| 1.2 Install TCP Wrappers - Allow localhost. Note: Replace 172.16.100.0/255.255.255.0 with a network block in use at your organization. | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3 Configure SSH - Check if Protocol is set to 2 and not commented for client. | |
| 2.1 Disable standard services - Comment service time in /etc/inet/inetd.conf | CONFIGURATION MANAGEMENT |
| 2.2 Only enable telnet if absolutely necessary - Uncomment service telnet in /etc/inet/inetd.conf | CONFIGURATION MANAGEMENT |
| 2.3 Only enable FTP if absolutely necessary - Uncomment service ftp in /etc/inet/inetd.conf | CONFIGURATION MANAGEMENT |
| 2.4 Only enable rlogin/rsh/rcp if absolutely necessary - Uncomment service shell in /etc/inet/inetd.conf | CONFIGURATION MANAGEMENT |
| 2.5 Only enable TFTP if absolutely necessary - Uncomment service tftp in /etc/inet/inetd.conf | CONFIGURATION MANAGEMENT |
| 2.6 Only enable printer service if absolutely necessary - Uncomment service printer in /etc/inet/inetd.conf | CONFIGURATION MANAGEMENT |
| 2.7 Only enable rquotad if absolutely necessary - Uncomment service rquotad/1 in /etc/inet/inetd.conf | CONFIGURATION MANAGEMENT |
| 2.8 Only enable CDE-related daemons if absolutely necessary - Uncomment service 100083 in /etc/inet/inetd.conf | CONFIGURATION MANAGEMENT |
| 2.9 Only enable Solaris Volume Manager daemons if absolutely necessary - Uncomment service 100229 in /etc/inet/inetd.conf | CONFIGURATION MANAGEMENT |
| 2.10 Only enable removable media daemon if absolutely necessary - Uncomment service 100155 in /etc/inet/inetd.conf (Solaris 9 or later) | CONFIGURATION MANAGEMENT |
| 2.11 Only enable Kerberos-related daemons if absolutely necessary - Uncomment service 100134 in /etc/inet/inetd.conf (Solaris 8 or later) | CONFIGURATION MANAGEMENT |
| 2.12 Only enable GSS daemon if absolutely necessary - Uncomment service 100234 in /etc/inet/inetd.con (Solaris 7 or later) | CONFIGURATION MANAGEMENT |
| 3.1 Disable login: prompts on serial ports - Check if x is added to the flag field for ttyb | CONFIGURATION MANAGEMENT |
| 3.2 Set daemon umask - Check if CMASK is set to 022 in /etc/default/init (Solaris 8 or later) | ACCESS CONTROL |
| 3.3 Disable inetd if possible, Check if newinetsvc contains grep statement to count lines in inetd.conf | CONFIGURATION MANAGEMENT |
| 3.5 Disable boot services if possible - Ensure file /etc/rc3.d/S16boot.server does not exist (Solaris 9) | CONFIGURATION MANAGEMENT |
| 3.6 Disable other standard boot services - Ensure file /etc/rc2.d/S72autoinstall does not exist. | CONFIGURATION MANAGEMENT |
| 3.7 Only enable Windows-compatibility servers if absolutely necessary - Ensure file /etc/rc3.d/S90samba does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.8 Only enable NFS server processes if absolutely necessary - Ensure file /etc/rc3.d/S15nfs.server does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.9 Only enable NFS client processes if absolutely necessary - Ensure file /etc/rc2.d/S73nfs.client does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.10 Only enable automount daemon if absolutely necessary - Ensure file /etc/rc2.d/S74autofs does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.11 Only enable other RPC-based services if absolutely necessary - Ensure file /etc/rc2.d/S71rpc does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.12 Only enable Kerberos server daemons if absolutely necessary - Ensure file /etc/rc3.d/S13kdc.master does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.13 Only enable directory server if absolutely necessary - Ensure file /etc/rc2.d/S72directory does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.14 Only enable the LDAP cache manager if absolutely necessary - Ensure file /etc/rc2.d/S71ldap.client does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.15 Only enable the printer daemons if absolutely necessary - Ensure file /etc/rc2.d/S80lp does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.16 Only enable the volume manager if absolutely necessary - Ensure file /etc/rc2.d/S92volmgt does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.17 Only enable GUI login if absolutely necessary - Ensure file /etc/rc2.d/S99dtlogin does NOT exist (Solaris 2.6 or later) | CONFIGURATION MANAGEMENT |
| 3.18 Only enable Web server if absolutely necessary - Ensure file /etc/rc3.d/S50apache does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.19 Only enable SNMP if absolutely necessary - Ensure file /etc/rc3.d/S76snmpdx does NOT exist. | CONFIGURATION MANAGEMENT |
| 3.20 Only enable DHCP server if absolutely necessary - Ensure file /etc/rc3.d/S34dhcp does NOT exist. | CONFIGURATION MANAGEMENT |
| 4.1 Restrict core dumps to protected directory - Check if COREADM_GLOB_PATTERN is set to /var/core/core_%n_%f_%u_%g_%t_%p | ACCESS CONTROL |
| 4.2 Enable stack protection - Check if 'noexec_user_stack' is set to 1 in /etc/system (Solaris 2.6 or later) | SYSTEM AND INFORMATION INTEGRITY |
| 4.3 Restrict NFS client requests to privileged ports - Check if 'nfssrv:nfs_portmon' is set to 1 in /etc/system. | CONFIGURATION MANAGEMENT |
| 4.4 Network Parameter Modifications - Check if 'ip_forward_src_routed' is set to 0 in /etc/init.d/netconfig. | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.6 Use better TCP sequence numbers - Check if 'TCP_STRONG_ISS' is set to 2 in /etc/init.d/netconfig. | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1 Turn on inetd tracing, Check if 'ENABLE_CONNECTION_LOGGING' is set to YES in /etc/default/inetd. | AUDIT AND ACCOUNTABILITY |
| 5.2 Turn on additional logging for FTP daemon - | |
| 5.2 Turn on additional logging for FTP daemon - Check if '-l' & '-d' flags are set for ftpd in /etc/inet/inetd.conf. | CONFIGURATION MANAGEMENT |
| 5.2 Turn on additional logging for FTP daemon - Check if file /etc/inet/inetd.conf exists. | |
| 5.3 Capture FTP and inetd Connection Tracing Info - Check if 'daemon.debug' is set to /var/log/connlog | |
| 5.4 Capture messages sent to syslog AUTH facility - Check if 'auth.info' is set to /var/log/authlog | |
| 5.5 Create /var/adm/loginlog - Check if /var/adm/loginlog permissions are OK. | |
| 5.6 Turn on cron logging - Check if 'CRONLOG' is set to YES in /etc/default/cron. | AUDIT AND ACCOUNTABILITY |
| 5.7 Enable system accounting - Check if system accounting '/usr/bin/su' is configured correctly. | AUDIT AND ACCOUNTABILITY |
| 5.8 Enable kernel-level auditing | AUDIT AND ACCOUNTABILITY |
| 5.9 Confirm permissions on system log files, should pass if /var/log/syslog permissions are OK. | |
| 6.1 Add 'logging' option to root file system - Check if 'logging' is set for root file system. | |
