Tuesday, January 12, 2016

Solaris 11.2 – Security Compliance

With version 11.1 Oracle added OpenSCAP to its Solaris IPS repository.
OpenSCAP uses NIST standards (SCAP) to verify the compliance of a system, whether that concerns installed packages or particular system configurations. This sounds great, but it is not that easy to handle: there are a few tools out there for dealing with the different data exchange formats and for helping you create your own checks, which means you end up with a handful of tools to manage the compliance topic. Still better than nothing, or than doing it all by hand.
Solaris engineering, however, seems to have sympathized with its users and put its Python expertise to work to simplify the experience. With Solaris 11.2 there are only a few things you need to know to get started.
OpenSCAP is still installed, but the user no longer needs to deal with its complex command structure. With Solaris 11.2 it is all about compliance, and that is the name of the command too. Easy, right?
Let’s start with the compliance command.
# compliance
No command specified
Usage:
        compliance list [-v] [-p]
        compliance list -b [-v] [-p] [benchmark ...]
        compliance list -a [-v] [assessment ...]
        compliance guide [-p profile] [-b benchmark] [-o file]
        compliance guide -a
        compliance assess [-p profile] [-b benchmark] [-a assessment]
        compliance report [-f format] [-s what] [-a assessment] [-o file]
        compliance delete assessment
As you can see, this is almost trivial to use. The command speaks for itself. List shows you information about benchmarks, profiles and assessments. Guide is great for people who like to read about a feature before using it ;). Assess gets you really going and by default prints everything on stdout. Report lets you generate reports in three different formats (log, xccdf, and html).
After you have installed compliance
# pkg install compliance
you are ready to run compliance checks. As I said before, it is simple and needs no additional configuration.
# compliance assess
Assessment will be named 'solaris.Baseline.2015-02-02,11:14'
        Package integrity is verified
        OSC-54005
...
        Check all default audit properties
        OSC-02000
        pass
Done. If you just want to get started with compliance and get the hang of it, this is all you need. What this does is run the default benchmark with its default profile.
In this case that is the solaris benchmark with the Baseline profile. Instead of plain assess you could also type compliance assess -b solaris -p Baseline, but there is no need for the extra typing unless you want to use a different benchmark and/or profile.
# compliance list -p
Benchmarks:
pci-dss:        Solaris_PCI-DSS
solaris:        Baseline, Recommended
Assessments:
        solaris.Baseline.2014-12-22,20:52
As you can see above, -p lists not only the available benchmarks and assessments but also each benchmark's profiles.
The following will run the pci-dss benchmark.
# compliance assess -b pci-dss
Let’s check out the report command. As I mentioned earlier in this post, compliance in Solaris 11.2 is all about letting the administrator take care of compliance in a simple way.
So this is how you generate an HTML report (the command prints the path of the file it wrote):
# compliance report
/var/share/compliance/assessments/solaris.Baseline.2015-02-02,11:14/report.html

The header includes a handful of information such as the hostname, date, profile, etc. The score indicates how many of the executed tests passed or failed. For more details just look at the Rule Results Summary. As you can see, out of 200 rules/tests/checks 125 passed, 18 failed, and 57 were not selected. If a rule fails, just click on the link and more information will be provided.

For example, the following command creates an assessment using the Recommended profile.
# compliance assess -p Recommended -a recommended
The command creates a directory in /var/share/compliance/assessments named recommended that contains the assessment in three files: a log file, an XML file, and an HTML file.
# cd /var/share/compliance/assessments/recommended
# ls
recommended.html
recommended.txt
recommended.xml
If you run this command again, the files are not replaced. You must remove the files before reusing an assessment directory.
(Optional) Create a customized report.
# compliance report -s -pass,fail,notselected
/var/share/compliance/assessments/recommended/report.-pass,fail,notselected.html
This command creates a report that contains failed and not selected items in HTML format. The report is run against the most recent assessment.
You can run customized reports repeatedly. However, you can run the full reports, that is, the assessment, only once in the original directory.
View the full report.
You can view the log file in a text editor, view the HTML file in a browser, or view the XML file in an XML viewer.
For example, to view the customized HTML report from the preceding step, type the following browser entry:
file:///var/share/compliance/assessments/recommended/report.-pass,fail,notselected.html
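Instead of opening the XML file in a viewer, you can tally it programmatically. The following is an added example, not code from this post or from Oracle: it reads an XCCDF results document (the standard the xccdf report format and the .xml assessment file follow) and counts pass, fail and notselected results the way the Rule Results Summary does. The document is a constructed sample, and its rule idrefs are shortened to the OSC-NNNNN ids shown in the assess output above, not the full ids Solaris writes.

```python
# Added example, not from the original post or from Oracle: tally the
# rule results in an XCCDF results document such as the .xml file that
# `compliance assess` writes. Tags are matched by local name, so it works
# with either the XCCDF 1.1 or 1.2 namespace.
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample; the idrefs are shortened to the OSC-NNNNN ids seen in
# the `compliance assess` output above, not the full ids Solaris writes.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="sample_benchmark">
  <TestResult id="sample_testresult" start-time="2015-02-02T11:14:00">
    <rule-result idref="OSC-02000"><result>pass</result></rule-result>
    <rule-result idref="OSC-54005"><result>fail</result></rule-result>
    <rule-result idref="OSC-15000"><result>notselected</result></rule-result>
    <rule-result idref="OSC-16000"><result>pass</result></rule-result>
    <rule-result idref="OSC-17000"><result>fail</result></rule-result>
    <rule-result idref="OSC-18000"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>
"""

def _local(tag):
    """Strip the namespace part of an ElementTree tag ('{ns}result' -> 'result')."""
    return tag.rsplit("}", 1)[-1]

def summarize_results(xml_text):
    """Return (counts per result value, list of failed rule idrefs)."""
    counts = Counter()
    failed = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "rule-result":
            continue
        result = next((c.text.strip() for c in elem
                       if _local(c.tag) == "result" and c.text), "unknown")
        counts[result] += 1
        if result == "fail":
            failed.append(elem.get("idref"))
    return counts, failed

def pass_rate(counts):
    """Share of evaluated rules that passed; notselected rules do not count."""
    evaluated = counts["pass"] + counts["fail"]
    return counts["pass"] / evaluated if evaluated else 0.0

if __name__ == "__main__":
    counts, failed = summarize_results(SAMPLE_XCCDF)
    print(dict(counts), "failed:", failed, "pass rate:", round(pass_rate(counts), 3))
```

Point summarize_results at the contents of recommended.xml to get the same tally for a real assessment; the failed idrefs are the rules to look up in the guide.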

Fix any failures that your security policy requires to pass.
  1. Complete the fix for the entry that failed.
  2. If the fix includes rebooting the system, reboot the system before running the assessment again.
(Optional) Run the compliance command as a cron job.
# crontab -e
For daily compliance assessments at 2:30 a.m., root adds the following entry:
30 2 * * * /usr/bin/compliance assess -b solaris -p Baseline
For weekly compliance assessments at 1:15 a.m. Sundays, root adds the following entry:
15 1 * * 0 /usr/bin/compliance assess -b solaris -p Recommended
For monthly assessments on the first of the month at 4:00 a.m., root adds the following entry:
0 4 1 * * /usr/bin/compliance assess -b pci-dss
For assessments on the first Monday of the month at 3:45 a.m., root adds the following entry:
45 3 1,2,3,4,5,6,7 * 1 /usr/bin/compliance assess
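The entries above can be checked against a calendar before they go into root's crontab. The following is an added example, not from this post or from Oracle. It applies the crontab(1) rule that when both the day-of-month and day-of-week fields are restricted, a day matching either field fires the job (assumed here; confirm it in your system's crontab(1) man page), which is why the last entry also fires on the 1st through the 7th of every month, not only on the first Monday.

```python
# Added example, not from the original post or from Oracle: expand crontab
# entries and list the calendar days on which they fire. Day-of-month and
# day-of-week are combined with OR when both are restricted, as crontab(1)
# documents (assumed here; check the man page on your system).
from datetime import date, timedelta

def parse_field(spec, lo, hi):
    """Expand one crontab field ('*', '1,2', '1-5', '*/15') into a set of ints."""
    values = set()
    for part in spec.split(","):
        part, _, step = part.partition("/")
        step = int(step) if step else 1
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values

def parse_entry(line):
    """Split a crontab line into its five field sets plus the command string."""
    fields = line.split(None, 5)
    minute, hour, dom, month, dow = fields[:5]
    return {
        "minute": parse_field(minute, 0, 59), "hour": parse_field(hour, 0, 23),
        "dom": parse_field(dom, 1, 31), "month": parse_field(month, 1, 12),
        "dow": parse_field(dow, 0, 6), "dom_spec": dom, "dow_spec": dow,
        "command": fields[5] if len(fields) > 5 else "",
    }

def fires_on(entry, day):
    """True if the entry runs on this calendar day (crontab day semantics)."""
    if day.month not in entry["month"]:
        return False
    dom_ok = day.day in entry["dom"]
    dow_ok = day.isoweekday() % 7 in entry["dow"]   # cron: Sunday is 0
    if entry["dom_spec"] == "*":
        return dow_ok
    if entry["dow_spec"] == "*":
        return dom_ok
    return dom_ok or dow_ok      # both restricted: either field matching fires

def run_days(line, start_iso, days):
    """ISO dates within [start, start+days) on which the crontab entry fires."""
    entry, start = parse_entry(line), date.fromisoformat(start_iso)
    candidates = (start + timedelta(d) for d in range(days))
    return [d.isoformat() for d in candidates if fires_on(entry, d)]
```

For January 2016 the "first Monday" entry yields ten days (the 1st to the 7th plus the remaining Mondays), while the weekly entry yields the five Sundays.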


(Optional) Create a guide for some or all of the benchmarks that are installed on your system.
# compliance guide -a
A guide contains the rationale for each security check and the steps to fix a failed check. Guides are useful for training and as guidelines for future testing. By default, guides for each security profile are created at installation. If you add or change a benchmark, you may want to create a new guide.

2 comments:

  1. How can I install OpenSCAP on Solaris 11?

    1. I answer myself. It is included in the "pkg install compliance" installation.
