
Compliance reporting with SCAP

Darren Moffat
Senior Software Architect

In Solaris 11.1 we added the early stages of our (security) Compliance framework.  We have (like some other OS vendors) chosen to use the SCAP (Security Content Automation Protocol) standard from NIST.  There are a number of different parts to SCAP, but for compliance reporting one of the important parts is the OVAL (Open Vulnerability Assessment Language) standard.  This is what allows us to write a checkable security policy and verify it against running systems.

The Solaris 11.1 repository includes the OpenSCAP tool, which lets us evaluate policies written in the OVAL language and generate reports from them (it does other things as well, but I'm only focusing on OVAL for now).

OVAL is expressed in XML with a number of generic and OS/application-specific schemas.  Over time we expect to deliver various sample security policies with Solaris to help customers with compliance reporting in various industries (e.g. PCI-DSS, DISA-STIG, HIPAA).

The XML in the OVAL language is passed to the OpenSCAP tool for evaluation.  It produces either a simple text report of which checks passed and which failed, or an XML results file and an optional rendered HTML report.

Let's look at a simple example of a policy written in OVAL.  It contains just one check: that we have configured the FTP server on Solaris to display a banner.  We do this in Solaris 11 by updating /etc/proftpd.conf to add the "DisplayConnect /etc/issue" line, which is not there by default.   So on a default Solaris 11.1 system we should get a "fail" from this policy.

The OVAL for this check was generated by a tool called "Enhanced SCAP Editor (eSCAPe)", which is not included in Solaris.  It could equally well have been hand edited in your text editor of choice.  In a later blog posting I'll attempt to explain more of the OVAL language and give some more examples, including some Solaris-specific ones, but for now here is the raw XML:

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <!-- A single criterion: the definition is true only if the referenced test is true -->
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;"
                   test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <!-- textfilecontent54 test from the independent schema: matches a regex against a file's lines -->
    <ind-def:textfilecontent54_test id="oval:com.oracle.solaris11:tst:8400" version="1" check="all"
        comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <ind-def:object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </ind-def:textfilecontent54_test>
  </tests>
  <objects>
    <ind-def:textfilecontent54_object id="oval:com.oracle.solaris11:obj:8400" version="1"
        comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <ind-def:path datatype="string" operation="equals">/etc</ind-def:path>
      <ind-def:filename datatype="string" operation="equals">proftpd.conf</ind-def:filename>
      <ind-def:pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s$</ind-def:pattern>
      <!-- at least one matching line must exist for the object to be collected -->
      <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
    </ind-def:textfilecontent54_object>
  </objects>
</oval_definitions>
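To make the semantics of that textfilecontent54 object concrete, here is an added Python example (not from this post and not OpenSCAP's own code) that parses the object out of the policy and evaluates it the way the test would, against constructed stand-ins for /etc/proftpd.conf; the file contents and helper names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {  # namespaces used by the OVAL definitions document above
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}

# Constructed: only the textfilecontent54 object from the page's policy is needed here.
OVAL_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <objects>
    <ind-def:textfilecontent54_object id="oval:com.oracle.solaris11:obj:8400" version="1">
      <ind-def:path datatype="string" operation="equals">/etc</ind-def:path>
      <ind-def:filename datatype="string" operation="equals">proftpd.conf</ind-def:filename>
      <ind-def:pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s$</ind-def:pattern>
      <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
    </ind-def:textfilecontent54_object>
  </objects>
</oval_definitions>"""

# Constructed stand-ins for /etc/proftpd.conf (not the real Solaris file).
DEFAULT_CONF = 'ServerName "ProFTPD"\nServerType standalone\nPort 21\n'
HARDENED_CONF = DEFAULT_CONF + "DisplayConnect /etc/issue\n"  # directive is the last line
MIDFILE_CONF = HARDENED_CONF + "AllowOverwrite on\n"          # another directive follows it


def load_textfilecontent_object(xml_text, object_id):
    """Extract path, filename, regex and instance threshold from a textfilecontent54_object."""
    root = ET.fromstring(xml_text)
    for obj in root.iterfind("def:objects/ind:textfilecontent54_object", NS):
        if obj.get("id") == object_id:
            field = lambda tag: obj.find("ind:" + tag, NS).text
            return {"path": field("path"), "filename": field("filename"),
                    "pattern": field("pattern"), "instance": int(field("instance"))}
    raise KeyError(object_id)


def evaluate(obj, file_text):
    """Apply the pattern line by line (multiline mode, as oscap does) and compare the number
    of matching lines against the instance threshold; True means the check passes."""
    matches = re.findall(obj["pattern"], file_text, re.MULTILINE)
    return len(matches) >= obj["instance"]


def check_ftp_banner(conf_text):
    """False for DEFAULT_CONF (the stock file), True once the banner directive is present."""
    obj = load_textfilecontent_object(OVAL_XML, "oval:com.oracle.solaris11:obj:8400")
    return evaluate(obj, conf_text)
```

With the pattern exactly as the policy writes it, the directive only counts when it is followed by whitespace (a trailing space, a blank line, or the final newline of the file), which is why MIDFILE_CONF still fails; a pattern ending in \s*$ would accept the directive anywhere in the file.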

We can evaluate this policy on a given host by using OpenSCAP like this:

$ oscap oval eval ftp-banner.xml 
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

As you can see we got the expected failure of the test, but that output isn't very useful.  Let's instead generate some HTML output:

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

Now we have a report.html file which looks a bit like this:

OVAL Results Generator Information
  Schema Version: 5.8   Product Name: cpe:/a:open-scap:oscap   Product Version:   Date: 2013-01-24   Time: 14:18:55

OVAL Definition Generator Information
  Schema Version: 5.8   Product Name: Enhanced SCAP Editor   Product Version: 0.0.11   Date: 2012-10-11   Time: 10:33:25

System Information
  Host Name:                 braveheart
  Operating System:          SunOS
  Operating System Version:  11.1
  Architecture:              i86pc
  Interface Name:            net0
  IP Address:
  MAC Address:               aa:bb:cc:dd:ee:ff

OVAL System Characteristics Generator Information
  Schema Version: 5.8   Product Name: cpe:/a:open-scap:oscap   Product Version:   Date: 2013-01-24   Time: 14:18:55

Oval Definition Results
  (colour-coded result legend in the HTML, including Not Applicable and Not Evaluated)

  OVAL ID                            Result  Class       Reference ID  Title
  oval:com.oracle.solaris11:def:841  true    compliance                Enable a Warning Banner for the SSH Service
  oval:com.oracle.solaris11:def:840  false   compliance                Enable a Warning Banner for the FTP Service

As you probably noticed right away, the report doesn't match the OVAL I gave above, because the report is actually from a very slightly larger OVAL file which checks that the banner exists for both SSH and FTP.  I did this purely to cut down on the amount of raw XML above, but also so the report would show both a success and a failure case.


Comments ( 3 )
  • guest Tuesday, October 4, 2016

    Where [how] do we place the DISA-STIG files to be able to use the builtin compliance reporting tool?


  • guest Wednesday, October 5, 2016

    To add an additional benchmark that is written in XCCDF do this:

    mkdir /usr/lib/compliance/benchmarks/disa-stig

    put the xccdf file in there as xccdf.xml

    If you are using the Solaris provided OVAL checks by reference then you may need a symlink to ../tests/ in there too.

  • Ndayambaje jean damascene Wednesday, October 10, 2018