How to Create a Package Manifest for a Tailoring
After testing your new tailoring thoroughly, you can create an IPS package to install the new rules file. The package manifest is an early step in package creation. For the steps in creating a package, see Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.4.
Example 1-6 Creating a Package Manifest for a Compliance Package for Oracle Solaris NFS Clients
This example shows how to create a package manifest for a tailoring for NFS clients. The source name of the rules selection file is solaris-Baseline-nfs-client.exportx.xml
. Its installed version is nfs-client.xccdf.xml
. The tailoring is based on the Baseline
profile of the solaris
benchmark, so the package is dependent on the solaris-policy
package.
-
Export the tailoring and quit the editor.
$ pfexec compliance tailor -t solaris-Baseline-nfs-client tailoring:solaris-Baseline-nfs-client> export -x -o sB-nfs-client.exportx.xml tailoring:solaris-Baseline-nfs-client> exit
-
Create a manifest with the package name and fill out the manifest.
$ pfedit /home/ooyl/packages/tailorings/solaris-Baseline-nfs-client.p5m
set name=pkg.fmri value=pkg://corporate-IT/security/compliance/tailorings/ solaris-Baseline-nfs-client@1.0 set name=pkg.summary value="An NFS client tailoring for Solaris Baseline systems." set name=pkg.description value="This NFS tailoring is an adjunct to the solaris.Baseline profile. Assess all NFS client systems with this nfs-client tailoring." file ./sB-nfs-client.exportx.xml group=sys mode=0555 owner=root path=usr/lib/compliance/benchmarks/solaris/tailorings/nfs-client.xccdf.xml depend fmri=pkg:/security/compliance/benchmark/solaris-policy type=require
Note:
A tailoring that is installed as a package is stored in the/usr/lib/compliance/benchmarks/
name/tailorings
directory.
Example 1-7 Creating Assessments and Reports From Tailorings
In this example, an administrator has installed two tailoring packages and has a tailoring testing file. solaris/
indicates that the installed tailoring packages are based on the solaris
benchmark.
$ compliance tailor list
solaris/basic
solaris/RKerberos
testBaselinePlus
The Compliance Assessor administrator runs the installed tailorings assessments and views the results in a browser.
-
The administrator runs assessments for both tailorings.
$ pfexec compliance assess -t solaris/basic Assessment will be named "basic.2015-11-11,10:10" Title The OS version is correct Rule OSC-53005 Result pass ... % compliance report /var/share/compliance/assessments/12341111-1111-1111-1111-12345678abcd/report.html
$ pfexec compliance assess -t solaris/RKerberos Assessment will be named "RKerberos.2015-11-11,10:20" ... Title Service svc:/network/rpc/gss is enabled Rule OSC-62511 Result pass ... $ compliance report /var/share/compliance/assessments/abcd1111-1111-1111-1111-12345678abcd/report.html
-
The administrator views the reports by typing the following entries in a browser.
file:///var/share/compliance/assessments/12341111-1111-1111-1111-12345678abcd/report.html file:///var/share/compliance/assessments/abcd1111-1111-1111-1111-12345678abcd/report.html
Next Steps
To complete the testing and delivery of this package, see Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.4. You should sign your tailoring packages. The packaging utility includes other attributes, such as facets, that you might want to use in the package manifest.