How to Run Assessments and Reports Locally

You must be assigned the Software Installation rights profile to add packages to the system. You must be assigned administrative rights for most compliance commands, as described in Rights to Run Compliance Assessments and Reports. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

In this procedure, you create assessment reports locally.

  1. Install the compliance package in every zone where you plan to run compliance tests.
    $ pkg install compliance

    The following message indicates that the package is installed:

    No updates necessary for this image.

    For more information, see the pkg(1) man page.

  2. Install the pkg:/solaris/compliance/benchmark/ehc-solaris-policy package in every zone where you plan to run the ehc benchmark.
    $ pkg install benchmark/ehc-solaris-policy
  3. List the benchmarks and profiles that are available.
    $ compliance list -vp
        ehc:    Standard
                Oracle Enterprise Health Check (EHC) tests
        pci-dss:        Solaris_PCI-DSS
                PCI-DSS Security/Compliance benchmark for Oracle Solaris
        solaris:        Baseline, Recommended
                Oracle Solaris Security Policy
  4. Create an assessment.
    $ pfexec compliance assess -p profile -b benchmark -a assessment-name
    -p profile

    Indicates the name of the profile. The profile name is case sensitive.

    -b benchmark

    Indicates the name of the benchmark. The benchmark name is case sensitive.

    -a assessment-name

    Optional. Indicates the name of the assessment. The default name includes a time stamp.

    For example, the following command assesses the system using the Recommended profile and creates an assessment directory in the compliance repository for the assessment named recommended.

    $ pfexec compliance assess -p Recommended -b solaris -a recommended

    After the command completes, the reports are stored in a plain text log file named log, an XML file named results.xccdf.xml, and an HTML file named report.html.

    $ pfexec compliance report -a recommended
    /var/share/compliance/assessments/12345678-1111-1111-1111-12345678abcd/report.html

    If you run the same compliance assess command again, the files are not replaced. The system differentiates the assessments by UUID. For example:

    $ compliance list -a recommended
    recommended
        UUID: 12345678-1111-1111-1111-12345678abcd
        UUID: ab345678-1111-1111-1111-12345678abcd
  5. View the full report.

    You can view the log file in a text editor, view the HTML file in a browser, or view the XML file in an XML viewer.

    For example, to view the latest report.html, type the following browser entry:

    file:///var/share/compliance/assessments/ab345678-1111-1111-1111-12345678abcd/report.html

    To display an earlier assessment, use its UUID in the browser entry, as in:

    file:///var/share/compliance/assessments/12345678-1111-1111-1111-12345678abcd/report.html
  6. Fix any failures that must pass.
    1. Complete the fix for the entry that failed.
    2. If the fix includes rebooting the system, reboot the system before running the assessment again.
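
To confirm that the fixes in step 6 took effect, you can compare the results.xccdf.xml files of the assessment run before the fix and the one run after it. The following script is an added example, not part of the Oracle documentation or the compliance tooling. It assumes the standard XCCDF rule-result and result elements, and the rule IDs and sample documents in it are constructed.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files parse alike."""
    return tag.rsplit("}", 1)[-1]

def rule_results(xccdf_text):
    """Return {rule idref: result} for every rule-result element."""
    results = {}
    for el in ET.fromstring(xccdf_text).iter():
        if local(el.tag) != "rule-result":
            continue
        outcome = next((c.text.strip() for c in el
                        if local(c.tag) == "result" and c.text), "unknown")
        results[el.get("idref")] = outcome
    return results

def compare(before_text, after_text):
    """Classify rules that failed in either the earlier or later assessment."""
    before, after = rule_results(before_text), rule_results(after_text)
    failing = [r for r in after if after[r] == "fail"]
    return {
        "fixed": sorted(r for r in after
                        if before.get(r) == "fail" and after[r] == "pass"),
        "still_failing": sorted(r for r in failing if before.get(r) == "fail"),
        # Failing now but not before: a new failure or a newly added rule.
        "regressed": sorted(r for r in failing if before.get(r) != "fail"),
    }

# Constructed sample input: minimal XCCDF documents with made-up rule IDs.
TEMPLATE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed">
  <TestResult id="constructed-result">
    <rule-result idref="example-rule-a"><result>{a}</result></rule-result>
    <rule-result idref="example-rule-b"><result>{b}</result></rule-result>
    <rule-result idref="example-rule-c"><result>{c}</result></rule-result>
  </TestResult>
</Benchmark>"""
BEFORE = TEMPLATE.format(a="fail", b="fail", c="pass")
AFTER = TEMPLATE.format(a="pass", b="fail", c="fail")

if __name__ == "__main__":
    for status, rules in compare(BEFORE, AFTER).items():
        print(f"{status}: {', '.join(rules) or '-'}")
```

To use it on real assessments, read the text of the two results.xccdf.xml files (earlier UUID first) and pass them to compare().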