When we introduced the compliance framework in Solaris 11.2 there was no easy way to customise (tailor) the policies to suit individual machine or site deployment needs. While it was certainly possible for users familiar with the XCCDF/OVAL policy language, it wasn't easy to do in a way that preserved your customisations while still allowing access to new policy rules when the system was updated.
To address this, a new subcommand for compliance(1M) has been added that allows creation of a tailoring. The initial release of tailoring in Solaris 11.3 allows the enabling and disabling of individual checks, and the team is already working on enhancing it to support variables in a future release.
The default and simplest way of using 'compliance tailor' is to use the interactive pick tool:
# compliance tailor -t mysite
*** compliance tailor: No existing tailoring 'mysite', initializing
The above shows the interactive mode, where pressing 'x' or 'space' enables or disables an individual test. Note also that since the Solaris 11.2 release all the tests have been renumbered and now have unique rule identifiers that are stable across releases of Solaris. The same rule number always refers to the same test in all of the security benchmark policy files delivered with Solaris.
When exiting from the interactive pick mode, just type 'commit' to write this out as a locally installed tailoring; that creates an XCCDF tailoring file under /var/share/compliance/tailorings. Those tailoring files should not be copied from release to release.
There is also an 'export' action for the tailoring subcommand that allows you to save off your customisations for importing into a different system; this works similarly to zonecfg(1M) export.
$ compliance tailor -t mysite export | tee /tmp/mysite.out
# OSC-16005: All local filesystems are ZFS
# OSC-15000: Find and list files with extended attributes
# OSC-35000: /etc/motd and /etc/issue contain appropriate policy text
The saved command file can then be used for input redirection to create the same tailoring on another system.
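Because a tailoring is exactly the list of checks a site has switched off, it is worth reviewing an exported command file before it is fed into another system. The following is an added example, not code from the post or from Solaris: it parses a constructed export in the shape shown above and reports the disabled rules, and which rules a newer tailoring disables that an older one did not. The '# OSC-nnnnn: description' comment lines match the post's output; the 'set' lines and the 'include'/'exclude' lines naming a rule id are an assumption about the rest of the export grammar, so adjust the regexes to what your export actually emits.

```python
import re
from typing import Dict, NamedTuple

# Constructed sample in the shape of 'compliance tailor -t mysite export' output.
# The '# OSC-nnnnn: description' comments are as on the page; the 'set' and
# 'include'/'exclude' lines are an ASSUMPTION about the export grammar.
SAMPLE_EXPORT = """\
set tailoring=mysite
set benchmark=solaris
set profile=Baseline
# OSC-16005: All local filesystems are ZFS
exclude OSC-16005
# OSC-15000: Find and list files with extended attributes
exclude OSC-15000
# OSC-35000: /etc/motd and /etc/issue contain appropriate policy text
exclude OSC-35000
"""

class Rule(NamedTuple):
    description: str
    enabled: bool

RULE_COMMENT = re.compile(r"^#\s*(OSC-\d+):\s*(.*)$")
RULE_ACTION = re.compile(r"^(include|exclude)\s+(OSC-\d+)\s*$")

def parse_export(text: str) -> Dict[str, Rule]:
    """Map each rule id to its description and whether the tailoring keeps it enabled."""
    rules: Dict[str, Rule] = {}
    descriptions: Dict[str, str] = {}   # description comments seen so far, by rule id
    for line in text.splitlines():
        m = RULE_COMMENT.match(line)
        if m:
            descriptions[m.group(1)] = m.group(2).strip()
            continue
        m = RULE_ACTION.match(line)
        if m:
            action, rule_id = m.groups()
            rules[rule_id] = Rule(descriptions.get(rule_id, ""), action == "include")
    return rules

def disabled_rules(text: str) -> Dict[str, str]:
    """Rule ids the tailoring switches off, with descriptions: the list a reviewer signs off on."""
    return {rid: r.description for rid, r in parse_export(text).items() if not r.enabled}

def newly_disabled(old_text: str, new_text: str) -> Dict[str, str]:
    """Checks disabled in new_text that old_text still had enabled (or did not mention)."""
    before = disabled_rules(old_text)
    return {rid: d for rid, d in disabled_rules(new_text).items() if rid not in before}

if __name__ == "__main__":
    for rid, desc in sorted(disabled_rules(SAMPLE_EXPORT).items()):
        print(f"disabled {rid}: {desc}")
```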
To run an assessment of the system using a tailoring we simply need to do this:
# compliance assess -t mysite
Assessment will be named 'mysite.2015-06-29,15:22'
Title Package integrity is verified