How to Schedule a Regular Assessment of a System Using Its Default Policy

You must be assigned the Compliance Assessor rights profile to schedule assessments that can be added to the assessment store. To run the svccfg, you must be assigned the Service Configuration rights profile. For more information, see Rights to Run Compliance Assessments and Reports and Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

Change the default policy to the correct policy if needed.

List the default policy.

$ compliance get-policy
Benchmark:      solaris
Profile:        Baseline
Tailoring:

List the available benchmarks, profiles, and tailorings.

$ compliance list -p
pci-dss:        Solaris_PCI-DSS
solaris:        Baseline, Recommended
$ compliance list -t
        basic
        RKerberos

You can also use the compliance tailor list command to list the available tailorings.

Set the correct default policy for this system.
In this example, you assign an existing tailoring as the default policy.
```
$ pfbash ; compliance set-policy -t RKerberos
$ compliance get-policy
Benchmark:
Profile:
Tailoring:    RKerberos
```

Before changing to a new schedule, return the schedule to the default schedule.

$ svccfg -s compliance:default delcust
$ svccfg -s compliance:default listprop scheduled
 scheduled           schedule
 scheduled/frequency integer     1
 scheduled/interval  astring     week

Set the new schedule and list it.
```
$ svccfg -s compliance:default setprop scheduled/property  =  type:   value
$ svccfg -s compliance:default listprop scheduled
scheduled           schedule
scheduled/frequency integer     1
scheduled/interval  astring     week
scheduled/property
type
value
$ svcadm refresh compliance:default
```
Several properties are defined for scheduled services, such as scheduled/hour and scheduled/day_of_week. For examples of these properties, see Example 1-12 and Example 1-13. For more information, see How to Schedule a Periodic or Scheduled Service in Managing System Services in Oracle Solaris 11.4 and the svc.periodicd(8) man page.
Refresh the service.
```
$ svcadm refresh compliance:default
```

Enable the service if it is not enabled.

$ svcs -x compliance:default
svc:/application/security/compliance:default (Scheduled compliance assessment)
 State: disabled since Fri Jan  8 10:10:10 2016
Reason: Disabled by an administrator.
   See: http://support.oracle.com/msg/SMF-8000-05
   See: compliance(8)
   See: /var/svc/log/application-security-compliance:default
Impact: This service is not running.
$ svcadm enable compliance:default
$ svcs compliance:default
STATE          STIME    FMRI
online         10:21:22 svc:/application/security/compliance:default

Verify that the initial run is scheduled.

$ svcs -o lrun,nrun compliance:default
LRUN     NRUN 
         Jan_08

After the initial run, verify that the assessment ran.

$ svcs -o lrun,nrun compliance:default
LRUN     NRUN
02:10:10 Jan_08

View the assessment in a browser.

Locate the report.

$ pfexec compliance report
/var/share/compliance/assessments/1111abcd-1111-1111-1111-12345678abcd/report.html

To view the report, type the file location into the browser.

file:///var/share/compliance/assessments/1111abcd-1111-1111-1111-12345678abcd/report.html

Example 1-9 Setting the Default Policy to a Benchmark or Profile

This example sets the default policy to the Recommended profile of the solaris benchmark.

$ compliance list -p
pci-dss:        Solaris_PCI-DSS
solaris:        Baseline, Recommended
$ compliance set-policy -b solaris -p Recommended
$ compliance get-policy
Benchmark:      solaris
Profile:        Recommended
Tailoring:

Example 1-10 Running the ehc Benchmark

This example shows you how to install the ehc-solaris-policy package, list the installed benchmarks, and run the ehc benchmark.

$ pkg install ehc-solaris-policy
...
$ compliance list -b
    ehc
    pci-dss
    solaris
$ compliance assess -b ehc
...

Example 1-11 Setting the Default Policy to an Installed Tailoring

This example sets the default policy to the RKerberos tailoring, which the administrator installed as a package.

$ compliance set-policy -b solaris -t RKerberos
$ compliance get-policy
Benchmark:    solaris
Profile:      Recommended
Tailoring:    RKerberos

For the contents of the RKerberos tailoring, see Creating a Kerberos Tailoring From the Recommended Profile.

Example 1-12 Scheduling the Weekday and Hour of an Assessment

In this example, the root role adds to the default schedule by specifying the day of the week and the hour that the assessment should run. After refreshing the service, root checks that the new schedule is valid.

$ pfbash ; svccfg -s compliance:default setprop scheduled/day  =  astring:  Sunday
$ svccfg -s compliance:default setprop scheduled/hour  =  integer:  2
$ svccfg -s compliance:default listprop scheduled
scheduled           schedule
scheduled/frequency integer     1
scheduled/interval  astring     week
scheduled/day       astring     Sunday
scheduled/hour      integer     2
$ svcadm refresh compliance:default
$ svcs -x compliance:default
svc:/application/security/compliance:default (Scheduled compliance assessment)
 State: online since Fri Jan 08 11:11:11 2016
 ...

Example 1-13 Running a Policy Assessment Daily

In this example, the root role changes the assessment to run daily after 2 a.m. After refreshing the service, root checks that the new schedule is in effect.

$ pfbash ; svccfg -s compliance:default setprop scheduled/interval  =  astring:  day
$ svccfg -s compliance:default setprop scheduled/hour  =  integer:  2
$ svcadm refresh compliance:default
$ svccfg -s compliance:default listprop scheduled
scheduled           schedule
scheduled/frequency integer     1
scheduled/interval  astring     day
scheduled/hour      integer     2
$ svcs compliance:default
STATE          STIME    FMRI
online          11:11:11 svc:/application/security/compliance:default
$ svcs -o lrun,nrun compliance:default
LRUN     NRUN
-        Jan_08