Using Metadata to Manage Assessments
The compliance assess -m matches command enables you to run an assessment with tags that you specify. You can later use these tags to select, list, and delete similarly-tagged assessments. For more information, see the Match Parameters section of the compliance(8) man page. The remote administration daemon (RAD) can retrieve metadata from assessments that are stored remotely.
Example 2-13 Managing Assessments by System Tags
System tags are attached to all assessments. In these examples, the administrator uses system metadata to identify and manage similar assessments.
- This command finds all assessments from the month of September 2016. The output shows the UUID and the name of the assessment.

    $ compliance list -a -m 'Timestamp>2016-08-31 & Timestamp<2016-10-01'
    471761d4-2c39-11e6-bb5e-39c6d85e0d3a Name=passwdLength13Test.2016-09-07,17:57
    069cab5c-2c3c-11e6-bb60-39c6d85e0d3a Name=passwdLength13Test.2016-09-17,17:17

- This command finds all assessments later than the month of August 2016 on the 192.0.2.122 remote system.

    $ compliance list -a -m 'Timestamp>2016-08-31' -N test1@192.0.2.122

- This command finds all assessments that share two tag values on a remote system.

    $ compliance list -a -m 'Timestamp>2016-08-31 & Architecture=sun4v' \
    -N test1@192.0.2.122

- This command finds all assessments from the basic tailoring.

    $ compliance list -am Tailoring=basic
    282356e8-3986-11e6-9c1e-c3e78f99d41d Name=HereBASIC
    3989813e-3e39-11e6-9c22-c3e78f99d41d Name=basicRemote2
    d0deea3e-3e56-11e6-978b-9f0b610d6a70 Name=basicRemote1
    5f0038da-3e58-11e6-978c-9f0b610d6a70 Name=basic.2016-09-07,17:27
    c9d9c748-3e58-11e6-978d-9f0b610d6a70 Name=basic.Remote1

- This series of commands finds all assessments that begin with example, copies them, lists the remote copies, then deletes the original assessments on the local system.

    $ compliance list -a -m "Name>example & Name<f"
    33333333-4ea1-11e6-9691-fbfbfbfbfbfb Name=example-roster.2016-09-07,10:41
    11111111-4ea2-11e6-9692-abababababab Name=example-roster.2016-09-07,10:47
    22222222-4ea3-11e6-9693-dededededede Name=example-roster.2016-09-07,10:55
    $ pfexec compliance store -s mysparc -m "Name>example & Name<f"
    $ compliance list -N mysparc -m "Name>example & Name<f"
    Benchmarks:
    pci-dss
    solaris
    Assessments:
    33333333-4ea1-11e6-9691-fbfbfbfbfbfb Name=example-roster.2016-09-07,10:41
    11111111-4ea2-11e6-9692-abababababab Name=example-roster.2016-09-07,10:47
    22222222-4ea3-11e6-9693-dededededede Name=example-roster.2016-09-07,10:55
    $ pfexec compliance delete -n -m "Name>example & Name<f"
    would delete assessment UUID=33333333-4ea1-11e6-9691-fbfbfbfbfbfb, Name=example-roster.2016-09-07,10:41
    would delete assessment UUID=11111111-4ea2-11e6-9692-abababababab, Name=example-roster.2016-09-07,10:47
    would delete assessment UUID=22222222-4ea3-11e6-9693-dededededede, Name=example-roster.2016-09-07,10:55
    $ pfexec compliance delete -m "Name>example & Name<f"
Example 2-14 Deleting Assessments by Metadata
In these examples, the administrator deletes assessments based on their metadata.
- This command finds all assessments that were run on SPARC systems, deletes them, and verifies the deletion.

    $ compliance list -am Architecture=sun4v
    62622916-2dc8-11e6-9c14-c3e78f99d41d Name=basic.2016-07-07,15:28
    87846452-2e90-11e6-9c15-c3e78f99d41d Name=basic.2016-07-09,15:21
    abc11504-2e90-11e6-9c16-c3e78f99d41d Name=basic.2016-07-09,15:22
    $ pfexec compliance delete -am Architecture=sun4v
    $ compliance list -am Architecture=sun4v
    $
- This command finds all assessments whose name begins with default and then deletes them.

    $ compliance list -am "Name>default & Name<defaulu"
    94f67aae-3a24-11e6-bb79-39c6d85e0d3a Name=default.2016-09-07,08:59
    8142085e-52be-11e6-905f-753ff3457658 Name=default.2016-09-25,16:21
    $ pfexec compliance delete -am "Name>default & Name<defaulu"
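The prefix searches in Examples 2-13 and 2-14 express "begins with" as a range (Name>example & Name<f, Name>default & Name<defaulu). The shell functions below are an added example, not part of the Oracle documentation: they build the tightest such range for any prefix and check listed names against the prefix before a delete. The names prefix_upper, prefix_match and unexpected_names are hypothetical helpers, and the code assumes ASCII prefixes and character-by-character string comparison, as the page's examples imply.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation). Assumes ASCII prefixes
# and character-by-character string comparison, as the page's examples imply.

# prefix_upper PREFIX: PREFIX with its last character incremented
# (default -> defaulu), the smallest string above every name with that prefix.
prefix_upper() {
    [ -n "$1" ] || return 1
    head=${1%?}
    last=${1#"$head"}
    code=$(printf '%d' "'$last")
    # Refuse anything whose successor is not printable ASCII.
    [ "$code" -ge 32 ] && [ "$code" -lt 126 ] || return 1
    printf '%s%b' "$head" "\\0$(printf '%o' $((code + 1)))"
}

# prefix_match TAG PREFIX: range expression in the form used on this page.
prefix_match() {
    upper=$(prefix_upper "$2") || return 1
    printf '%s>%s & %s<%s' "$1" "$2" "$1" "$upper"
}

# unexpected_names PREFIX: read "UUID Name=..." lines (the output format of
# `compliance list -a -m`) on stdin; print every assessment whose name does
# not start with PREFIX and return non-zero if there is one.
unexpected_names() {
    awk -v p="$1" '$2 ~ /^Name=/ && index(substr($2, 6), p) != 1 { print; bad = 1 }
        END { exit bad }'
}

# Constructed sample: a wide range such as "Name>example & Name<f" also
# selects names like "exports...", which the prefix check flags.
sample='33333333-4ea1-11e6-9691-fbfbfbfbfbfb Name=example-roster.2016-09-07,10:41
00000000-0000-0000-0000-000000000000 Name=exports-audit.2016-09-08,09:00'

prefix_match Name example; echo
printf '%s\n' "$sample" | unexpected_names example || echo "range is wider than the prefix"

# On a system with compliance(8), using only options shown on this page:
#   m=$(prefix_match Name example)
#   compliance list -a -m "$m" | unexpected_names example &&
#       pfexec compliance delete -n -m "$m"
```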
Example 2-15 Copying Assessments by Metadata
In this example, the administrator finds assessments that were run on SPARC systems and copies them to a common store. The assessments are now in two locations, the local system and the common store.

    $ compliance list -am Architecture=sun4v
    62622916-2dc8-11e6-9c14-c3e78f99d41d Name=basic.2016-07-07,15:28
    87846452-2e90-11e6-9c15-c3e78f99d41d Name=basic.2016-07-09,15:21
    abc11504-2e90-11e6-9c16-c3e78f99d41d Name=basic.2016-07-09,15:22
    $ pfexec compliance store -N mycommonstore -am Architecture=sun4v