'\" te
.\" Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
.TH compliance 1M "25 Feb 2015" "SunOS 5.11" "System Administration Commands"
.SH NAME
compliance \- Administer security compliance tests
.SH SYNOPSIS
.LP
.nf
\fBcompliance list\fR [\fB-v\fR] [\fB-p\fR]
.fi
.LP
.nf
\fBcompliance list\fR \fB-b\fR [\fB-v\fR] [\fB-p\fR] [\fIbenchmark\fR ...]
.fi
.LP
.nf
\fBcompliance list\fR \fB-a\fR [\fB-v\fR] [\fIassessment\fR ...]
.fi
.LP
.nf
\fBcompliance guide\fR [\fB-p\fR \fIprofile\fR] [\fB-b\fR \fIbenchmark\fR] [\fB-o\fR \fIfile\fR]
.fi
.LP
.nf
\fBcompliance guide\fR \fB-a\fR
.fi
.LP
.nf
\fBcompliance assess\fR [\fB-p\fR \fIprofile\fR] [ \fB-b\fR \fIbenchmark\fR] [ \fB-a\fR \fIassessment\fR]
.fi
.LP
.nf
\fBcompliance report\fR [\fB-f\fR \fIformat\fR] [\fB-s\fR \fIwhat\fR] [\fB-a\fR \fIassessment\fR] [\fB-o\fR \fIfile\fR]
.fi
.LP
.nf
\fBcompliance delete\fR \fIassessment\fR
.fi
.SH DESCRIPTION
.sp
.LP
The compliance program administers security compliance policies. The command has six subcommands: \fBlist\fR, \fBguide\fR, \fBassess\fR, \fBreport\fR, \fBdelete\fR, and \fBtailor\fR.
.sp
.LP
The compliance program produces security assessments and reports using benchmarks and profiles. An assessment is an evaluation of the security configuration of a system, conducted against a benchmark. A benchmark is a programmatically-interpretable specification of acceptable ranges of the security parameters of a system. A profile selects which tests from a benchmark are to be evaluated in an assessment; a set of profiles is specified as part of the benchmark. A report is a form of the results of conducting an assessment. A tailoring specifies a profile externally to a benchmark.
.sp
.LP
The \fBlist\fR command lists information about the installed named benchmarks and the conducted assessments. By default, the benchmarks and assessments are listed one per line.
If the \fB-v\fR option is specified, additional descriptive information about each of the policies or assessments is included in the output. The \fB-b\fR option restricts the information to benchmarks, while the \fB-a\fR option restricts the information to assessments. If the \fB-p\fR option is specified, the profiles for each benchmark are listed. The \fB-a\fR option cannot be specified with either the \fB-b\fR or \fB-p\fR option. If the benchmark parameter is present, the information is restricted to the matching benchmark. If the assessment parameter is present, the information is restricted to the matching assessment.
.sp
.LP
The \fBassess\fR command tests the current system configuration against a benchmark and creates a results repository. The \fB-b\fR option can be used to specify the benchmark; if not specified the value defaults to solaris. The benchmark argument can be either an installed named benchmark or the absolute pathname of a benchmark in XCCDF (Extensible Configuration Checklist Description Format). The assessment can be limited to the named profile by the use of the \fB-p\fR option; if not specified the value defaults to the first profile, if any, defined by the benchmark. The \fB-t\fR option specifies that the assessment should be against the specified tailoring; since the benchmark and profile are implicitly specified by the tailoring, the \fB-b\fR and \fB-p\fR options cannot be used in conjunction with the \fB-t\fR option. The \fB-a\fR option can be used to specify the name of the assessment repository; if not specified the value defaults to one based on the parameters of the assessment and when it was conducted. The user must have all zone privileges and the solaris.compliance.assess authorization to conduct assessments; a user assigned the Compliance Assessor rights profile has the rights to conduct assessments.
.sp
.LP
The \fBreport\fR command provides the location of a report in the desired format for an assessment, generating the required format report if necessary. The \fB-a\fR option can be used to specify the name of the assessment repository; if not specified the value defaults to the most recently conducted assessment. If the \fB-o\fR option is not specified, the report is located in the assessment storage; a user assigned either the Compliance Reporter or Compliance Assessor rights profile has the rights to generate such reports. If the \fB-o\fR option is specified, the report is located at the \fIpathname\fR. The format of the compliance report can be selected by the \fB-f\fR option. Format options include \fBlog\fR, \fBxccdf\fR, and \fBhtml\fR. The default is \fBhtml\fR format.
.sp
.LP
For reports in the \fBhtml\fR format, the \fB-s\fR option can be used to select which result types should appear in the report. By default, all result types appear in the report except notselected or notapplicable. The \fBwhat\fR operand is a comma-separated list of result types to display in addition to the default. Individual result types can be suppressed by preceding them with a \fB-\fR, while starting the \fBwhat\fR list with an \fB=\fR specifies exactly which result types should be included. Result types are: pass, fixed, notchecked, notapplicable, notselected, informational, unknown, error, or fail.
.sp
.LP
The \fBdelete\fR command removes the results repository for the specified \fIassessment\fR, including all associated reports.
.sp
.LP
The \fBtailor\fR subcommand allows the user to create, view, edit, and manage tailorings. See \fBcompliance-tailor\fR(1M) for more details.
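.sp
.LP
Added example, not part of the original manual page and not Oracle's code: a shell model of the \fB-s\fR \fIwhat\fR rules described above, for checking which result types an html report will contain before it is handed to a reviewer. The names ALL_TYPES, DEFAULT_TYPES and resolve_result_types are hypothetical, and processing the list items left to right is an assumption.

```shell
#!/bin/sh
# Model of the documented -s operand rules (added example, hypothetical names).
# Result types in the order the manual page lists them.
ALL_TYPES="pass fixed notchecked notapplicable notselected informational unknown error fail"
# Default report content: everything except notselected and notapplicable.
DEFAULT_TYPES="pass fixed notchecked informational unknown error fail"

# Print the result types selected by a "what" operand, in ALL_TYPES order.
# Returns 1 (and prints nothing on stdout) for an unknown result type.
resolve_result_types() {
    what=$1
    case "$what" in
        =*) selected=""; what=${what#=} ;;   # "=" replaces the default set
        *)  selected=$DEFAULT_TYPES ;;       # otherwise start from the default
    esac
    old_ifs=$IFS; IFS=,
    set -- $what                             # split the operand on commas
    IFS=$old_ifs
    for item in "$@"; do
        name=${item#-}
        case " $ALL_TYPES " in
            *" $name "*) ;;
            *) echo "unknown result type: $name" >&2; return 1 ;;
        esac
        if [ "$item" != "$name" ]; then
            # A leading "-" suppresses the type.
            next=""
            for t in $selected; do
                [ "$t" = "$name" ] || next="$next $t"
            done
            selected=$next
        else
            # A bare name adds the type if it is not already selected.
            case " $selected " in
                *" $name "*) ;;
                *) selected="$selected $name" ;;
            esac
        fi
    done
    out=""
    for t in $ALL_TYPES; do
        case " $selected " in
            *" $t "*) out="${out:+$out }$t" ;;
        esac
    done
    echo "$out"
}
```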
.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.mk
.na
\fB\fB0\fR\fR
.ad
.RS 6n
.rt
Successful completion
.RE
.sp
.ne 2
.mk
.na
\fB\fB1\fR\fR
.ad
.RS 6n
.rt
Usage error
.RE
.sp
.ne 2
.mk
.na
\fB\fB2\fR\fR
.ad
.RS 6n
.rt
The \fBassess\fR command may return this value indicating success of the command but noncompliance of the assessed system.
.RE
.sp
.ne 2
.mk
.na
\fB\fB>2\fR\fR
.ad
.RS 6n
.rt
Program failure
.RE
.SH BENCHMARKS
.sp
.LP
The \fBcompliance\fR command is delivered with a vendor-defined benchmark named \fBsolaris\fR. The profiles of this benchmark are specified as thresholds, so that systems with more secure settings of individual configuration parameters can pass the profile. The \fBsolaris\fR benchmark includes a Baseline profile corresponding to the default security configuration settings of a freshly-installed Oracle Solaris instance, and a Recommended profile corresponding to the vendor-recommended configuration for those systems where compatibility with prior versions of Oracle Solaris is not a constraint.
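.sp
.LP
Added example, not part of the original manual page and not Oracle's code: a wrapper for scheduled assessments that keeps the EXIT STATUS values apart, so that exit value 2 (the assessment ran, the system is not compliant) is reported as a finding and is not mistaken for a failure of the tool itself. COMPLIANCE_CMD, classify_assess_status and run_assessment are hypothetical names; only the subcommands, options and exit values are taken from this page.

```shell
#!/bin/sh
# Added example with hypothetical names. COMPLIANCE_CMD can be overridden,
# for instance with a stub when the script is exercised off-system.
COMPLIANCE_CMD=${COMPLIANCE_CMD:-compliance}

# Map an exit value of "compliance assess" to the meaning in EXIT STATUS.
classify_assess_status() {
    case "$1" in
        0) echo ok ;;               # successful completion
        1) echo usage-error ;;
        2) echo non-compliant ;;    # command succeeded, system failed checks
        *) echo program-failure ;;  # any value greater than 2
    esac
}

# Usage: run_assessment PROFILE BENCHMARK ASSESSMENT
# Prints "<verdict> <html report location, or - if none>".
# Returns 0 for ok, 2 for non-compliant, 3 for usage or program errors.
run_assessment() {
    profile=$1 benchmark=$2 name=$3
    status=0
    # "|| status=$?" keeps a caller's "set -e" from aborting on exit value 2.
    "$COMPLIANCE_CMD" assess -p "$profile" -b "$benchmark" -a "$name" \
        >/dev/null 2>&1 || status=$?
    verdict=$(classify_assess_status "$status")
    report=-
    case "$verdict" in
        ok|non-compliant)
            # The results repository exists in both cases, so ask for the
            # location of its html report.
            report=$("$COMPLIANCE_CMD" report -f html -a "$name") || report=-
            ;;
    esac
    echo "$verdict $report"
    case "$verdict" in
        ok) return 0 ;;
        non-compliant) return 2 ;;
        *) return 3 ;;
    esac
}
```

On a Solaris system, `run_assessment Recommended solaris CHECK` corresponds to Example 3 below followed by a `compliance report` call.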
.SH EXAMPLES
.LP
\fBExample 1 \fRDisplaying the Installed Named Benchmarks on the System
.sp
.LP
The following example shows how to display the installed named benchmarks on the system:
.sp
.in +2
.nf
% \fBcompliance list -bv\fR
cis.v1.0        CIS Solaris 11 Security Benchmark, v1.0.0
pci.v2.0        Payment Card Industry Data Security Standard, v2.0
solaris         Solaris Security Policy
.fi
.in -2
.sp
.LP
\fBExample 2 \fRDisplaying the Profiles for the Solaris Benchmark
.sp
.LP
The following example shows how to display the profiles for the solaris benchmark:
.sp
.in +2
.nf
% \fBcompliance list -bp solaris\fR
solaris: Baseline Recommended
.fi
.in -2
.sp
.LP
\fBExample 3 \fRAssessing the System by Using the Recommended Profile for the Solaris Benchmark
.sp
.LP
The following example shows how to take an assessment of the system by using the Recommended profile for the Solaris benchmark, and store the results in the \fBCHECK\fR repository:
.sp
.in +2
.nf
% \fBcompliance assess -p Recommended -b solaris -a CHECK\fR
.fi
.in -2
.sp
.LP
\fBExample 4 \fRGenerating a Report Which Includes the Items of the \fBnotselected\fR Result Type
.sp
.LP
The following example shows how to generate a report which includes the items of the \fBnotselected\fR result type, but suppress the \fBinformational\fR result type:
.sp
.in +2
.nf
% \fBcompliance report -s notselected,-informational -a CHECK\fR
/var/share/compliance/assessments/CHECK/report.-informational,notselected.html
.fi
.in -2
.sp
.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/usr/lib/compliance\fR\fR
.ad
.sp .6
.RS 4n
Directory of compliance programs, data, and test benchmarks.
.RE
.sp
.ne 2
.mk
.na
\fB\fB/usr/lib/compliance/benchmarks\fR\fR
.ad
.sp .6
.RS 4n
Directory of packaged compliance benchmarks.
.RE
.sp
.ne 2
.mk
.na
\fB\fB/var/share/compliance\fR\fR
.ad
.sp .6
.RS 4n
Directory of compliance assessment and reports.
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
.TS
tab(@) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i)
.
ATTRIBUTE TYPE@ATTRIBUTE VALUE
_
Availability@T{
security/compliance
security/compliance/benchmark/solaris-policy
T}
_
Interface Stability@Committed
.TE
.SH SEE ALSO
.sp
.LP
\fBattributes\fR(5), \fBcompliance-tailor\fR(1M)
.sp
.LP
Solaris Security Guidelines
.SH NOTES
.sp
.LP
The \fBcompliance\fR command is executed against only the current operating system image. If other zones or domains need to be verified, separate invocations of \fBcompliance\fR should be made.
.sp
.LP
Users may use the following command to determine which version of the \fBsolaris\fR benchmark is being used for assessments:
.sp
.in +2
.nf
% \fBpkg info solaris-policy\fR
.fi
.in -2
.sp