With Solaris 11.3 Oracle added a new feature to compliance. It is called tailoring, and it does pretty much exactly that. Instead of you having to customize benchmark files manually, tailoring does the job for you. That’s the trivial description of what tailoring does.
But underneath the hood tailoring is capable of so much more. Used the right way it takes the automation of compliance reporting to a more sophisticated level.
How to get started
Before talking about how tailoring can enhance the way you use and customize compliance in Solaris let me quickly walk you through how it works.
Using tailoring is as simple and intuitive as running an assessment. All you need to do is type “compliance tailor -t
Example without the option:
ROOT@AP6S500 > compliance tailor
Documented commands (type help ):
========================================
clear   delete   exit    include  list  pick  value
commit  exclude  export  info     load  set   values
Miscellaneous help topics:
==========================
tailoring
tailoring> set tailoring=tailoring.tm
tailoring:tailoring.tm> info
Properties:
tailoring=tailoring.tm
benchmark: not set
profile: not set
tailoring:tailoring.tm>
Example with -t:
ROOT@AP6S500 > compliance tailor -t tailoring.tm2
*** compliance tailor: Can't load tailoring 'tailoring.tm2': no existing tailoring: 'tailoring.tm2', initializing
tailoring:tailoring.tm2> info
Properties:
tailoring=tailoring.tm2
benchmark: not set
profile: not set
As the examples already showed, the tailoring CLI command info shows which tailoring, benchmark and profile are set.
From this point on you could use set …=… all the way until your tailoring is done and you commit it. If you would rather save some time and typing, pick will be the command of your choice.
Use the arrow keys to navigate up and down and pick the benchmark and profile that you would like to use for your tailoring. This can be seen as a sort of template. When you have made your selection, press ESC. info will show what you selected.
tailoring:tailoring.tm2> info
Properties:
tailoring=tailoring.tm2
benchmark=tm
profile=tm
tailoring, benchmark and profile are set, which means tests can be picked now.
The picture above shows the tests of the earlier chosen benchmark and profile. “x” stands for excluded while “>” indicates an activated test. This is where you tailor your compliance check. As before press “ESC” when you are done.
With the command export you can see what changes you have made. The output shown consists of the commands that can be used to manually include and exclude tests instead of using pick.
tailoring:tailoring.tm2> export
set tailoring=tailoring.tm2
# version=2016-02-26T16:44:36.000+00:00
set benchmark=tm
set profile=tm
tailoring:tailoring.tm2> pick
tailoring:tailoring.tm2> export
set tailoring=tailoring.tm2
# version=2016-02-26T17:02:10.000+00:00
set benchmark=tm
set profile=tm
# ivv-000: Compliance integrity is given
exclude ivv-000
# ivv-001: LDAP client configuration is ok
include ivv-001
# OSC-54005: Package integrity is verified
exclude OSC-54005
# OSC-53005: The OS version is current
exclude OSC-53005
# OSC-53505: Package signature checking is globally activated
exclude OSC-53505
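An added example (not from the original post): a small shell helper that reads an export command file in the format shown above and lists what the tailoring changes, so the excluded checks can be reviewed before the tailoring is committed or packaged. The function names are illustrative, and the sample input is the second export from this post.

```shell
# Added example: review a `compliance tailor` export command file.
# Format (as in the export output above): a "# <rule-id>: <title>" comment
# followed by "include <rule-id>" or "exclude <rule-id>".

# tailoring_base FILE: print the benchmark and profile the tailoring builds on.
tailoring_base() {
    awk '$1 == "set" && $2 ~ /^(benchmark|profile)=/ { printf "%s%s", s, $2; s = " " }
         END { print "" }' "$1"
}

# tailoring_delta FILE: print "<action> <rule-id> <title>" per changed rule.
tailoring_delta() {
    awk '/^# [^ ]+: / {                 # title comment preceding a rule line
             id = $2; sub(/:$/, "", id)
             t = $0;  sub(/^# [^ ]+: /, "", t)
             title[id] = t; next
         }
         $1 == "include" || $1 == "exclude" {
             print $1, $2, (($2 in title) ? title[$2] : "(no title)")
         }' "$1"
}

# tailoring_excluded FILE: only the checks this tailoring switches off.
tailoring_excluded() {
    tailoring_delta "$1" | awk '$1 == "exclude" { sub(/^exclude /, ""); print }'
}

# Sample input: the second export from this post, copied to a temp file.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
set tailoring=tailoring.tm2
# version=2016-02-26T17:02:10.000+00:00
set benchmark=tm
set profile=tm
# ivv-000: Compliance integrity is given
exclude ivv-000
# ivv-001: LDAP client configuration is ok
include ivv-001
# OSC-54005: Package integrity is verified
exclude OSC-54005
# OSC-53005: The OS version is current
exclude OSC-53005
# OSC-53505: Package signature checking is globally activated
exclude OSC-53505
EOF
echo "base: $(tailoring_base "$sample")"
tailoring_excluded "$sample"
```

Run against a saved export, the excluded list shows at a glance that this tailoring drops the two integrity checks, which is the kind of change worth a second look before the file is rolled out.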
Should you be interested in what the tailoring file itself will look like, simply use the option -x. This will give you the XML output.
All that is left to do is commit your changes et voilà … exit and done!
In case you have been fiddling around and created a few tailorings already, the list command will list all the existing tailorings.
Tailoring vs. Benchmarks/Profiles only
After we flew through the basics of Solaris compliance tailoring we already know enough to talk about why EVERYONE should use tailoring.
Maybe you have read one or even all of my earlier Solaris Compliance posts or heard me talking about it; if so, you might remember me saying it is really quite fast and simple to customize. Well, it just got way easier. Not all out of the box yet but almost and I am sure someone already requested an enhancement. :-D
So what am I talking about?!
The files for Solaris compliance can be found under two paths. One is /usr/lib/compliance. This was probably the only one that you might have been working in in case you customized anything. For adding benchmarks, adding tests or editing profiles this was/is where you do it. Other than that all the content here is pretty much static until a change might come with an update (SRU). With Solaris 11.3 and tailoring the compliance benchmark directories received another directory called tailorings. By default this is empty.
All the changes made and information generated while using the compliance command are stored under /var/share/compliance. It is important to understand that this content should stay untouched. Just leave this path to Solaris and the engineering. But it is always nice and helpful to know where to look for changes.
Let’s take a look at /var/share/compliance/tailorings.
G muehle@AP6S500 % ls -l /var/share/compliance/tailorings
total 60
-rw-r--r-- 1 root root 495 Feb 16 14:21 ivv-tailor.xccdf.xml
-rw-r--r-- 1 root root 964 Feb 16 14:05 tailoring.tm.xccdf.xml
-rw-r--r-- 1 root root 952 Feb 26 18:07 tailoring.tm2.xccdf.xml
-rw-r--r-- 1 root root 489 Feb 17 14:03 test.xccdf.xml
-rw-r--r-- 1 root root 24844 Feb 17 15:11 test123.xccdf.xml
This is the place where compliance tailor saves the tailorings after committing them. The content of /var/share/compliance/tailorings/tailoring.tm2.xccdf.xml is exactly what export -x showed us earlier.
Another very interesting directory is /var/share/compliance/assessments. I will write more about why this is hopefully soon. I am working on customizing Solaris compliance for a larger scale environment and this directory plays an important role for that.
But let’s get back on track and talk about how much of an enhancement tailoring is.
At the moment we have different IPS packages with different benchmarks. Each with different profiles. Just so different scenarios are covered.
Which means we spend some time customizing large XML files and we also do have to spend time on maintaining it.
Now, all we do is package up your tailoring file or a compliance tailor -f command file with includes and excludes in IPS. Less complexity and less maintaining! No more duplicating lines and lines of code only to have a different set of tests that is supposed to be used.
When you think about it, tailorings are the delta to a certain benchmark. So, what if you had one large benchmark that includes all the available tests and, let’s say, a preconfigured profile for solaris, pci-dss and a “complete profile”? To create your own profile just place your tailoring in /usr/lib/compliance/benchmark/benchmark-name/tailorings/ and run the following:
# compliance assess -t tailoring-name
Using different tests depending on the application has become really simple and quick to prepare and do. Your tailoring works everywhere, no matter if a benchmark has tests included or excluded. Really nice! Add IPS and Puppet to all of this and you can spend much more time on other topics.
Right now this “complete” benchmark needs to be created by the customer. Not much of a problem if you already took care of that, but I would guess not too many have. But even if you have your own all-containing benchmark, with each update you might be missing something in it. Tests or whatsoever. So you still have to maintain thousands of lines of XML content. :-(
So hopefully such a benchmark will make it into a future release of compliance.
Tailoring simplifies Solaris Compliance a lot and saves you a lot of time. It is great! Try it!