News, tips, partners, and perspectives for the Oracle Solaris operating system

Security Compliance Reporting for Oracle Solaris 11

Darren Moffat
Senior Software Architect

During the Oracle Solaris 11 launch (November 2011) one of the questions I was asked from the audience was from a retail customer asking for documentation on how to configure Oracle Solaris to pass a PCI-DSS audit.  At that time we didn't have anything beyond saying that Oracle Solaris was secure by default and it was no longer necessary to run the Solaris Security Toolkit to get there.  Since then we have produced a PCI-DSS white paper with Coalfire (a PCI-DSS QSA) and we have invested a significant amount of work in building a new Compliance Framework and making compliance a "lifestyle" feature in Solaris core development. We delievered OpenSCAP in Oracle Solaris 11.1 since SCAP is the foundation language of how we will provide compliance reporting. In Oracle Solaris 11.2 we added a new command compliance(1M) for running system assesments against security/compliance benchmarks and for generating html reports from those.  A lot of work went into generating the content as well as the framework, and we have been continuously updating and adding the check rules.

When we introduced the compliance framework in Oracle Solaris 11.2 there was no easy way to customise (tailor) the policies to suit individual machine or site deployment needs. While it was certainly possible for users familiar with the XCCDF/OVAL policy language it wasn't easy to do in away that preserved your customisations while still allowing access to new and policy rules when the system was updated. To address this a new subcommand for compliance(1M) was added in Oracle Solaris 11.3 that allows proides for this customisation.  The initial release of tailoring in Oracle Solaris 11.3 allows the enabling and disabling of individual checks, later we added variable level customisation.

There is more functionality for compliance planned for future update releases, but for now here is a reminder of how easy it is to get started with compliance reporting:

# pkg install security/compliance 
# compliance assess
# compliance report

That will give us an html report that we can then view.  Since we didn't give any compliance benchmark name it defaults to 'Solaris Baseline', so now lets install and run the PCI-DSS benchmark. The 'security/compliance' package has a group dependency for 'security/compliance/benchmark/pci-dss' so it will be installed already but if you don't want it you can remove that benchmark and keep the others and the infrastructure.

# compliance assess -b pci-dss
Assessment will be named 'pci-dss.Solaris_PCI-DSS.2014-04-14,16:39'
# compliance report -a pci-dss.Solaris_PCI-DSS.2014-04-14,16:39

That will give you the path to an HTML report file that you can view in your browser. The full report has a summary section, over all score at the top, for example:

This is followed by the details of each of the checks and their pass/fail status:

The report is interactive and we can filter it to show only the failing results but we can also do that when we generate the report from the CLI like this:

# compliance report -s fail -a pci-dss.Solaris_PCI-DSS.2014-04-14,16:39

Now lets say we want to turn off some of those checks that are failing because they are not relevant to our deployment. The simplest way of using 'compliance tailor' is use the interactive pick tool:

# compliance tailor -t mysite
*** compliance tailor: No existing tailoring 'mysite', initializing
tailoring:mysite> pick

The above shows the interactive mode where using 'x' or 'space' allows us to enable or disable an individual test.  Note also that since the Oracle Solaris 11.2 release all the tests have been renumbered and now have unique rule identifiers that are stable across releases.  The same rule number always refers to the same test in all of the security benchmark policy files delivered with the operating system.

When exiting from the interactive pick mode just type 'commit' to write this out to a locally installed tailoring; that will create an XCCDF tailoring file under /var/share/compliance/tailorings.  The XML tailoring files should not be copied across update releases, instead use the export functionality.

The 'export' action for the tailoring subcommand that allows you to save off your customisations for importing into a different system, this works similarly to zonecfg(1M) export.

$ compliance tailor -t mysite export | tee /tmp/mysite.out
set tailoring=mysite
# version=2015-06-29T14:16:34.000+00:00
set benchmark=solaris
set profile=Baseline
# OSC-16005: All local filesystems are ZFS
exclude OSC-16005
# OSC-15000: Find and list files with extended attributes
include OSC-15000
# OSC-35000: /etc/motd and /etc/issue contain appropriate policy text
include OSC-35000

The saved command file can then be used for input redirection to create the same tailoring on another system.  You should assume that over time new checks will be added so you will want to periodically, and certainly at update release boundaries, review the list of included and excluded checks.

To run an assessment of the system using a tailoring we simply need to do this:

# compliance assess -t mysite
Assessment will be named 'mysite.2015-06-29,15:22'
Title   Package integrity is verified
Rule    OSC-54005
Result  PASS

We have more exciting functionality planned for the future. When Oracle Solaris 11.4 beta is available I'll be describing some of the new compliance features we have been working on including remote assesment, and graphing historical assesments in the new Web Dashboard.

Join the discussion

Comments ( 1 )
  • Yasin TARAKCI Saturday, December 2, 2017
    Great information. I'm waiting for more ...

Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.