'\" te
.\" Copyright (c) 2015, 2021, Oracle and/or its affiliates.
.TH compliance-tailor 8 "11 May 2021" "Oracle Solaris 11.4" "System Administration Commands"
.SH NAME
compliance-tailor \- Administer compliance tailorings
.SH SYNOPSIS
.LP
.nf
compliance tailor [-t \fItailoring\fR]
.fi
.LP
.nf
compliance tailor [-t \fItailoring\fR] \fIsubcommand\fR
.fi
.LP
.nf
compliance tailor [-t \fItailoring\fR] -f \fIcommand_file\fR
.fi
.LP
.nf
compliance tailor help
.fi
.SH DESCRIPTION
.sp
.LP
The \fBcompliance tailor\fR utility creates, modifies, and lists tailorings. The creation and modification functions are only available to authorized users and require that the process is executed with elevated privilege. Otherwise it runs in read-only mode.
.sp
.LP
A tailoring adjusts the set of rules from a benchmark applied when assessing against the tailoring.
.sp
.LP
The following synopsis of the compliance tailor command is for interactive usage:
.sp
.in +2
.nf
\fBcompliance tailor\fR \fB-t\fR \fItailoring subcommand\fR
.fi
.in -2
.sp
.sp
.LP
Parameters changed through \fBcompliance tailor\fR do not affect a running assessment.
.SS "Tailorings"
.sp
.LP
A benchmark is composed of profiles, groups, rules, and values. A rule defines specific checks to be made during an assessment. A value specifies a parameter which a rule can use in making a check. A group can contain rules, values, or other groups. A profile selects which of the rules or groups of rules are to be included or excluded in an assessment and/or the selection of values. A tailoring provides a means of expressing a new profile for a benchmark without altering the benchmark.
.sp
.LP
The user must have all zone privileges and the \fBsolaris.compliance.assess\fR authorization to update the tailoring store. A user assigned the Compliance Assessor rights profile has the rights to create, modify, and delete tailorings.
.SS "Properties"
.sp
.LP
A tailoring has several properties.
The supported properties are: \fBtailoring\fR, \fBbenchmark\fR, \fBprofile\fR.
.sp
.LP
As for the property values that are paired with these names, they are simple strings terminated by white-space.
.sp
.LP
The \fBtailoring\fR property is the name of the tailoring. The \fBbenchmark\fR property identifies which benchmark the rules are from. The \fBprofile\fR property, if set, identifies which profile defined in the benchmark the tailoring profile is to be based on, expressing inclusion or exclusion of a few rules for which it differs from the base profile. Otherwise, the tailoring profile must have its own specification for inclusion or exclusion of all of the rules of the benchmark.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.mk
.na
\fB\fB-f\fR \fIcommand_file\fR\fR
.ad
.RS 19n
.rt
Specify the name of a tailoring command file. The \fIcommand_file\fR is a text file of tailoring subcommands, one per line. If the script does not cause the command invocation to terminate due to a \fBdelete\fR or \fBexit\fR subcommand, the command will default to interactive operation at the end of the script.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-t\fR \fItailoring\fR\fR
.ad
.RS 19n
.rt
Specify the name of a tailoring. Tailoring names are case sensitive. Tailoring names can contain alphanumeric characters, the underscore (_), the hyphen (-), and the dot (.). Installed tailoring names also contain a single slash (/).
.RE
.SH SUB-COMMANDS
.sp
.LP
\fBcompliance tailor\fR supports a semicolon-separated list of subcommands.
.sp
.LP
Subcommands which can result in destructive actions or loss of work have an \fB-F\fR option to force the action. If the input is from a terminal device, the user is prompted when appropriate, if such a command is given without the \fB-F\fR option. If the input is not from a terminal device and such a command is given without the \fB-F\fR option, the action is disallowed, with a diagnostic message written to standard error.
.sp
.LP
The following subcommands are supported:
.sp
.ne 2
.mk
.na
\fB\fBclear\fR [\fB-F\fR] \fIproperty-name\fR\fR
.ad
.br
.sp .6
.RS 4n
Clear the value for the property.
.RE
.sp
.ne 2
.mk
.na
\fB\fBcommit\fR\fR
.ad
.br
.sp .6
.RS 4n
Commit the current tailoring from memory to stable storage. The tailoring must be committed to be used by \fBcompliance\fR assess. The \fBcommit\fR operation is attempted automatically upon completion of a \fBcompliance tailor\fR session.
.RE
.sp
.ne 2
.mk
.na
\fB\fBdelete\fR [\fB-F\fR]\fR
.ad
.br
.sp .6
.RS 4n
Delete the specified tailoring from memory and stable storage. This action is instantaneous, no commit is necessary.
.sp
Specify the \fB-F\fR option to force the action.
.RE
.sp
.ne 2
.mk
.na
\fB\fBexclude\fR [\fB-a\fR] \fIitem\fR\fR
.ad
.br
.sp .6
.RS 4n
Exclude the specified \fIitem\fR from being checked in assessments. Use the \fB-a\fR option to exclude all rules defined by the benchmark.
.RE
.sp
.ne 2
.mk
.na
\fB\fBexit\fR [\fB-F\fR]\fR
.ad
.br
.sp .6
.RS 4n
Exit the \fBcompliance tailor\fR session. A commit is automatically attempted if needed. The \fB-F\fR option can be used to bypass any commit. You can also use an EOF character to exit \fBcompliance tailor\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBexport\fR [\fB-x\fR] [\fB-o\fR \fIoutput-file\fR]\fR
.ad
.br
.sp .6
.RS 4n
Print the current tailoring to standard output. Use the \fB-o\fR option to direct the output to \fIoutput-file\fR. This subcommand by default produces output in a form suitable for use with the \fBcompliance tailor\fR \fB-f\fR option.
.sp
The \fB-x\fR option selects an xml format suitable for installation. This option provides only the content for an installed tailoring.
For instance, a tailoring \fItname\fR on the benchmark \fIbname\fR should be installed in the file \fB/usr/lib/compliance/benchmarks/\fIbname\fR/tailorings/\fItname\fR.xccdf.xml\fR, but the creation of a suitable \fBpkg\fR manifest and publication of the package are not directly supported by \fBcompliance tailor\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBhelp\fR [\fIsubcommand\fR]\fR
.ad
.br
.sp .6
.RS 4n
Print general help or help about given topic.
.RE
.sp
.ne 2
.mk
.na
\fB\fBinclude\fR \fIitem\fR\fR
.ad
.br
.sp .6
.RS 4n
Include the specified \fIitem\fR among the rules to be checked in assessments.
.RE
.sp
.ne 2
.mk
.na
\fB\fBinfo\fR\fR
.ad
.br
.sp .6
.RS 4n
Display information about the tailoring.
.RE
.sp
.ne 2
.mk
.na
\fB\fBlist\fR\fR
.ad
.br
.sp .6
.RS 4n
List the names of committed and installed tailorings. These names are valid as the parameter value of the \fB-t\fR option for both \fBcompliance\fR assess and \fBcompliance tailor\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBload\fR [\fB-F\fR] \fItailoring\fR\fR
.ad
.br
.sp .6
.RS 4n
Load the specified tailoring into memory from stable storage. If there is an uncommitted tailoring in memory, confirmation is sought before it is discarded.
.sp
Specify the \fB-F\fR option to force the action.
.RE
.sp
.ne 2
.mk
.na
\fB\fBpick\fR [\fB-p\fR]\fR
.ad
.br
.sp .6
.RS 4n
Present a picking screen. By default, this is the group, rule, and value pick screen. If the \fB-p\fR option is given or the benchmark property is not yet set, the property pick screen described below will be presented.
.sp
On the group, rule, and value pick screen, each group or rule item is displayed as a line of text, including the item identifier and title. An exclusion is represented by the letter ’x’ appearing to the left of the item. A rule is checked in an assessment if it has no exclusion. A ’>’ character in reverse at the far left highlights rules to be checked.
.sp
On the group, rule, and value pick screen, a value item is displayed as two lines of text, the first containing the item identifier and title, and the second the value selections. A ’+’ character on the left marks the effective selection. The rightmost selection may be an entry selection (indicated by underlines). Selection of the entry selection results in a prompt for user entry of the parameter. If the entered text is within the range of the value, it is made the value selection.
.sp
The cursor on the pick screen indicates which item is active. The pick screen is manipulated through the command keys.
.sp
.sp
.ne 2
.mk
.na
\fB\fBESC\fR or \fBq\fR\fR
.ad
.RS 20n
.rt
Terminate the pick screen, return to interactive subcommands
.RE
.sp
.ne 2
.mk
.na
\fB\fBH\fR\fR
.ad
.RS 20n
.rt
Display help information
.RE
.sp
.ne 2
.mk
.na
\fB\fBDOWN-ARROW\fR or \fBj\fR\fR
.ad
.RS 20n
.rt
Move the cursor down to the next item
.RE
.sp
.ne 2
.mk
.na
\fB\fBUP-ARROW\fR or \fBk\fR\fR
.ad
.RS 20n
.rt
Move the cursor up to the previous item
.RE
.sp
.ne 2
.mk
.na
\fB\fBLEFT-ARROW\fR or \fBh\fR\fR
.ad
.RS 20n
.rt
Move the cursor left to the previous selection
.RE
.sp
.ne 2
.mk
.na
\fB\fBRIGHT-ARROW\fR or \fBl\fR\fR
.ad
.RS 20n
.rt
Move the cursor right to the next selection
.RE
.sp
.ne 2
.mk
.na
\fB\fBSPACE\fR or \fBx\fR\fR
.ad
.RS 20n
.rt
Pick the active item or toggle between include and exclude
.RE
.sp
.ne 2
.mk
.na
\fB\fB+\fR\fR
.ad
.RS 20n
.rt
Include the active item or make the selection effective
.RE
.sp
.ne 2
.mk
.na
\fB\fB-\fR\fR
.ad
.RS 20n
.rt
Exclude the active item
.RE
.sp
.ne 2
.mk
.na
\fB\fBf\fR\fR
.ad
.RS 20n
.rt
Page forward
.RE
.sp
.ne 2
.mk
.na
\fB\fBb\fR\fR
.ad
.RS 20n
.rt
Page backward
.RE
.sp
.ne 2
.mk
.na
\fB\fB/\fR\fR
.ad
.RS 20n
.rt
Search forward for an item identifier or title
.RE
.sp
.ne 2
.mk
.na
\fB\fB?\fR\fR
.ad
.RS 20n
.rt
Search backward for an item identifier or title
.RE
The property pick screen presents all valid combinations of benchmark and profile
on which a tailoring can be made on the system. One of these combinations can be selected through this screen, using the same command keys from the table above.
.RE
.sp
.ne 2
.mk
.na
\fB\fBset\fR [\fB-F\fR] \fIproperty-name\fR=\fIproperty-value\fR\fR
.ad
.br
.sp .6
.RS 4n
Set a given property name to the given value.
.sp
Since the list of rules and the default selection of those rules is dependent on the \fBbenchmark\fR and \fBprofile\fR properties, all exclusions and inclusions are reset whenever either of those properties is set.
.sp
The \fBtailoring\fR property cannot be set to that of an installed tailoring.
.RE
.sp
.ne 2
.mk
.na
\fB\fBvalue\fR \fIidentifier\fR=\fIvalue\fR\fR
.ad
.br
.sp .6
.RS 4n
Make a selection of the value with the specified \fIidentifier\fR.
.sp
The value must be in the range of the identifier.
.RE
.sp
.ne 2
.mk
.na
\fB\fBvalues\fR [\fB-v\fR]\fR
.ad
.br
.sp .6
.RS 4n
Display the values associated with the underlying benchmark, and the tailoring’s selection for each.
.sp
If the \fB-v\fR option is specified, the range of each value is also printed.
.RE
.SH EXAMPLES
.LP
\fBExample 1\fR Creating a New Tailoring
.sp
.LP
In the following example, \fBcompliance tailor\fR creates a new tailoring. The new tailoring, twomore, is based on the solaris Baseline profile, and enables two of the Recommended profile tests.
.sp
.in +2
.nf
example# \fBcompliance tailor -t twomore\fR
tailoring: No existing tailoring: ’twomore’, initializing
tailoring:twomore> \fBset benchmark=solaris\fR
tailoring:twomore> \fBset profile=Baseline\fR
tailoring:twomore> \fBinclude OSC-47501\fR
tailoring:twomore> \fBinclude OSC-49501\fR
tailoring:twomore> \fBexport\fR
set tailoring=twomore
# version=2014-11-29T04:16:39.000+00:00
set benchmark=solaris
set profile=Baseline
# Passwords require at least one digit
include OSC-47501
# Passwords require at least one uppercase character
include OSC-49501
tailoring:mytailor> \fBexit\fR
.fi
.in -2
.sp
.LP
\fBExample 2\fR Deriving a New Tailoring from an Existing Tailoring
.sp
.LP
In the following example, \fBcompliance tailor\fR creates a new tailoring. The new tailoring, twominusone, is derived from the existing tailoring twomore.
.sp
.in +2
.nf
example# \fBcompliance tailor -t twomore\fR
tailoring:twomore> \fBset tailoring=twominusone\fR
tailoring:twominusone> \fBexclude OSC-45000\fR
tailoring:twominusone> \fBexport\fR
set tailoring=twominusone
# version=2014-11-29T04:48:32.000+00:00
set benchmark=solaris
set profile=Baseline
# Passwords allow repeat characters
exclude OSC-45000
# Passwords require at least one digit
include OSC-47501
# Passwords require at least one uppercase character
include OSC-49501
tailoring:mytailor> \fBexit\fR
.fi
.in -2
.sp
.LP
\fBExample 3\fR Changing the Name of a Tailoring
.sp
.LP
The following example shows how to change the name of an existing tailoring.
.sp
.in +2
.nf
example# \fBcompliance tailor -t mytailoring\fR
tailoring:mytailoring> \fBset tailoring=mytailoring2\fR
tailoring:mytailoring2> \fBcommit\fR
tailoring:mytailoring2> \fBset tailoring=mytailoring\fR
tailoring:mytailoring> \fBdelete\fR
.fi
.in -2
.sp
.LP
\fBExample 4\fR Creating a Tailoring to Run a Single Rule
.sp
.LP
The following example shows how to create a tailoring to evaluate a single rule.
.sp
.in +2
.nf
example# \fBcompliance tailor -t root-role\fR
tailoring:root-role> \fBset benchmark=solaris\fR
tailoring:root-role> \fBexclude -a\fR
tailoring:root-role> \fBinclude OSC-59000\fR
set benchmark=solaris
exclude -a
# root is a role
include OSC-59000
tailoring:root-role> \fBexit\fR
example# \fBcompliance assess -t root-role\fR
Assessment will be named ’root-role.2014-11-28,22:40’
Title root is a role
Rule OSC-59000
Result pass
.fi
.in -2
.sp
.LP
\fBExample 5\fR Listing Committed and Installed Tailorings
.sp
.LP
The following example shows how to list the committed and installed tailorings on the system.
.sp
.in +2
.nf
example# \fBcompliance tailor list\fR
mytailoring2
root-role
twominusone
twomore
pci-dss/webserver
solaris/nfs-client
solaris/nfs-server
.fi
.in -2
.sp
.LP
\fBExample 6\fR Listing and Adjusting Values
.sp
.LP
The following example shows how to list the values in the benchmark and change a parameter.
.sp
.in +2
.nf
example# \fBcompliance tailor -t demo\fR
tailoring:demo> \fBvalues\fR
OSCV-37500 (NFS client service): disabled
OSCV-46000 (Minimum password length): 14
OSCV-47000 (Minimum password character difference): 3
OSCV-48000 (Minimum password lower-case characters): 0
OSCV-49000 (Minimum password special): 0
tailoring:demo> \fBvalue OSC-46000=12\fR
.fi
.in -2
.sp
.sp
.LP
The corresponding value entry on the pick screen would appear:
.sp
.in +2
.nf
> _ OSC-46000 Passwords must be at least 14 characters long
Value OSCV-46000 Minimum password length
_ 6 _ 8 + 14 _ ___
6 <= _value_ <= 255? 12
.fi
.in -2
.sp
.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.mk
.na
\fB\fB0\fR\fR
.ad
.RS 5n
.rt
Successful completion.
.RE
.sp
.ne 2
.mk
.na
\fB\fB1\fR\fR
.ad
.RS 5n
.rt
An error occurred.
.RE
.sp
.ne 2
.mk
.na
\fB\fB2\fR\fR
.ad
.RS 5n
.rt
Invalid usage.
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(7) for descriptions of the following attributes:
.sp
.TS
tab(@) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i) .
ATTRIBUTE TYPE@ATTRIBUTE VALUE
_
Availability@security/compliance
_
Interface Stability@Committed
.TE
.sp
.SH SEE ALSO
.sp
.LP
\fBcompliance\fR(8)
.SH NOTES
.sp
.LP
All character data used by \fBcompliance tailor\fR must be in US-ASCII encoding.
.sp
.LP
For tailorings based on existing profiles, the export form represents the differences between the base profile and the tailored profile. If there is no base profile (no profile property is set), the export form commences with an "\fBexclude -a\fR" subcommand so that the remainder of the export file is an affirmative list of the rules to be checked in an assessment; if the objective of the tailoring is to run only a few tests, this can simplify verification of the tailoring.
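
The following Python review helper is an added example, not part of the Oracle manual page or of the compliance tool. It parses a tailoring command file in the export form described above and reports which rules the tailoring includes or excludes, applying the documented rule that setting benchmark or profile resets earlier selections. It assumes that '#' begins a comment, as in the export output shown in the examples; the name review_tailoring and the sample file are constructed.

```python
import re

# -t naming rule from the page; installed names also contain a single '/'.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)?")
PROPERTIES = ("tailoring", "benchmark", "profile")

def review_tailoring(text):
    """Summarise a tailoring command file (export form) for change review."""
    props, items, values, findings, exclude_all = {}, {}, {}, [], False
    if not text.isascii():
        findings.append("character data is not US-ASCII")
    for raw in text.splitlines():
        # Assumption: '#' starts a comment, as in the export output shown.
        for cmd in raw.split("#", 1)[0].split(";"):
            words = cmd.split()
            if not words:
                continue
            verb, args = words[0], [w for w in words[1:] if w != "-F"]
            if verb == "set" and args and "=" in args[0]:
                name, val = args[0].split("=", 1)
                if name not in PROPERTIES:
                    findings.append(f"unsupported property: {name}")
                    continue
                if name == "tailoring" and not NAME_RE.fullmatch(val):
                    findings.append(f"invalid tailoring name: {val}")
                if name != "tailoring":
                    # Setting benchmark or profile resets all selections.
                    if items or exclude_all:
                        findings.append(f"set {name} discards earlier selections")
                    items, exclude_all = {}, False
                props[name] = val
            elif verb == "exclude" and args == ["-a"]:
                items, exclude_all = {}, True
            elif verb in ("include", "exclude") and len(args) == 1:
                items[args[0]] = verb  # the last selection for an item wins
            elif verb == "value" and args and "=" in args[0]:
                ident, val = args[0].split("=", 1)
                values[ident] = val
            elif verb not in ("commit", "exit"):
                findings.append(f"not modelled: {cmd.strip()}")
    picked = lambda kind: sorted(i for i, v in items.items() if v == kind)
    return {"props": props, "exclude_all": exclude_all, "values": values,
            "included": picked("include"), "excluded": picked("exclude"),
            "findings": findings}

# Constructed sample in the export form of Example 2, plus a value selection.
SAMPLE = ("set tailoring=twominusone\nset benchmark=solaris\nset profile=Baseline\n"
          "# Passwords allow repeat characters\nexclude OSC-45000\n"
          "include OSC-47501; include OSC-49501\nvalue OSCV-46000=12\n")
```

Running review_tailoring on a proposed command file before it is passed to compliance tailor -f gives a reviewer the list of rules the tailoring switches off and flags any selections that a later set benchmark or set profile would silently discard.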