How to Export a Tailoring
Exporting a tailoring lets you examine it for completeness. The export file contains comments that describe the rules that are included and excluded. You can use this file to import the tailoring on a different system for further testing. The directory to which you export the tailoring must be writable by you.
You can also use the export
command to create a file for an IPS package of your tailoring. See How to Create a Package Manifest for a Tailoring.
Example 1-5 Creating a Kerberos Tailoring From the Recommended
Profile
In this example, the administrator creates a tailoring that includes Kerberos compliance rules. The administrator sets the source benchmark and profile and creates a tailoring from the profile plus rules that apply to Kerberos. The export
command shows the effects of the rule inclusions and exclusions.
$ pfexec compliance tailor -t RKerberos tailoring:RKerberos>set benchmark=solaris tailoring:RKerberos>set profile=Recommended tailoring:RKerberos>exclude OSC-28010 tailoring:RKerberos>exclude OSC-30510 tailoring:RKerberos>exclude OSC-31010 tailoring:RKerberos>exclude OSC-31510 tailoring:RKerberos>exclude OSC-63005 tailoring:RKerberos>include OSC-02511 tailoring:RKerberos>commit tailoring:RKerberos>export set tailoring=RKerberos # version=2016-06-14T21:29:32.000+00:00 set benchmark=solaris set profile=Recommended # OSC-28010: Service svc:/network/security/kadmin:default is in disabled state exclude OSC-28010 # OSC-30510: Service svc:/network/security/krb5_prop:default is in disabled state exclude OSC-30510 # OSC-31010: Service svc:/network/security/krb5kdc:default is in disabled state exclude OSC-31010 # OSC-31510: Service svc:/network/shell:kshell is disabled or not installed exclude OSC-31510 # OSC-63005: Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured exclude OSC-63005 # OSC-02511: The auditd(8) daemon is enabled include OSC-02511