How to Create a Tailoring From a Compliance Benchmark

You must be assigned the Compliance Assessor rights profile to create a tailoring that can be added to the system store. For more information, see Rights to Run Compliance Assessments and Reports and Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Open the compliance editor.

    The following command starts the tailoring session; the interactive subcommands that follow it name the source benchmark, exclude every rule, and open the pick screen.

    $ pfexec compliance tailor -t basic
    *** compliance tailor: Can't get existing tailor "basic", initializing
    tailoring:basic> set benchmark=solaris
    tailoring:basic> exclude -a
    tailoring:basic> pick

    where:

    • basic is the name of the tailoring

    • solaris is the source benchmark

    • exclude -a starts from the solaris benchmark with every rule excluded, so only the rules you explicitly include are assessed

    • pick opens the pick screen

    The pick screen displays all of the rules in the solaris benchmark. None of them are included.

  2. On the pick screen, use the keyboard to include particular rules, exclude rules, and navigate.
    • The spacebar toggles between including and excluding an entry.

    • An x indicates an excluded rule.

    • A greater-than symbol (>) in reverse video indicates an included rule; the absence of an x is a second indication that the rule is included.

    • An exit or ESC returns you to the compliance tailor command line in interactive mode.

  3. Include a few basic rules.

    For example, you might include the rules OSC-53005, OSC-16005, OSC-35000, OSC-46000, OSC-01511, OSC-04511, and OSC-75511.

  4. Display the contents of the tailoring.
    tailoring:basic> export
    set tailoring=basic
    # version=2016-09-07T22:07:02.000+00:00
    set benchmark=solaris
    exclude -a
    # OSC-53005: The OS version is current
    include OSC-53005
    # OSC-16005: All local filesystems are ZFS
    include OSC-16005
    # OSC-35000: /etc/motd and /etc/issue contain appropriate policy text
    include OSC-35000
    # OSC-46000: Passwords must be at least 8 characters long
    include OSC-46000
    # OSC-01511: Address Space Layout Randomization (ASLR) is enabled
    include OSC-01511
    # OSC-04511: Booting the system should require a password
    include OSC-04511
    # OSC-75511: Stacks are non-executable
    include OSC-75511
    tailoring:basic>

    Tailorings that you create with the compliance tailor command declare their source benchmark (and profile, if one is set) inside them, so an assessment needs only the tailoring name, as in the compliance assess -t basic command in Step 6.

  5. Commit your changes, then exit the interactive command line.
    tailoring:basic> commit
    tailoring:basic> exit
    $
  6. Test the tailoring and evaluate the output.
    $ pfexec compliance assess -t basic
    Assessment will be named 'basic.2016-09-07,07:07'
    Title   The OS version is current
    Rule    OSC-53005
    Result  pass
    ...
    Title   Stacks are non-executable
    Rule    OSC-75511
    Result  pass
  7. Display the assessment report in a browser.
    1. Locate the assessment.
      # compliance report
      /var/share/compliance/assessments/12345678-1111-1111-1111-12345678abcd/report.html
    2. Load the assessment into the browser.

      The following example shows a sample browser entry:

      file:///var/share/compliance/assessments/12345678-1111-1111-1111-12345678abcd/report.html
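
Step 6 says to evaluate the output. The script below is an added example, not part of the Oracle documentation: it parses the tailoring's export listing and the text output of compliance assess -t basic (both constructed here to match the formats shown in Steps 4 and 6) and reports any included rule that failed or was never evaluated, which is what you want to know before trusting an assessment. The check_assessment function, the helper functions, and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): compare the rules a
# tailoring includes against what 'compliance assess' actually reported.

# Constructed sample: the 'export' listing of the tailoring 'basic'.
TAILORING_EXPORT='set tailoring=basic
# version=2016-09-07T22:07:02.000+00:00
set benchmark=solaris
exclude -a
# OSC-53005: The OS version is current
include OSC-53005
# OSC-16005: All local filesystems are ZFS
include OSC-16005
# OSC-46000: Passwords must be at least 8 characters long
include OSC-46000'

# Constructed sample: text output of 'compliance assess -t basic', with one
# rule deliberately failing and one deliberately missing from the output.
ASSESS_OUTPUT='Assessment will be named basic.2016-09-07,07:07
Title   The OS version is current
Rule    OSC-53005
Result  pass
Title   All local filesystems are ZFS
Rule    OSC-16005
Result  fail'

# Print the rule IDs that an exported tailoring includes, one per line.
# Comment lines and 'exclude -a' are ignored.
included_rules() {
    printf '%s\n' "$1" | awk '$1 == "include" { print $2 }'
}

# Print "RULE result" pairs from assess output, pairing each Rule line
# with the Result line that follows it.
assess_results() {
    printf '%s\n' "$1" | awk '
        $1 == "Rule"   { rule = $2 }
        $1 == "Result" { print rule, $2 }'
}

# For every included rule, require a result of "pass". Print each rule
# that failed or was not evaluated; return 0 only if there were none.
check_assessment() {
    export_text=$1
    assess_text=$2
    status=0
    results=$(assess_results "$assess_text")
    for rule in $(included_rules "$export_text"); do
        res=$(printf '%s\n' "$results" | awk -v r="$rule" '$1 == r { print $2 }')
        case "$res" in
            pass) ;;
            "")   printf '%s: not evaluated\n' "$rule"; status=1 ;;
            *)    printf '%s: %s\n' "$rule" "$res"; status=1 ;;
        esac
    done
    return $status
}

if check_assessment "$TAILORING_EXPORT" "$ASSESS_OUTPUT"; then
    echo "every included rule was evaluated and passed"
else
    echo "tailoring 'basic': problems listed above"
fi
```

With the constructed input the script lists OSC-16005 as failed and OSC-46000 as not evaluated and exits non-zero; an assessment in which every included rule passes produces no output from check_assessment and a zero exit status, so the function can gate an automated pipeline.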

Example 1-3 Loading a Different Tailoring

In this example, the administrator loads tailorings that are stored but not in current use.

$ pfexec compliance tailor
tailoring> list
basic
firsttest
testg
tailoring> load firsttest
tailoring:firsttest> info
    tailoring=firsttest
    benchmark=solaris
    profile: not set
tailoring:firsttest> load testg
tailoring:testg>