default options; a user assigned the Compliance Assessor rights profile has such rights.
The set-policy subcommand modifies the default assessment policy. The default policy is used as the default parameters of the assess subcommand and for the scheduled assessment service. At least one of the –b and –t options must be specified.
The –b option specifies the default benchmark.
The –p option specifies the default profile. The –p option requires that the –b option also be specified. The –p option cannot be used with the –t option.
The –N option can be used to modify default assessment policies on the remote node using the node-URI parameter (see URI operands below).
The –t option specifies the default tailoring.
The user must have the solaris.compliance.assess authorization to set the default policy. A user assigned the Compliance Assessor rights profile has such rights.
The store subcommand copies the specified assessments, including all associated reports to a remote assessment store, by using the specified store-URI. For more information, see the Store URIs section below. If the –s option is not specified, the default store-URI is used. The original assessments remain in the local assessment store.
The –m option can be used to select those assessments which match the matches expression for copying. For more information, see the Match Parameters section below.
The –n option lists which assessments would be stored, but suppresses the actual store operation.
The –v option lists the assessments being stored.
The tailor subcommand allows the user to create, view, edit, and manage tailorings. For more information, see the compliance-tailor(8) for more details.
Each assessment has associated match keys. These include both system-defined keys and user-specified keys. A key can have an optional assigned value. The keys associated with assessments can be seen with the list -av subcommand.
System-defined keys always begin with an uppercase letter. The system-defined keys and the definitions of their values are listed below:
The hardware architecture of the platform on which the assessment was run (the same value as "uname -i").
The benchmark defining the rules and values for this assessment. This key is present whether the benchmark was explicitly or implicitly specified.
Assessments created under legacy versions of the compliance command are automatically assigned a UUID key and value and other match keys and values derived from the existing data. The resulting match data is a best effort result. Some system keys will be missing and the Tailoring value will be inaccurate for assessments conducted from installed tailorings. Only such derived assessment match data includes the Legacy key. The value of the Legacy key will be Derived if there was an xccdf results file for the assessment or Empty otherwise.
The name associated with the assessment when the assess subcommand was invoked. Note that multiples assessments can share the same Name.
The name of the system on which the assessment was run.
The Common Platform Enumeration of the platform on which the assessment was run, specific to the operating system version.
The profile selecting the rules and values for this assessment. This key is not defined if a tailoring was used for this assessment.
The status of this assessment. Possible values include Completed, Initiated, and Uninitialized.
The tailoring selecting the rules and values for this assessment. This key is present only if a tailoring was used for this assessment.
Initially, this is the time when the assess command was invoked. When the assessment is completed, this is updated to the time the assessment completed. The value of the key has the format YYYY-MM-DDTHH-mm-SS.
A unique identifier associated with each assessment. For assessments created by earlier versions of compliance, this could be the same as the Name key value.
When the assess subcommand is invoked, the user may specify additional comma-separated keys or key=value pairs to be associated with the assessment. User-specified keys must begin with a lowercase letter.
When the delete, list, and report subcommands are invoked, the user may specify a match expression to select which assessments are to be processed by the command. A match expression is a boolean expression over the following primitives.
True if the assessment has the associated key (whether or not key has a value), false otherwise.
True if the assessment does not have the associated key, false otherwise.
True if the assessment has the associated key with the value value, false otherwise.
True if the assessment has the associated key not with the value value, false otherwise.
True if the assessment has the associated key with a value less than value, false otherwise. The values are compared as strings, so that 2014-12-31T23:59:59<2015 evaluates true.
True if the assessment has the associated key with a value greater than value, false otherwise. The values are compared as strings, so that 2015-01-01T00:00:00>2015 evaluates true.
Has the same evaluation as the enclosed expression.
The match expression boolean operations are:
True if both operand1 and operand2 evaluate to true, false otherwise.
True if either operand1 or operand2 evaluates to true, false otherwise.
Note that many of the operators in match expressions are used as shell metacharacters, so they must be properly quoted or escaped to avoid being interpreted by the shell.
Access to a remote assessment store is conducted using a store-URI. The store-URI is interpreted as a RAD URI. For more information see the rad(8) man page. The value can be expressed as a nodename (for example, the output of hostname command, an IP address, or a fully-qualified domain name) in which case it will be coerced to the RAD URI form. The scheme defaults to ssh, user defaults to the current user, and port defaults to the standard RAD port. Note that the store-URI specified must not require interactive authentication, for example, a password prompt.
The SMF service instance svc:/application/security/compliance:default can be used to automate scheduled assessments. The assessment parameters are taken from the default options and policy. For more information see the set options and set-policy subcommands. The default instance is offline by default. For information on the scheduling parameters, see the svc.periodicd(8) man page.
The SMF service instance svc:/application/security/compliance:generate-guide is used to automate generation of guide files in the compliance guide storage. The generate-guide instance is online by default. Guide files are generated during package/system installation if the FMRI is specified as an restart_fmri actuator. Based on the newness of the installed files, guides are (re)generated only as necessary.
The following exit values are returned:
Successful completion.
Usage error.
The assess subcommand may return this value indicating success of the subcommand but noncompliance of the assessed system.
Program failure.
The compliance command is delivered with a vendor-defined benchmark named solaris. The profiles of this benchmark are specified as thresholds, so that systems with more secure settings of individual configuration parameters can pass the profile. The solaris benchmark includes a Baseline profile corresponding to the default security configuration settings of a freshly-installed Oracle Solaris instance, and a Recommended profile corresponding to the vendor-recommended configuration for those systems where compatibility with prior versions of Oracle Solaris is not a constraint.
The following example shows how to display the installed named benchmarks on the system:
% compliance list -bv
pci-dss
PCI-DSS Security/Compliance benchmark for Oracle Solaris
solaris
Oracle Solaris Security Policy
Example 2 Displaying the Profiles for the Solaris Benchmark
The following example shows how to display the profiles for the solaris benchmark:
% compliance list -bp solaris solaris: Baseline RecommendedExample 3 Assessing of the System by Using the Recommended Profile for the Solaris Benchmark
The following example shows how to take an assessment of the system using the Recommended profile for the solaris benchmark, associating the match keys demo and example=3 and store the results in the CHECK repository:
% compliance assess -p Recommended -b solaris -a CHECK \
-m demo,example=3 -N ssh://example@host.example.com
Example 4 Listing Assessments and Keys
The following example shows how to list all assessments, displaying associated keys.
% compliance list -av CHECK UUID: 657fd530-6c58-11e5-8f4c-8003baa8d665 Benchmark=solaris Profile=Recommended Status=Completed Node=lymph Platform=cpe:/o:oracle:solaris:11 Architecture=i86pc Timestamp=2015-10-31T18:19:20 Username=root UserID=0 demo example=3Example 5 Generating a Report Which Includes All Assessments with the demo key
The following example shows how to generate a summary report including all of the assessments which have the demo key associated with them.
% compliance report -m demo -f summary /var/share/compliance/assessments/657fd530-6c58-11e5-8f4c-8003baa8d665/summary.htmlExample 6 Examining and Configuring Scheduled Assessments
The following example shows how to examine and configure scheduled assessments.
# view the current schedule % svccfg -s compliance:default listprop scheduled # view when last run and next to be run % svcs -o state,lrun,nrun,astate,fmri compliance:default # configure the scheduled assessment to run every Sunday at 1am % svccfg -s compliance:default setprop scheduled/interval = week % svccfg -s compliance:default setprop scheduled/day = astring: Sunday % svccfg -s compliance:default setprop scheduled/hour = integer: 1Example 7 Generating a Report Which Includes the Items of the notselected Result Type
The following example shows how to generate a report which includes the items of the notselected result type, but suppress the informational result type:
% compliance report -s notselected,-informational -a CHECK /var/share/compliance/assessments/CHECK/report.-informational,notselected.html
Directory of compliance programs, data, and test benchmarks.
Directory of packaged compliance benchmarks.
Storage for compliance guides, rosters, assessments, and reports.
See attributes(7) for descriptions of the following attributes:
|
attributes(7), compliance-tailor(8), compliance-roster(8), oscap(8), rad(8), svc.periodicd(8), svccfg(8), svcs(1), uname(1)
Oracle Solaris 11.4 Compliance Guide
Oracle Solaris 11.4 Security and Hardening Guidelines
The compliance command is executed against only the current operating system image. If other zones or domains need to be verified, separate invocations of compliance command should be made.
Users may use the following command to determine which version of the solaris benchmark is being used for assessments:
% pkg info solaris-policy
Use of the svccfg command to modify the svc:/application/security/compliance:default options or policy property groups is discouraged. Such changes are not semantically validated and hence may result in failure to conduct later assessments.