Systems should be kept up to date to ensure that the latest security and operational updates are installed. You can run 'pkg update -n' to check the current state of the system against the configured repositories.

Package signature checking should be globally activated.

Oracle Solaris tags many of its userland binaries to enable Address Space Layout Randomization (ASLR). ASLR randomizes the starting address of key parts of an address space. This security defense mechanism can cause Return Oriented Programming (ROP) attacks to fail when they try to exploit software vulnerabilities. See the sxadm(1M) man page.
Zones inherit this randomized layout for their processes. Because the use of ASLR might not be optimal for all binaries, the use of ASLR is configurable at the zone level and at the binary level.

Files that the Service Management Facility (SMF) creates should be created with 644 file permissions.

ZFS is the default filesystem for Oracle Solaris. On most systems other filesystem types should not be mounted. See the zfs(7FS) man page.

The sticky bit on a directory prevents files in a world-writable directory from being deleted or moved by anyone except the owner of the file, or root. This is useful in directories that are common to many users, such as the /tmp directory.

World-writable files are unprotected files. Modification and removal of a file should be limited to the owner of the file.

Oracle Solaris implements extended attributes as files in an "extended attribute" name space visible only by using extended attribute aware commands. It is possible for attackers or malicious users to hide information in the extended attribute name space. Oracle Solaris currently does not ship any files with extended attributes. See the runat(1) and fsattr(5) man pages.

By default, Oracle Solaris forwards broadcast packets. To reduce the possibility of broadcast flooding, change the default. Note that you are also disabling broadcast pings.

To prevent DOS attacks from spoofed packets, ensure that source-routed packets are not forwarded. The default is not to forward them.

The default value prevents packets from bypassing network security measures. Source-routed packets allow the source of the packet to suggest a path different from the path configured on the router. Note - This parameter might be set to 1 for diagnostic purposes. After diagnosis is complete, return the value to 0.

To prevent the dissemination of information about the network topology, disable these responses if they are currently enabled.

To prevent the dissemination of information about the network topology, disable these responses if they are currently enabled.

The default value removes additional CPU demands on systems and prevents the dissemination of information about the network.

Ensure that the TCP initial sequence number generation parameter complies with RFC 6528 (http://www.ietf.org/rfc/rfc6528.txt).

The coreadm service manages the core files that are produced by processes that terminate abnormally. See the core(4) and coreadm(1M) man pages.

The cron service manages the cron(1M) command, which runs processes that execute commands at specified dates and times. See the at(1), crontab(1), and cron(1M) man pages.

The cryptosvc service manages the use of cryptographic mechanisms from the Cryptographic Framework feature of Oracle Solaris. See the cryptoadm(1M) man page.

The dbus service manages the D-Bus message bus daemon. Programs use the message bus daemon to exchange messages with one another. For example, the Hardware Abstraction Layer (HAL) uses dbus. See the dbus-daemon(1) and hal(5) man pages.

The autofs service manages the mount points for the automount(1M) daemon.

The Hardware Abstraction Layer (HAL) service manages dynamic hardware configuration changes. See the hal(5) man page. This service only runs in the global zone.

The identity:domain service instance manages system identity. See the domainname(1M) man page.

The interrupt balancer (intrd) service monitors the assignments between interrupts and CPUs to ensure optimal performance. See the intrd(1M) man page. This service only runs in the global zone.

The keymap service manages the default configuration of the keyboard. See the kbd(1) man page. This service only runs in the global zone.

The name-service/cache service manages the caching of name service information. See the nscd(1M) man page.

The name-service/switch service manages the databases that contain information about hosts, users, and groups. See the nsswitch.conf(4) man page.

The Oracle Configuration Manager (ocm) service collects configuration information and uploads it to the Oracle repository. See the configCCR(1M) man page.

The platform information and control (picl) service manages the publishing of platform configuration information that can respond to client requests for information about the configuration. See the picld(1M) and prtcpicl(1M) man pages. This service only runs in the global zone.

The system/power service manages the power management configuration of an Oracle Solaris system. See the poweradm(1M) man page. This service only runs in the global zone.

The system/scheduler service manages the process scheduler. See the dispadmin(1M) man page. This service only runs in the global zone.

The system-log service reads and forwards system messages to the appropriate log files or users. See the syslogd(1M) and rsyslogd(1M) man pages.

The utmp service manages a table of processes, detects when a process has terminated, and updates the table. See the utmpd(1M) man page.

The zones service manages the autoboot and graceful shutdown of zones. See the zones(5) and zonecfg(1M) man pages. This service only runs in the global zone.

The zones-install service manages the auto-installation of zones.

The inetd service manages the restarting of inet services. See the inetd(1M) man page.

The rpc/bind service manages the conversion of RPC program numbers to universal addresses. See the rpcbind(1M) man page.

The sendmail-client service manages email on a client. The sendmail-client service needs to be running to ensure delivery of mail to local accounts such as root. See the sendmail(1M) man page.

Check that sendmail listens in local_only mode. This is also called listens on loopback. See the sendmail(1M) and svccfg(1M) man pages

The ssh service manages the Secure Shell (ssh) daemon, which provides secure encrypted communications between two untrusted hosts over an insecure network. By default, ssh is the only network service that can send and receive network packets on a newly-installed Oracle Solaris system. See the sshd(1M) man page.

The service tag OS registry inserter (stosreg) service manages the service tag registry. See the stclient(1M) man page. This service only runs in the global zone.

By default, NIS client software is not installed. NIS is an RPC-based naming service that does not conform to current security requirements, so can be less secure than the LDAP naming service. See the nis(5) and ypbind(1M) man pages.

By default, NIS server software is not installed. NIS is an RPC-based naming service that does not conform to current security requirements, that can be less secure than the LDAP naming service. See the nis(5) and ypserv(1M) man pages.

By default, legacy services such as the r-protocols, rlogin(1) and rsh(1), are not installed. Their services, however, are defined in /etc/pam.d. See the pam.d(4) man page.

By default, the dhcp-server service is not installed. If you are not using this system as a DHCP server, you should not install or enable the service.

Multicast DNS (mDNS) implements DNS in a small network where no conventional DNS server has been installed. DNS Service Discovery (DNS-SD) extends multicast DNS to also provide simple service discovery (network browsing). This service is disabled by default, because while it can ease finding hosts and servers, it can also provide information about the network to malicious users. See the named(1M) and mdnsd(1M) man pages.

This legacy service enables users to display information about local and remote users. By default, this service is not installed as part of solaris-small-server. It is however installed as part of solaris-large-server. This service is almost never needed and either should be removed or at least, disabled. See the fingerd(1M) and finger(1) man pages.

The FTP service provides unencrypted file transfer service and uses plain text authentication. The secure copy program (scp(1)) program should be used instead of FTP as it provides encrypted authentication and file transfer.

This program provides Apache web server services by using the Apache hypertext transfer protocol (http). See the httpd(8) man page.

This legacy service enables users to log in remotely. By default, this service is not installed as part of solaris-small-server. See the rlogind(1M) and rlogin(1) man pages.

This service enables users to log in remotely with Kerberos authentication. By default, this service is not installed. See the rlogind(1M) and rlogin(1) man pages.

This service enables users to log in remotely with Kerberos authentication over an encrypted line. By default, this service is not installed. See the rlogind(1M) and rlogin(1) man pages.

This service manages communication endpoints for the NFS Version 4 protocol. The nfs4cbd(1M) daemon runs on the NFS Version 4 client and creates a listener port for callbacks.

The NFS client service is needed only if the system is mounting files from an NFS server. If the system is not mounting files, the service can be disabled or its package unistalled. See the mount_nfs(1M) man page.

The NFS lock manager supports record locking operations on NFS files in NFSv2 and NFSv3. See the lockd(1M) and sharectl(1M) man pages.

The remote quota server returns quotas for a user of a local file system which is mounted over NFS. The results are used by quota(1M) to display user quotas for remote file systems. The rquotad(1M) daemon is normally invoked by inetd(1M).

The NFS server service handles client file system requests over NFS versions 2, 3, and 4. If this system is not an NFS server, this service should be disabled. See the nfsd(1M) man page.

The NFS status monitor service interacts with lockd(1M) to provide the crash and recovery functions for the locking services on NFS.

This legacy service process listens for reports of incoming mail and notifies interested users. By default, this service is not installed as part of solaris-small-server. See the comsat(1M) man page.

This legacy service responds to DARPA reverse address resolution protocol (RARP) requests. Historically, RARP was used by machines at boot time to discover their Internet Protocol (IP) address. By default, this service is not installed. See the rarpd(1M) and rarp(7P) man pages.

This legacy service provides remote execution facilities with authentication based on user names and passwords. See the in.rexecd(1M) and rexec(3C) man pages.

This legacy service provides common server functionality for the Service Location Protocol (SLP) versions 1 and 2, as defined by IETF in RFC 2165 and RFC 2608. SLP discovers and selects network services. By default, this service is not enabled. See the slpd(1M), slp.conf(4), and slp(7P) man pages.

This legacy program is used to locate the service tag listener. For more information, see the in.stdiscover(1M) man page.

This legacy program is used to listen for discovery probes. See the in.stlisten(1M) man page.

This legacy program enables two-way, screen-oriented communication. For more information, see the talk(1) and mesg(1) man pages.

This legacy service supports the DARPA standard TELNET virtual terminal protocol to connect to a remote system over the TELNET port. By default, this service is not installed. See the telnetd(1M) and telnet(1) man pages.

This legacy service, UNIX to UNIX copy, provides a user interface for requesting file copy operations, typically used when constant connectivity is not possible. By default, this service is not installed. See the uucpd(1M) and uucp(1C) man pages.

The Kerberos administration daemon service runs on the master key distribution center (KDC), which stores the principal and policy databases. This service should not be run on a system that is not a KDC. See the kadmind(1M) man page.

The Kerberos propagation daemon runs on slave KDC servers to update the database from the master KDC. See the kpropd(1M) man page.

The Kerberos key distribution center service manages Kerberos tickets on the master and slave KDCs. See the krb5kdc(1M) man page.

The Kerberos V5 warning messages daemon on Kerberos clients can warn users when their Kerberos tickets are about to expire and can renew the tickets before they expire. By default, this service is disabled. If the system is Kerberos client, then this service should be enabled. See the ktkt_warnd(1M) man page.

The remote shell daemon provides remote execution facilities with authentication based on Kerberos V5 or privileged port numbers. The Secure Shell service, svc:/network/ssh, is the best choice for remote execution. See the rshd(1M) and sshd(1M) man pages.

The remote shell daemon provides remote execution facilities with authentication based on Kerberos V5 or privileged port numbers. The Secure Shell service, svc:/network/ssh, is the best choice for remote execution. See the rshd(1M) and sshd(1M) man pages.

This legacy service provides the server side of the Character Generator Protocol (RFC 864) for TCP. See the in.chargend(1M) man page.

This legacy service provides the server side of the Character Generator Protocol (RFC 864) for UDP. See the in.chargend(1M) man page.

This legacy service provides the server side of the Daytime Protocol (RFC 867) for TCP. See the in.daytimed(1M) man page.

This legacy service provides the server side of the Daytime Protocol (RFC 867) for UDP. See the in.daytimed(1M) man page.

This legacy service provides the server side of the Discard Protocol (RFC 863) for TCP. See the in.discardd(1M) man page.

This legacy service provides the server side of the Discard Protocol (RFC 863) for UDP. See the in.discardd(1M) man page.

This legacy service provides the server side of the Echo Protocol (RFC 862) for TCP. See the in.echod(1M) man page.

This legacy service provides the server side of the Echo Protocol (RFC 862) for UDP. See the in.echod(1M) man page.

This legacy service provides the server side of the Time Protocol (RFC 868) for TCP. See the in.timed(1M) man page.

This legacy service provides the server side of the Time Protocol (RFC 868) for UDP. See the in.timed(1M) man page.

keyserv is a daemon that is used for storing the private encryption keys of each user logged into the system. These encryption keys are used for accessing secure network services such as secure NFS. For more information, see the keyserv(1M) man page.

This legacy service uses an rpc(4) daemon to manage local copies of metadevice diskset information. By default, this service is not installed. See the rpc.metad(1M) man page.

This legacy service manages mediator information for 2-string high availability configurations. See the rpc.metamedd(1M) man page.

This legacy service uses an rpc(4) daemon to manage multi-hosted disks. By default, this service is not installed. See the rpc.metamhd(1M) man page.

This program is the Oracle Solaris RPC server for remote program execution. If this service is enabled, the daemon is started by inetd(1M) whenever a remote execution request is made. See the rpc.rexd(1M) man page.

This legacy service displays performance data from a remote system. By default, this service is not installed. See the rstatd(1M) and rstat(3RPC) man pages.

This legacy service displays information about users on a remote system. By default, this service is not installed. See the rusersd(1M) and rusers(1) man pages.

This program is a server that records the packets sent by spray(1M). See the rpc.sprayd(1M) man page.

This program broadcasts messages to all logged-in users. See the rpc.rwalld(1M) and wall(1M) man pages.

The SMB/CIFS client allows an Oracle Solaris system to natively mount file systems by means of SMB shares from SMB enabled servers such as a Windows system. See the mount_smbfs(1M) man page.

This program provides an object-oriented interface to DBUS-enabled applications. See the avahi-daemon-bridge-dsd(1) man page.

This service supports the CUPS Line Printer Daemon (LPD) for legacy client systems that use the LPD protocol. By default, this service is not installed. See the cups-lpd(8) man page.

The Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment. The net-snmp SNMP daemon processes requests from SNMP management software. See the snmpd(8) and snmp_config(5) man pages.

This program provides fonts to X Window System display servers. The server is usually run by inetd(1M). See the xfs(1) and fsadmin(1) man pages.

The banner informs users who are attempting to access the system that the system is monitored. Note that the pkg:/service/network/ftp package must be installed for ftp to work.

By default, the ssh(1) banner displays the contents of the /etc/issue file. See the issue(4) and sshd_config(4) man pages.

The telnetd(1M) DARPA TELNET protocol server is a legacy service that does not conform to current security requirements. By default, this service is not installed, and systems use the ssh(1M) protocol to communicate.

Remote consoles can be a source of unauthorized access. A system console should be kept physically secure and no unauthorized consoles should be defined. The "consadm -p" command displays alternate consoles across reboots. If none are defined, the command displays no output. See the consadm(1M) man page.

Serial logins can be a source of unauthorized access. Login services should not be enabled for serial ports that are not required to support the purpose of the system.

The root account should not be able to log in remotely, and its actions should be monitored. See the login(1) man page.

FTP file transfers should not be available to all users, and must require qualified users to supply their names and password. In general, system users should not be allowed to use FTP. This check verifies that system accounts are included in the /etc/ftpd/ftpusers file so that they are not allowed to use FTP. See the ftp(1) man page.

The FTP server does not necessarily use the user's system file creation mask. Setting the FTP umask ensures that files transmitted over FTP use a strong file creation umask. See the umask(1) and proftpd(8) man pages.

The timeout parameter for the xscreensaver application specifies the amount of time that the keyboard and mouse can be inactive before a password-protected screensaver appears. See the xscreensaver(1) man page.

Automatic logins are a known security risk for other than public kiosks. By default, GNOME automatic login is disallowed, so users must supply a password. Automatic and Timed login is controlled by the entries in /etc/gdm/custom.conf See the gdm(1M) man page.

rhost-based authentication in Secure Shell allows users to remotely log in without supplying a password. The IgnoreRhosts parameter specifies whether .rhosts and .shosts files can be used rather than a password. See the sshd_config(4) and hosts.equiv(4) man pages.

By default, remote root logins are not permitted because root is a role and roles cannot log in. If root has been changed to a user, the default value of the PermitRootLogin parameter in the /etc/ssh/sshd_config file prevents root from remotely logging in. See the sshd_config(4) man page.

Auditing is a service, svc:/system/auditd, that is enabled by default and should not be disabled. See the audit(1M) man page.

The hash used is determined by values of CRYPT_ALGORITHMS_ALLOW and CRYPT_DEFAULT set in /etc/security/policy.conf file. The value for SHA-256 is "5", and the value for SHA-512 is "6". To confirm properly set, the second field in the /etc/shadow file indicates the algorithm that was used to create the password hash. If the algorithm is set to SHA-256, the entry begins with "$5$" If the algorithm is set to SHA-512, the entry begins with "$6$" See the crypt.conf(4) and policy.conf(4) man pages.

MAXREPEATS in the `/etc/default/passwd file allows users to repeat characters in passwords. The default is 0, which permits repeated characters. Any other value indicates how many characters can be repeated. See the passwd(1) man page.

WHITESPACE in the /etc/default/login file indicates whether passwords can include the space character. The space character provides some protection against dictionary-based password attacks. The default is YES. See the passwd(1) man page.

MINALPHA in the /etc/default/passwd file indicates the minimum number of alphabetic characters that passwords must contain. Alphabetic characters provide more values than numeric or special characters, so allow for more variation. The default value is 2. See the passwd(1) man page.

MINDIFF in the /etc/default/passwd file indicates the minimum difference a password must have from the previous password. The default is 3. See the passwd(1) man page.

MINNONALPHA in the /etc/default/passwd file indicates the minimum number of non-alphabetic characters that a password must contain. Non-alphabetic characters provide some protection against dictionary-based password attacks. The default is 0. A value of at least 1 is recommended. See the passwd(1) man page.

DICTIONBDIR in the /etc/default/passwd file points to the /var/passwd dictionary by default. A password dictionary can strengthen users' password selection by preventing the use of common words or letter combinations. The passwd command performs dictionary lookups in the dictionary that DICTIONBDIR indicates. See the passwd(1) man page.

DISABLETIME in the /etc/default/login file is set to 20 by default. Any value greater than zero indicates the seconds before a login prompt appears after RETRIES failed login attempts. This delay can mitigate rapid-fire, brute force attacks on passwords. See the login(1) man page.

SLEEPTIME in the /etc/default/login file is set to 4 by default. This number indicates the number of seconds that elapse before the "login incorrect" message appears after an incorrect password is typed. The maximum number is 5. This delay can mitigate rapid-fire, brute force attacks on passwords. See the login(1) man page.

NAMECHECK in the /etc/default/passwd file indicates whether login names are checked in the files naming service. The default, YES, prevents malicious users from using a login name that is not in a local file. See the passwd(1) man page.

PASSREQ in the /etc/default/login file indicates whether logins require passwords. Passwords are required for defense against computer attacks. The default is YES. See the login(1) man page.

Oracle Solaris is installed with correctly configured system accounts. These accounts should not be modified.

Oracle Solaris is installed with correctly configured system accounts. These accounts should not be modified.

By default, root is a role. Roles cannot log in directly. Rather, a user logs in and then assumes the root role, thus providing an audit trail of who is operating as root. See the roles(1), user_attr(4), and usermod(1M) man pages.

The UID of 0 has superuser privileges. Only root should have those privileges.

The second field in the /etc/shadow file indicates the algorithm that was used to create the password hash. If the entry begins with "$5$", then password is hashed with SHA-256 algorithm. If the entry begins with "$6$", then password is hashed with SHA-512 algorithm. See the crypt.conf(4) and policy.conf(4) man pages.

The root PATH variable should not include the current directory (.), or any paths not related to administration.

The second field in the /etc/shadow file contains passwords. When creating roles, you can easily forget to assign a password. See the shadow(4) and passwd(1) man pages.

Users are assigned to at least one group and can be assigned to secondary groups. All groups must be defined in the /etc/group file.

Groups, like users, are unique. Duplicate group IDs must be removed.

Groups, like users, are unique. Duplicate group names must be removed.

Users are identified by IDs, which must be unique. Duplicate user IDs must be removed.

Users log in by name, which must be unique. Duplicate user names must be removed.

UMASK in the /etc/default/login file indicates the permissions on user files at creation. This value should not allow group or world write. The default value is 022, which allows group and world to read files owned by a user. See the login(1) man page.

Users need a place to store and create files. A home directory enables a user to place configuration files, such as the .profile file, and ongoing work in a directory that is owned by the user.

Users need a place to store and create files. A home directory enables a user to place configuration files, such as the .profile file, and ongoing work in a directory that is owned by the user.

The user must own the user's home directory.

.rhosts files can provide easy access to remote hosts by bypassing the password requirement. These files should be removed.

.forward files can provide easy transport of information outside the firewall or outside the user's home directory.

The .netrc file contains data for logging in to a remote host over the network for file transfers by FTP.

The .netrc file contains login credentials to remote systems for file transfers by FTP. The permissions should be set to disallow read access by group and others. See the chmod(1) man page.

Hidden files in a user's home directory should be owned by the user. Directories should allow read-write-execute (rwx) permissions to the user only. Files should allow read-write (rw) permissions to the user only.