With version 11.1 Oracle added OpenSCAP to its Solaris IPS repository.
OpenSCAP uses NIST standards to verify the compliance of a system, whether it is about installed packages or certain system configurations. This sounds really great, but it is not that easy to handle. There are a few tools out there to handle the different data exchange formats and help you create your own checks, which means you will end up with a handful of tools to manage the compliance topic. Still better than nothing, though, or doing it all by hand.
Solaris engineering, though, seemed to feel for the users and used their Python expertise to simplify the user experience. With Solaris 11.2 there are only a few things to know to get started.
OpenSCAP is still installed, but the user doesn’t need to use its complex command structure. With Solaris 11.2 it is all about compliance! And that’s the command too. Easy, right!
Let’s start with the compliance command.
# compliance
No command specified
Usage:
        compliance list [-v] [-p]
        compliance list -b [-v] [-p] [benchmark ...]
        compliance list -a [-v] [assessment ...]
        compliance guide [-p profile] [-b benchmark] [-o file]
        compliance guide -a
        compliance assess [-p profile] [-b benchmark] [-a assessment]
        compliance report [-f format] [-s what] [-a assessment] [-o file]
        compliance delete assessment
As you can see, this will be almost trivial to use. The commands speak for themselves. List will show you information about benchmarks, profiles and assessments. Guide is great for people who like to read about a feature before using it ;). Assess will get you really going and by default outputs everything on stdout. Report lets you generate reports in three different formats (log, xccdf, and html).
After you have installed compliance
# pkg install compliance
you are ready to run compliance checks. And as I said before, it is simple, without any additional configuration needed.
# compliance assess
Assessment will be named 'solaris.Baseline.2015-02-02,11:14'
        Package integrity is verified
        OSC-54005
        ...
        Check all default audit properties
        OSC-02000
        pass
Done. Actually, if you just want to get started with compliance and get the hang of it, this would be all you need. What this does is use the default benchmark and its default profile.
In this case it is solaris – Baseline. Instead of just using assess you could also say compliance assess -b solaris -p Baseline, but there is no need for all the extra typing unless you want to use a different benchmark and/or profile.
# compliance list -p
Benchmarks:
pci-dss:        Solaris_PCI-DSS
solaris:        Baseline, Recommended
Assessments:
        solaris.Baseline.2014-12-22,20:52
As you can see above, -p will not only list the available assessment(s) and benchmarks but also their profile(s).
The following will run the pci-dss benchmark.
# compliance assess -b pci-dss
Let’s check out the report command. As I mentioned earlier in this post, compliance in Solaris 11.2 is all about giving the user the opportunity to take care of compliance in a simple administrative way.
So this is how you generate an HTML report:
# compliance report
/var/share/compliance/assessments/solaris.Baseline.2015-02-02,11:14/report.html
The header includes a handful of information like the hostname, date, profile, etc. The score indicates how many of the run tests failed or passed. For more details just look at the Rule Results Summary. As you can see, out of 200 rules/tests/checks 125 passed, 18 failed, and 57 were not selected. If a rule fails, just click on the link and more information will be provided.
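The same pass/fail/not-selected tally can be pulled from the xccdf report format for scripting. The following is an added example, not part of the original post or of Solaris: it assumes the file written by compliance report -f xccdf -o <file> follows the standard XCCDF layout (rule-result elements with a result child), and the sample document, rule ids and function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of an XCCDF results document (not real Solaris output).
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="sample_benchmark">
  <TestResult id="sample_result">
    <rule-result idref="rule_A"><result>pass</result></rule-result>
    <rule-result idref="rule_B"><result>fail</result></rule-result>
    <rule-result idref="rule_C"><result>notselected</result></rule-result>
    <rule-result idref="rule_D"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>"""


def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files parse alike."""
    return tag.rsplit("}", 1)[-1]


def summarize(xml_text):
    """Return (Counter of result values, list of failed rule ids)."""
    counts, failed = Counter(), []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "rule-result":
            continue
        result = next(((c.text or "unknown").strip() for c in el
                       if local(c.tag) == "result"), "unknown")
        counts[result] += 1
        if result == "fail":
            failed.append(el.get("idref"))
    return counts, failed


def unexpected_failures(xml_text, allowed=()):
    """Failed rules that are not on a reviewed allow-list (e.g. rules
    known to fail until a later SRU fixes the check itself)."""
    _, failed = summarize(xml_text)
    return sorted(set(failed) - set(allowed))


if __name__ == "__main__":
    # Usage (assumed workflow): compliance report -f xccdf -o results.xml
    #                           python summarize.py results.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XCCDF
    counts, _ = summarize(text)
    print(dict(counts))
    bad = unexpected_failures(text)
    print("unexpected failures:", bad)
    sys.exit(1 if bad else 0)
```

The non-zero exit status on unexpected failures lets a scheduled job or build step flag a host whose assessment regressed.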
It can’t be easier than this. I am aware that there are tools out there and that this is OpenSCAP in the background, but which OS provides you such a handy tool to skip the annoying usage of extremely long commands or the setup of third-party tools?
And remember this was only the basics which everyone can do right away after installation. Compliance has more to offer than just this.
As Darren Moffat already pointed out in his blog entry, so far this needs to be done on the server itself, but the engineers are working on a remote version of compliance.
One more small thing: don’t panic if you run into failed rules which in your eyes should pass. The compliance team is aware of this and will deliver the fixes within the upcoming SRUs. Most tests have already been fixed. So the best thing would be to use the latest version. Latest is greatest!