STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Solaris 11 X86 Security Technical Implementation Guide

Version: V3R5
Release Date: Feb 19, 2026
SCAP Benchmark ID: Solaris_11_X86_STIG
Total Checks: 216
Tags: other
Severity breakdown: CAT I (HIGH): 14, CAT II (MEDIUM): 152, CAT III (LOW): 50

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (216)

  • V-216011 (MEDIUM) The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.
  • V-216014 (MEDIUM) The operating system must provide the capability to automatically process audit records for events of interest based upon selectable event criteria.
  • V-216015 (MEDIUM) The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.
  • V-216016 (MEDIUM) The operating system must generate audit records for the selected list of auditable events as defined in the DoD list of events.
  • V-216018 (MEDIUM) Audit records must include what type of events occurred.
  • V-216019 (MEDIUM) Audit records must include when (date and time) the events occurred.
  • V-216020 (MEDIUM) Audit records must include where the events occurred.
  • V-216021 (MEDIUM) Audit records must include the sources of the events that occurred.
  • V-216022 (MEDIUM) Audit records must include the outcome (success or failure) of the events that occurred.
  • V-216023 (MEDIUM) The audit system must be configured to audit file deletions.
  • V-216024 (MEDIUM) The audit system must be configured to audit account creation.
  • V-216025 (MEDIUM) The audit system must be configured to audit account modification.
  • V-216026 (MEDIUM) The operating system must automatically audit account disabling actions.
  • V-216027 (MEDIUM) The operating system must automatically audit account termination.
  • V-216028 (MEDIUM) The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
  • V-216029 (MEDIUM) The audit system must be configured to audit all administrative, privileged, and security actions.
  • V-216030 (LOW) The audit system must be configured to audit login, logout, and session initiation.
  • V-216033 (LOW) The audit system must be configured to audit failed attempts to access files and programs.
  • V-216034 (LOW) The operating system must protect against an individual falsely denying having performed a particular action. In order to do so, the system must be configured to send audit records to a remote audit server.
  • V-216035 (LOW) The auditing system must not define a different auditing level for specific users.
  • V-216038 (HIGH) The operating system must alert designated organizational officials in the event of an audit processing failure.
  • V-216041 (MEDIUM) The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
  • V-216042 (MEDIUM) The operating system must protect audit information from unauthorized access.
  • V-216045 (MEDIUM) The system packages must be up to date with the most recent vendor updates and security fixes.
  • V-216047 (MEDIUM) The operating system must protect audit tools from unauthorized access.
  • V-216048 (MEDIUM) The operating system must protect audit tools from unauthorized modification.
  • V-216049 (MEDIUM) The operating system must protect audit tools from unauthorized deletion.
  • V-216050 (MEDIUM) System packages must be configured with the vendor-provided files, permissions, and ownerships.
  • V-216051 (LOW) The finger daemon package must not be installed.
  • V-216052 (MEDIUM) The legacy remote network access utilities daemons must not be installed.
  • V-216053 (HIGH) The NIS package must not be installed.
  • V-216054 (LOW) The pidgin IM client package must not be installed.
  • V-216055 (HIGH) The FTP daemon must not be installed unless required.
  • V-216056 (HIGH) The TFTP service daemon must not be installed unless required.
  • V-216057 (HIGH) The telnet service daemon must not be installed unless required.
  • V-216058 (LOW) The UUCP service daemon must not be installed unless required.
  • V-216059 (MEDIUM) The rpcbind service must be configured for local-only services unless organizationally defined.
  • V-216060 (MEDIUM) The VNC server package must not be installed unless required.
  • V-216062 (MEDIUM) The operating system must be configured to provide essential capabilities.
  • V-216064 (MEDIUM) All run control scripts must have mode 0755 or less permissive.
  • V-216065 (MEDIUM) All run control scripts must have no extended ACLs.
  • V-216066 (MEDIUM) Run control scripts' executable search paths must contain only authorized paths.
  • V-216067 (MEDIUM) Run control scripts' library search paths must contain only authorized paths.
  • V-216068 (MEDIUM) Run control scripts' lists of preloaded libraries must contain only authorized paths.
  • V-216069 (MEDIUM) Run control scripts must not execute world-writable programs or scripts.
  • V-216070 (MEDIUM) All system start-up files must be owned by root.
  • V-216071 (MEDIUM) All system start-up files must be group-owned by root, sys, or bin.
  • V-216072 (MEDIUM) System start-up files must only execute programs owned by a privileged UID or an application.
  • V-216073 (MEDIUM) Any X Windows host must write .Xauthority files.
  • V-216074 (MEDIUM) All .Xauthority files must have mode 0600 or less permissive.
  • V-216075 (MEDIUM) The .Xauthority files must not have extended ACLs.
  • V-216076 (HIGH) X displays must not be exported to the world.
  • V-216077 (MEDIUM) .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
  • V-216078 (MEDIUM) The .Xauthority utility must only permit access to authorized hosts.
  • V-216079 (MEDIUM) X Window System connections that are not required must be disabled.
  • V-216080 (MEDIUM) The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode.
  • V-216081 (LOW) Generic Security Services (GSS) must be disabled.
  • V-216082 (LOW) System services that are not required must be disabled.
  • V-216083 (MEDIUM) TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.
  • V-216086 (MEDIUM) User passwords must be changed at least every 60 days.
  • V-216087 (LOW) The operating system must automatically terminate temporary accounts within 72 hours.
  • V-216088 (MEDIUM) The operating system must enforce minimum password lifetime restrictions.
  • V-216089 (MEDIUM) User passwords must be at least 15 characters in length.
  • V-216091 (MEDIUM) The system must require at least eight characters be changed between the old and new passwords during a password change.
  • V-216092 (MEDIUM) The system must require passwords to contain at least one uppercase alphabetic character.
  • V-216093 (MEDIUM) The operating system must enforce password complexity requiring that at least one lowercase character is used.
  • V-216094 (MEDIUM) The system must require passwords to contain at least one numeric character.
  • V-216095 (MEDIUM) The system must require passwords to contain at least one special character.
  • V-216096 (LOW) The system must require passwords to contain no more than three consecutive repeating characters.
  • V-216097 (MEDIUM) The system must not have accounts configured with blank or null passwords.
  • V-216098 (MEDIUM) Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
  • V-216099 (MEDIUM) The system must disable accounts after three consecutive unsuccessful login attempts.
  • V-216100 (MEDIUM) The delay between login prompts following a failed login attempt must be at least 4 seconds.
  • V-216101 (MEDIUM) The system must require users to re-authenticate to unlock a graphical desktop environment.
  • V-216102 (MEDIUM) Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.
  • V-216103 (MEDIUM) The system must prevent the use of dictionary words for passwords.
  • V-216105 (MEDIUM) The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
  • V-216106 (MEDIUM) The default umask for system and users must be 077.
  • V-216107 (LOW) The default umask for FTP users must be 077.
  • V-216108 (LOW) The value mesg n must be configured as the default setting for all users.
  • V-216109 (MEDIUM) User accounts must be locked after 35 days of inactivity.
  • V-216112 (MEDIUM) Login services for serial ports must be disabled.
  • V-216113 (MEDIUM) The nobody access for the RPC encryption key storage service must be disabled.
  • V-216114 (MEDIUM) X11 forwarding for SSH must be disabled.
  • V-216115 (LOW) Consecutive login attempts for SSH must be limited to 3.
  • V-216116 (MEDIUM) The rhosts-based authentication for SSH must be disabled.
  • V-216117 (MEDIUM) Direct root account login must not be permitted for SSH access.
  • V-216118 (HIGH) Login must not be permitted with empty/null passwords for SSH.
  • V-216119 (LOW) The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.
  • V-216120 (MEDIUM) Host-based authentication for login-based services must be disabled.
  • V-216121 (MEDIUM) The use of FTP must be restricted.
  • V-216122 (HIGH) The system must not allow autologin capabilities from the GNOME desktop.
  • V-216123 (MEDIUM) Unauthorized use of the at or cron capabilities must not be permitted.
  • V-216124 (MEDIUM) Logins to the root account must be restricted to the system console only.
  • V-216125 (LOW) The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
  • V-216126 (MEDIUM) The operating system must provide the capability for users to directly initiate session lock mechanisms.
  • V-216127 (MEDIUM) The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
  • V-216128 (HIGH) The operating system must not allow logins for users with blank passwords.
  • V-216129 (MEDIUM) The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
  • V-216130 (LOW) The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.
  • V-216131 (LOW) The system must disable directed broadcast packet forwarding.
  • V-216132 (LOW) The system must not respond to ICMP timestamp requests.
  • V-216133 (LOW) The system must not respond to ICMP broadcast timestamp requests.
  • V-216134 (LOW) The system must not respond to ICMP broadcast netmask requests.
  • V-216135 (MEDIUM) The system must not respond to broadcast ICMP echo requests.
  • V-216136 (LOW) The system must not respond to multicast echo requests.
  • V-216137 (LOW) The system must ignore ICMP redirect messages.
  • V-216138 (MEDIUM) The system must set strict multihoming.
  • V-216139 (LOW) The system must disable ICMP redirect messages.
  • V-216140 (LOW) The system must disable TCP reverse IP source routing.
  • V-216141 (MEDIUM) The system must set the maximum number of half-open TCP connections to 4096.
  • V-216142 (LOW) The system must set the maximum number of incoming connections to 1024.
  • V-216143 (MEDIUM) The system must disable network routing unless required.
  • V-216144 (LOW) The system must implement TCP Wrappers.
  • V-216150 (MEDIUM) The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
  • V-216157 (LOW) The system must prevent local applications from generating source-routed packets.
  • V-216158 (LOW) The operating system must display the DOD-approved system use notification message or banner before granting access to the system for general system logons.
  • V-216159 (LOW) The operating system must display the DOD-approved system use notification message or banner for SSH connections.
  • V-216160 (LOW) The GNOME service must display the DOD-approved system use notification message or banner before granting access to the system.
  • V-216161 (LOW) The FTP service must display the DOD-approved system use notification message or banner before granting access to the system.
  • V-216162 (MEDIUM) The operating system must terminate all sessions and network connections when nonlocal maintenance is completed.
  • V-216163 (MEDIUM) The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.
  • V-216164 (MEDIUM) Wireless network adapters must be disabled.
  • V-216165 (MEDIUM) The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.
  • V-216173 (MEDIUM) The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
  • V-216174 (MEDIUM) The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
  • V-216176 (LOW) The operating system must protect the confidentiality and integrity of information at rest.
  • V-216178 (LOW) The operating system must use cryptographic mechanisms to protect the integrity of audit information.
  • V-216180 (MEDIUM) The sticky bit must be set on all world-writable directories.
  • V-216181 (MEDIUM) Permissions on user home directories must be 750 or less permissive.
  • V-216182 (MEDIUM) Permissions on user . (hidden) files must be 750 or less permissive.
  • V-216183 (MEDIUM) Permissions on user .netrc files must be 750 or less permissive.
  • V-216184 (HIGH) There must be no user .rhosts files.
  • V-216185 (MEDIUM) Groups assigned to users must exist in the /etc/group file.
  • V-216186 (LOW) Users must have a valid home directory assignment.
  • V-216187 (LOW) All user accounts must be configured to use a home directory that exists.
  • V-216188 (MEDIUM) All home directories must be owned by the respective user assigned to it in /etc/passwd.
  • V-216189 (MEDIUM) Duplicate User IDs (UIDs) must not exist for users within the organization.
  • V-216190 (MEDIUM) Duplicate UIDs must not exist for multiple non-organizational users.
  • V-216191 (MEDIUM) Duplicate Group IDs (GIDs) must not exist for multiple groups.
  • V-216192 (MEDIUM) Reserved UIDs 0-99 must only be used by system accounts.
  • V-216193 (MEDIUM) Duplicate user names must not exist.
  • V-216194 (MEDIUM) Duplicate group names must not exist.
  • V-216195 (MEDIUM) User .netrc files must not exist.
  • V-216196 (MEDIUM) The system must not allow users to configure .forward files.
  • V-216197 (MEDIUM) World-writable files must not exist.
  • V-216198 (LOW) All valid SUID/SGID files must be documented.
  • V-216199 (MEDIUM) The operating system must have no unowned files.
  • V-216200 (LOW) The operating system must have no files with extended attributes.
  • V-216201 (MEDIUM) The root account must be the only account with a GID of 0.
  • V-216202 (LOW) The operating system must reveal error messages only to authorized personnel.
  • V-216204 (MEDIUM) The operator must document all file system objects that have non-standard access control list settings.
  • V-216205 (HIGH) The operating system must be a supported release.
  • V-216206 (MEDIUM) The system must implement non-executable program stacks.
  • V-216207 (LOW) Address Space Layout Randomization (ASLR) must be enabled.
  • V-216208 (MEDIUM) Process core dumps must be disabled unless needed.
  • V-216209 (MEDIUM) The system must be configured to store any process core dumps in a specific, centralized directory.
  • V-216210 (MEDIUM) The centralized process core dump data directory must be owned by root.
  • V-216211 (MEDIUM) The centralized process core dump data directory must be group-owned by root, bin, or sys.
  • V-216212 (MEDIUM) The centralized process core dump data directory must have mode 0700 or less permissive.
  • V-216213 (MEDIUM) Kernel core dumps must be disabled unless needed.
  • V-216214 (MEDIUM) The kernel core dump data directory must be owned by root.
  • V-216215 (MEDIUM) The kernel core dump data directory must be group-owned by root.
  • V-216216 (MEDIUM) The kernel core dump data directory must have mode 0700 or less permissive.
  • V-216217 (LOW) System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others. (Intel)
  • V-216218 (LOW) The system must require authentication before allowing modification of the boot devices or menus. Secure the GRUB menu (Intel).
  • V-216219 (MEDIUM) The operating system must implement transaction recovery for transaction-based systems.
  • V-216220 (HIGH) SNMP default community strings and passphrases must be changed from vendor defaults.
  • V-216221 (MEDIUM) A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.
  • V-216223 (MEDIUM) Direct logins must not be permitted to shared, default, application, or utility accounts.
  • V-216224 (LOW) The system must not have any unnecessary accounts.
  • V-216225 (MEDIUM) The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
  • V-216226 (MEDIUM) The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
  • V-216227 (MEDIUM) The operating system must conduct backups of operating system documentation, including security-related documentation, per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
  • V-216228 (MEDIUM) The operating system must prevent the execution of prohibited mobile code.
  • V-216229 (MEDIUM) The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates.
  • V-216231 (MEDIUM) The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
  • V-216233 (MEDIUM) The operating system must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
  • V-216234 (LOW) All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files.
  • V-216237 (MEDIUM) The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
  • V-216238 (LOW) The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions.
  • V-216239 (LOW) The limitpriv zone option must be set to the vendor default or less permissive.
  • V-216240 (MEDIUM) The system's physical devices must not be assigned to non-global zones.
  • V-216241 (LOW) The audit system must identify in which zone an event occurred.
  • V-216242 (LOW) The audit system must maintain a central audit trail for all zones.
  • V-216243 (MEDIUM) The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
  • V-219988 (MEDIUM) The audit system must support an audit reduction capability.
  • V-219989 (MEDIUM) The audit system records must be able to be used by a report generation capability.
  • V-219990 (MEDIUM) The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance.
  • V-219991 (MEDIUM) The audit system must be configured to audit all discretionary access control permission modifications.
  • V-219992 (MEDIUM) The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
  • V-219993 (MEDIUM) The audit system must alert the SA when the audit storage volume approaches its capacity.
  • V-219994 (HIGH) The audit system must alert the System Administrator (SA) if there is any type of audit failure.
  • V-219995 (MEDIUM) The operating system must allocate audit record storage capacity.
  • V-219996 (HIGH) The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
  • V-219997 (MEDIUM) The system must verify that package updates are digitally signed.
  • V-219998 (MEDIUM) The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.
  • V-219999 (MEDIUM) The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.
  • V-220000 (MEDIUM) The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
  • V-220001 (MEDIUM) The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.
  • V-220003 (MEDIUM) The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
  • V-220004 (MEDIUM) The operating system must protect the integrity of transmitted information.
  • V-220005 (MEDIUM) The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
  • V-220006 (MEDIUM) The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
  • V-220007 (MEDIUM) The operating system must protect the confidentiality of transmitted information.
  • V-220008 (MEDIUM) The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
  • V-220009 (MEDIUM) The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
  • V-220010 (LOW) The operating system must employ cryptographic mechanisms to protect information in storage.
  • V-220011 (LOW) The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
  • V-220012 (MEDIUM) The operating system must protect the integrity of transmitted information.
  • V-220013 (MEDIUM) The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
  • V-220014 (MEDIUM) The operating system must synchronize internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
  • V-220015 (MEDIUM) The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
  • V-224672 (MEDIUM) The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
  • V-224673 (MEDIUM) The operating system must identify potentially security-relevant error conditions.
  • V-233301 (MEDIUM) The sshd server must bind the X11 forwarding server to the loopback address.
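Several of the checks above (V-216114 through V-216120 and V-233301) are satisfied by single directives in the sshd configuration, and the usual way to miss them is a directive that is commented out, absent, or overridden by an earlier duplicate. The POSIX sh checker below is an added example, not STIGhub's or DISA's code, and it evaluates a file the way sshd does: first occurrence of a directive wins, commented lines are ignored. The directive names and expected values it encodes are an assumption drawn from the check titles, since this page shows titles only; confirm each pair against the STIG's own check text before treating the result as a finding. It runs here against a constructed sample file; on a Solaris 11 host point it at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from STIGhub or DISA): a POSIX sh checker for the
# SSH-related items in the Solaris 11 X86 STIG list, run against an
# sshd_config file.
# ASSUMPTION: the directive/value pairs below are what each listed title
# implies; the page shows only titles, so confirm each against the STIG's
# own check text before relying on this.

# Effective value of one sshd_config directive. sshd takes the first
# occurrence, so stop at the first match. Commented lines never match
# because the directive name is compared against the whole first field.
sshd_get() {
    # $1 = path to sshd_config, $2 = directive name (case-insensitive)
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Compare each directive with its expected value. Prints one PASS/FAIL line
# per item and returns the number of failures (0 = all items pass).
stig_ssh_check() {
    cfg="$1"
    fails=0
    for item in \
        "V-216114:X11Forwarding:no" \
        "V-216115:MaxAuthTries:3" \
        "V-216116:IgnoreRhosts:yes" \
        "V-216117:PermitRootLogin:no" \
        "V-216118:PermitEmptyPasswords:no" \
        "V-216119:ClientAliveInterval:600" \
        "V-216120:HostbasedAuthentication:no" \
        "V-233301:X11UseLocalhost:yes"
    do
        id=${item%%:*}
        rest=${item#*:}
        key=${rest%%:*}
        want=${rest#*:}
        got=$(sshd_get "$cfg" "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$got" = "$want" ]; then
            printf 'PASS %s %s=%s\n' "$id" "$key" "$got"
        else
            # An unset directive is a FAIL: the STIG wants the value set
            # explicitly rather than relying on the compiled-in default.
            printf 'FAIL %s %s=%s (expected %s)\n' \
                "$id" "$key" "${got:-(unset)}" "$want"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample sshd_config (not from a real host). It deliberately
# has a commented-out X11Forwarding line, a duplicate PermitRootLogin where
# the first (non-compliant) value is the effective one, and no
# ClientAliveInterval at all, so two of the eight items fail.
SAMPLE_CFG=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample
Protocol 2
#X11Forwarding yes
X11Forwarding no
MaxAuthTries 3
IgnoreRhosts yes
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
HostbasedAuthentication no
X11UseLocalhost yes
EOF

# On a real Solaris 11 host pass /etc/ssh/sshd_config instead of the sample.
stig_ssh_check "$SAMPLE_CFG" || echo "$? item(s) not compliant"
```

The duplicate PermitRootLogin case is the one a grep-based check gets wrong: `grep PermitRootLogin` shows a compliant "no" line and the reviewer moves on, while sshd is still honouring the earlier "yes". Where the installed OpenSSH supports it, comparing against `sshd -T` output on the live host removes that class of mistake entirely.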