compliance-tailor - Administer compliance tailorings
compliance tailor [-t tailoring]
compliance tailor [-t tailoring] subcommand
compliance tailor [-t tailoring] -f command_file
compliance tailor help
The compliance tailor utility creates, modifies, and lists tailorings. The creation and modification functions are only available to authorized users and require that the process is executed with elevated privilege. Otherwise it runs in read-only mode.
A tailoring adjusts the set of rules from a benchmark applied when assessing against the tailoring.
The following synopsis of the compliance tailor command is for interactive usage:
compliance tailor –t tailoring subcommand
Parameters changed through compliance tailor do not affect a running assessment.
A benchmark is composed of profiles, groups, rules, and values. A rule defines specific checks to be made during an assessment. A value specifies a parameter which a rule can use in making a check. A group can contain rules, values, or other groups. A profile selects which of the rules or groups of rules are to be included or excluded in an assessment and/or the selection of values. A tailoring provides a means of expressing a new profile for a benchmark without altering the benchmark.
The user must have all zone privileges and the solaris.compliance.assess authorization to update the tailoring store. A user assigned the Compliance Assessor rights profile has the rights to create, modify, and delete tailorings.
A tailoring has several properties. The supported properties are; tailoring, benchmark, profile.
As for the property values that are paired with these names, they are simple strings terminated by white-space.
The tailoring property is the name of the tailoring. The benchmark property identifies which benchmark the rules are from. The profile property, if set, identifies which profile defined in the benchmark the tailoring profile is to be based on, expressing inclusion or exclusion of a few rules for which it differs from the base profile. Otherwise, the tailoring profile must have its own specification for inclusion or exclusion of all of the rules of the benchmark.
The following options are supported:
Specify the name of a tailoring command file. The command_file is a text file of tailoring subcommands, one per line. If the script does not cause the command invocation to terminate due to a delete or exit subcommand, the command will default to interactive operation at the end of the script.
Specify the name of a tailoring. Tailoring names are case sensitive. Tailoring names can contain alphanumeric characters, the underscore (_), the hyphen (-), and the dot (.). Installed tailoring names also contain a single slash (/).
compliance tailor supports a semicolon-separated list of subcommands.
Subcommands which can result in destructive actions or loss of work have an –F option to force the action. If the input is from a terminal device, the user is prompted when appropriate, if such a command is given without the –F option. If such a command is given without the –F option, the action is disallowed, with a diagnostic message written to standard error.
The following subcommands are supported:
Clear the value for the property.
Commit the current tailoring from memory to stable storage. The tailoring must be committed to be used by compliance assess. The commit operation is attempted automatically upon completion of a compliance tailor session.
Delete the specified tailoring from memory and stable storage. This action is instantaneous, no commit is necessary.
Specify the –F option to force the action.
Exclude the specified item from being checked in assessments. Use the –a option to exclude all rules defined by the benchmark.
Exit the compliance tailor session. A commit is automatically attempted if needed. The –F option can be used to bypass any commit. You can also use an EOF character to exit compliance tailor.
Print the current tailoring to standard output. Use the –o option to direct the output to output-file. This subcommand by default produces output in a form suitable for use with the compliance tailor –f option.
The –x option selects an xml format suitable for installation. This option provides only the content for an installed tailoring. For instance, a tailoring tname on the benchmark bname should be installed in the file /usr/lib/compliance/benchmarks/bname/tailorings/tname.xccdf.xml, but the creation of a suitable pkg manifest and publication of the package are not directly supported by compliance tailor.
Print general help or help about given topic.
Include the specified item among the rules to be checked in assessments.
Display information about the tailoring.
List the names of committed and installed tailorings. These names are valid as the parameter value of the –t option for both compliance assess and compliance tailor.
Load the specified tailoring into memory from stable storage. If there is an uncommitted tailoring in memory, confirmation is sought before it is discarded.
Specify the –F option to force the action.
Present a picking screen. By default, this is the group, rule, and value pick screen. If the –p option is given or the benchmark property is not yet set, the property pick screen described below will be presented.
On the group, rule, and value pick screen, each group or rule item is displayed as a line of text, including the item identifier and title. An exclusion is represented by the letter ’x’ appearing to the left of the item. A rule is checked in an assessment if it has no exclusion. A ’>’ character in reverse at the far left highlights rules to be checked.
On the group, rule, and value pick screen, a value item is displayed as two lines of text, the first containing the item identifier and title, and the second the value selections. A ’+’ character on the left marks the effective selection. The rightmost selection may be a entry selection (indicated by underlines). Selection of the entry selection results in a prompt for user entry of the parameter. If the entered text is within the range of the value, it is made the value selection.
The cursor on the pick screen indicates which item is active. The pick screen is manipulated through the command keys.
Terminate the pick screen, return to interactive subcommands
Display help information
Move the cursor down to the next item
Move the cursor up to the previous item
Move the cursor left to the previous selection
Move the cursor right to the next selection
Pick the active item or toggle between include and exclude
Include the active item or make the selection effective
Exclude the active item
Search forward for an item identifier or title
Search backward for an item identifier or title
The property pick screen presents all valid combinations of benchmark and profile on which a tailoring can be made on the system. One of these combinations can be selected through this screen, using the same command keys from the table above.
Set a given property name to the given value.
Since the list of rules and the default selection of those rules is dependent on the benchmark and profile properties, all exclusions and inclusions are reset whenever either of those properties is set.
The tailoring property cannot be set to that of an installed tailoring.
Make a selection of the value with the specified identifier.
The value must be in the range of the identifier.
Display the values associated with the underlying benchmark, and the tailoring’s selection for each.
If the –v option is specified, the range of each value is also printed.
In the following example, compliance tailor creates a new tailoring. The new tailoring, twomore, is based on the solaris Baseline profile, and enables two of the Recommended profile tests.
example# compliance tailor -t twomore tailoring: No existing tailoring: ’twomore’, initializing tailoring:twomore> set benchmark=solaris tailoring:twomore> set profile=Baseline tailoring:twomore> include OSC-47501 tailoring:twomore> include OSC-49501 tailoring:twomore> export set tailoring=twomore # version=2014-11-29T04:16:39.000+00:00 set benchmark=solaris set profile=Baseline # Passwords require at least one digit include OSC-47501 # Passwords require at least one uppercase character include OSC-49501 tailoring:mytailor> exitExample 2 Deriving a New Tailoring from an Existing Tailoring
In the following example, compliance tailor creates a new tailoring. The new tailoring, twominusone, is derived from the existing tailoring twomore.
example# compliance tailor -t twomore tailoring:twomore> set tailoring=twominusone tailoring:twominusone> exclude OSC-45000 tailoring:twominusone> export set tailoring=twominusone # version=2014-11-29T04:48:32.000+00:00 set benchmark=solaris set profile=Baseline # Passwords allow repeat characters exclude OSC-45000 # Passwords require at least one digit include OSC-47501 # Passwords require at least one uppercase character include OSC-49501 tailoring:mytailor> exitExample 3 Changing the Name of a Tailoring
The following example shows how to change the name of an existing tailoring.
example# compliance tailor -t mytailoring tailoring:mytailoring> set tailoring=mytailoring2 tailoring:mytailoring2> commit tailoring:mytailoring2> set tailoring=mytailoring tailoring:mytailoring> deleteExample 4 Creating a Tailoring to Run a Single Rule
The following example shows how to create a tailoring to evaluate a single rule.
example# compliance tailor -t root-role tailoring:root-role> set benchmark=solaris tailoring:root-role> exclude -a tailoring:root-role> include OSC-59000 set benchmark=solaris exclude -a # root is a role include OSC-59000 tailoring:root-role> exit example# compliance assess -t root-role Assessment will be named ’root-role.2014-11-28,22:40’ Title root is a role Rule OSC-59000 Result passExample 5 Listing Committed and Installed Tailorings
The following example shows how to list the committed and installed tailorings on the system.
example# compliance tailor list mytailoring2 root-role twominusone twomore pci-dss/webserver solaris/nfs-client solaris/nfs-serverExample 6 Listing and Adjusting Values
The following example shows how to list the values in the benchmark and changing a parameter.
example# compliance tailor -t demo tailoring:demo> values OSCV-37500 (NFS client service): disabled OSCV-46000 (Minimum password length): 14 OSCV-47000 (Minimum password character difference): 3 OSCV-48000 (Minimum password lower-case characters): 0 OSCV-49000 (Minimum password special): 0 tailoring:demo> value OSC-46000=12
The corresponding value entry on the pick screen would appear:
> _ OSC-46000 Passwords must be at least 14 characters long Value OSCV-46000 Minimum password length _ 6 _ 8 + 14 _ ___ 6 <= _value_ <= 255? 12
The following exit values are returned:
An error occurred.
See attributes(7) for descriptions of the following attributes:
All character data used by compliance tailor must be in US-ASCII encoding.
For tailorings based on existing profiles, the export form represents the differences between the base profile and the tailored profile. If there is no base profile (no profile property is set), the export form commences with an "exclude -a" subcommand so that the remainder of the export file is an affirmative list of the rules to be checked in an assessment; if the objective of the tailoring is to run only a few tests, this can simplify verification of the tailoring.