News, tips, partners, and perspectives for the Oracle Solaris operating system

Enterprise Health Checks in Oracle Solaris

Chris Beal
Senior Principal Software Engineer

I'm blogging about this now because I realise I didn't when Oracle Solaris 11.4 SRU27 came out. So it's a little bit late, but hopefully useful.

Oracle Solaris 11.1 introduced the compliance(8) tool and framework. It is designed as a security audit capability: to keep your security auditor happy, it generates reports against defined benchmarks. The two main security benchmarks are the solaris recommended security benchmark and the pci-dss one.

When 11.4 was coming out, we introduced an ehc-update (enterprise health check update) benchmark to check whether a system was able to upgrade from 11.3 to 11.4.

Since 11.4 has been out for a while now (over two years), we've removed the ehc-update benchmark, as it no longer provides any value in 11.4. We have instead launched the ehc benchmark, or "Enterprise Health Check". The idea of this is to report how compliant your system is with Oracle's best practices. This will be an ongoing set of improvements which will add more "Rules" to the ehc benchmark over time.

One of the rules replaces the whole ehc-update benchmark in a single rule. It will report if you are using software that has been marked as "Legacy", which for us means it will be removed in a future SRU.

To get this benchmark you need to install the ehc-solaris-policy package using:

# pkg install ehc-solaris-policy

It can be updated independently of the main parts of Oracle Solaris, so periodically run:

# pkg update ehc-solaris-policy@latest

That way any new rules can be run without changing the version of Solaris you're running.

To run the benchmark it's as simple as:

# compliance assess -b ehc

There are lots of options to customise (or, in compliance(8) terms, tailor) a benchmark. So if there are things you already know about and don't want to be reminded of, those rules can be removed. You can also run the benchmark against a number of different systems using a roster.
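As an added example (not from the original post), here is what tailoring the ehc benchmark looks like in an interactive compliance tailor session, then assessing with that tailoring instead of the stock benchmark. The tailoring name ehc-site is my own choice, RULE-ID-TO-EXCLUDE is a placeholder for a rule ID you have already reviewed (the ehc rule IDs are not listed here), and the subcommand names are as I recall them from the tailoring mode of compliance(8).

```console
# compliance tailor -t ehc-site
*** compliance tailor: No existing tailoring 'ehc-site', initializing
ehc-site> set benchmark=ehc
ehc-site> exclude RULE-ID-TO-EXCLUDE
ehc-site> commit
ehc-site> exit
# compliance assess -t ehc-site
```

Keep a record of why each excluded rule was accepted, since a tailoring silently hides those findings from every later assessment that uses it.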

All the reports can be retrieved via RAD/REST, and you get a nice HTML report showing the state of the system, along with the output of the rules giving corrective actions.

Here's one I prepared earlier:
