The compliance program produces security assessments and reports. Essentially an evaluation of the security configuration of a system, conducted against a benchmark.
No more having a list of things you have to check and having to follow some doc to implement the settings. The compliance command makes things easy peasy.
If you don't find the compliance command, install pkg:/security/compliance.
First off, list the assessments available.
# compliance list -p
Benchmarks:
pci-dss: Solaris_PCI-DSS
solaris: Baseline, Recommended
Assessments:
No assessments available
I recommend running the solaris Recommended check (if you hold cardholder data on the system, you'll need to run the pci-dss check instead).
compliance assess -b solaris -p Recommended
compliance report -a solaris.Recommended.2016-09-05,15:33
This outputs an HTML file that I usually mail to myself. If you rock a GUI, just view the HTML file in a browser.
Tadaaa! You now have a document that not only tells you what needs to be done - but also how to do it. And when everything in your report is green - now you have a report to forward onto the relevant people.
---
Some of you will end up with reports with some red in them because there are settings you don't want to, or can't, change. For example, on the SuperCluster you're going to need NFS to access your storage. Luckily, compliance gives you the ability to customise its assessments.
First list the rules we want to exclude:
Service svc:/network/nfs/status is disabled or not installed (OSC-40010)
Service svc:/network/nfs/nlockmgr is disabled or not installed (OSC-38510)
Service svc:/network/nfs/server is disabled or not installed (OSC-39510)
Service svc:/network/nfs/rquota is disabled or not installed (OSC-39010)
Service svc:/network/nfs/cbd is disabled or not installed (OSC-37010)
Service svc:/network/nfs/mapid is disabled or not installed (OSC-38010)
ssh(1) is the only service binding a listener to non-loopback addresses (OSC-73505)
Next we create a custom assessment:
compliance tailor -t MySecurityPolicy 'set benchmark=solaris; set profile=Recommended; exclude OSC-40010; exclude OSC-38510; exclude OSC-39510; exclude OSC-39010; exclude OSC-37010; exclude OSC-38010; exclude OSC-73505; export'
You can, of course, use "include" if you need to.
compliance assess -t MySecurityPolicy
compliance report -a yadayadayada
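The tailoring above works, but a long quoted string of "exclude" clauses is easy to mistype and says nothing about why each rule is being dropped. The script below is an added example, not part of the original post: it keeps the exclusions in a small text file with a justification per rule, generates the tailoring string from that file (refusing malformed rule ids), runs tailor, assess and report, and prints the exceptions register alongside the report so whoever receives it sees why the remaining red lines are red. The exceptions-file layout is my own convention; the tailoring keywords and the tailor/assess/report subcommands are the ones shown in this post; naming the assessment with "compliance assess -a NAME" is assumed from the compliance(8) man page rather than taken from the post. The sample exceptions file is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: build a compliance(8) tailoring
# from a documented exceptions file and run the assessment with it.
# Assumptions: the exceptions-file layout is my own convention; the tailoring
# keywords (set benchmark, set profile, exclude, export) and the tailor/assess/
# report subcommands are the ones shown in the post; "compliance assess -a NAME"
# naming the assessment is assumed from the compliance(8) man page.

# Write a constructed sample exceptions file: rule id, whitespace, justification.
# Lines starting with '#' and blank lines are ignored.
make_sample_exceptions() {
    cat > "$1" <<'EOF'
# rule-id   why this rule is excluded on this host
OSC-40010   NFS status daemon is needed for SuperCluster storage
OSC-38510   NFS lock manager is needed for SuperCluster storage
OSC-39510   NFS server is needed for SuperCluster storage
OSC-73505   NFS listeners bind to non-loopback addresses by design
EOF
}

# Turn the exceptions file into the command string that "compliance tailor"
# expects. Returns 1 on a malformed rule id or a missing justification, so a
# typo cannot silently exclude nothing (or the wrong rule).
build_tailoring() {
    bench=$1; prof=$2; file=$3
    out="set benchmark=$bench; set profile=$prof"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line                      # $1 = rule id, rest = justification
        case $1 in
            OSC-[0-9]*) ;;
            *) echo "bad rule id in $file: $1" >&2; return 1 ;;
        esac
        [ -n "$2" ] || { echo "no justification for $1 in $file" >&2; return 1; }
        out="$out; exclude $1"
    done < "$file"
    printf '%s; export' "$out"
}

# Print the exceptions register that goes out with the report, so reviewers
# see why each excluded rule was excluded rather than just a shorter checklist.
print_register() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        id=$1; shift
        printf '%-10s %s\n' "$id" "$*"
    done < "$file"
}

# Run the whole flow. Stops at the first failing step instead of reporting on
# a half-done assessment.
run_assessment() {
    tname=$1; bench=$2; prof=$3; file=$4
    if ! command -v compliance >/dev/null 2>&1; then
        echo "compliance not found; install pkg:/security/compliance" >&2
        return 1
    fi
    spec=$(build_tailoring "$bench" "$prof" "$file") || return 1
    compliance tailor -t "$tname" "$spec" || return 1
    # Name the assessment ourselves (assumed -a option) so the report step does
    # not depend on reading the date/time-stamped default name back out.
    aname="$tname.$(date +%Y-%m-%d)"
    compliance assess -t "$tname" -a "$aname" || return 1
    compliance report -a "$aname" || return 1
    echo "--- exceptions register for $aname ---"
    print_register "$file"
}

# Usage: sh tailor.sh run [exceptions-file]
case ${1:-} in
    run) run_assessment MySecurityPolicy solaris Recommended "${2:-exceptions.txt}" ;;
esac
```

Keeping the exclusions in a file that is reviewed alongside the report is the point: a rule that is excluded without a written reason looks exactly like a passing check once the report is green, and the register makes that distinction visible to the people the report is forwarded to.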
And that's it, folks. I went a step further and wrote a script to output the commands I need to implement the hardening, but I'm tired of writing this post. It's getting too long, so here it ends.