Reviewing Security Prior to Hardening
In some cases, you may find it useful to review the security posture of deployed systems before hardening them. For example, if you assume responsibility for deployed systems that another person administered, inspect the state of the systems so that you know their posture and, if necessary, can bring them into compliance with the same security profiles used on your other systems.
Another common example is when a consultant, such as a Sun Professional Services consultant, wants to determine the security posture of a deployed system for a customer before securing the system. In this scenario, the consultant typically executes one of the Solaris Security Toolkit security profiles in audit mode to determine what changes would be made to a system without actually making the changes. Of course, if the security profile is not customized, the result is a high-water mark, and the output might contain false-positive vulnerabilities. However, consultants may find the output useful as a starting point from which to develop and implement custom security profiles for the customer's systems.