Tailoring meets Solaris Compliance

With Solaris 11.3 Oracle addded a new feature to compliance. Tailoring it is called and pretty much does exactly that. Instead of having to manually customize benchmark files tailoring will do the job for you. That’s the trivial description of what tailoring does.
But underneath the hood tailoring is capable of so much more. Used the right way it takes the automation of compliance reporting to a more sophisticated level.

How to get started

Before talking about how tailoring can enhance the way you use and customize compliance in Solaris let me quickly walk you through how it works.
Using tailoring is as simple and intuitive as running an assessment. All you need to do is type “compliance tailor -t “. The -t option declares which tailoring shall be loaded. In case none exists it will be created. It is not a required option but in order to store the tailoring you will have to set the name manually by using “set tailoring=” later on anyway.

Example without the option:

ROOT@AP6S500 > compliance tailor

Documented commands (type help ):
clear   delete   exit    include  list  pick  value 
commit  exclude  export  info     load  set   values

Miscellaneous help topics:

tailoring> set tailoring=tailoring.tm
tailoring:tailoring.tm> info
        benchmark: not set
        profile: not set

Example with -t:

ROOT@AP6S500 > compliance tailor -t tailoring.tm2 
*** compliance tailor: Can't load tailoring 'tailoring.tm2': no existing tailoring: 'tailoring.tm2', initializing

tailoring:tailoring.tm2> info
        benchmark: not set
        profile: not set

As the examples already showed the tailoring CLI command info shows which tailoring, benchmark and profile are set.
From this point on you could use set …=… all the way till your tailoring is done and you commit it. If you rather would like to save some time and typing pick will be the command of your choice.

tailoring:tailoring.tm2> pick

Use the arrow-keys to navigate up and down and pick the benchmark and profile that you would like to take for your tailoring. This can be seen as sort of a template. When you have done your selection pres ESC. info will show what you selected.

tailoring:tailoring.tm2> info

tailoring, benchmark and profile are set, which means tests can be picked now.

tailoring:tailoring.tm2> pick

The picture above shows the tests of the earlier chosen benchmark and profile. “x” stands for excluded while “>” indicates an activated test. This is where you tailor your compliance check. As before press “ESC” when you are done.
With the command export yo can see what changes you have made. The output that is shown then are the commands that can be used to manually include and exclude tests instead of using pick.

tailoring:tailoring.tm2> export
set tailoring=tailoring.tm2
# version=2016-02-26T16:44:36.000+00:00
set benchmark=tm
set profile=tm
tailoring:tailoring.tm2> pick
tailoring:tailoring.tm2> export
set tailoring=tailoring.tm2
# version=2016-02-26T17:02:10.000+00:00
set benchmark=tm
set profile=tm
# ivv-000: Compliance integrity is given
exclude ivv-000
# ivv-001: LDAP client configuration is ok
include ivv-001
# OSC-54005: Package integrity is verified
exclude OSC-54005
# OSC-53005: The OS version is current
exclude OSC-53005
# OSC-53505: Package signature checking is globally activated
exclude OSC-53505

Should you be interested in how the tailoring file itself will look like simply use the option -x. This will give you the XML output.
All that is left to do is commit your changes et voilá … exit and done!
In case you have been fiddling around and create a few tailorings already the list will list all the existing tailorings.

Tailoring vs. Benchmarks/Profiles only

After we flew through the basics of Solaris compliance tailoring we are already know enough to talk about why EVERYONE should use tailoring.
Maybe you have read one or even all of my earlier Solaris Compliance posts or heard me talking about it, if you might remember me saying it is really quiet fast and simple to customize. Well, it just got way easier. Not all out of the box yet but almost and I am sure someone already requested an enhancement. :-D
So what am I talking about?!
The files for Solaris compliance can be found under two paths. One is /usr/lib/compliance. This was probably the only one that you might have been working in in case you customized anything. For adding benchmarks, adding tests or editing profiles this was/is where you do it. Other than that all the content here is pretty much static until a change might come with an update (SRU). With Solaris 11.3 and tailoring the compliance benchmark directories received another directory called tailorings. By default this is empty.
All the changes and information done while using the compliance command are done under /var/share/compliance. It is important to understand that this content should stay untouched. Just leave this path to Solaris and the engineering. But it is always nice and helpful to know where to look for changes.
Let’s take a look at /var/share/compliance/tailorings.

G muehle@AP6S500 % ls -l /var/share/compliance/tailorings 
total 60
-rw-r--r--   1 root     root         495 Feb 16 14:21 ivv-tailor.xccdf.xml
-rw-r--r--   1 root     root         964 Feb 16 14:05 tailoring.tm.xccdf.xml
-rw-r--r--   1 root     root         952 Feb 26 18:07 tailoring.tm2.xccdf.xml
-rw-r--r--   1 root     root         489 Feb 17 14:03 test.xccdf.xml
-rw-r--r--   1 root     root       24844 Feb 17 15:11 test123.xccdf.xml

This is the place compliance tailor saves the tailorings after committing it. The content of /var/share/compliance/tailorings/tailoring.tm2.xccdf.xml is exactly what export -x showed us earlier.

Another very interesting directory is /var/share/compliance/assessments. I will write more about why this is hopefully soon. I am working on customizing Solaris compliance for a larger scale environment and this directory plays an important role for that.

But let’s get back on track and talk about how much of an enhancement tailoring is.
At the moment we have different IPS packages with different benchmarks. Each with different profiles. Just so different scenarios are covered.
Which means we spend some time customizing large XML files and we also do have to spend time on maintaining it.
Now, all we do is package up your tailoring file or a compliance tailor -f command file with includes and excludes in IPS. Less complexity and less maintaining! No more duplicating lines and lines of code only to have a different set of tests that is suppose to be used.
When you think about it tailorings are the delta to a certain benchmark. So, what if you would have one large benchmark that includes all the available tests and let’s say a preconfigured profile for solaris, pci-dss and a “complete profile”. To cerate your own profile just place your tailoring in /usr/lib/compliance/benchmark/benchmark-name/tailorings/ and run the following:

# compliance assess -t tailoring-name

Using different tests depending on the application has become really simple and quick to prepare and do. Your tailoring works everywhere no matter if a benchmarks has tests included or excluded. Really nice! Add IPS and Puppet to all of this and you can much more time on other topics.

Right now this “complete” benchmark needs to be created by the customer. Not much of a problem if you already took care of that but I would guess not too many have. But even if you have your own all containing benchmark with each update you might be missing something in it. Tests or what so ever. So you still have to maintain thousands of lines of XML content. :-(
So hopefully such a benchmark will make it into a future release of compliance.

Tailoring simplifies Solaris Compliance a lot and saves you a lot of time. It is great! Try it!

Leave a Reply

Your email address will not be published. Required fields are marked *