Consider the following list of guidelines when you develop a security policy for your site.
Update your Oracle Solaris systems to the latest SRU in a timely manner.
Perform package verification and compliance checks regularly.
Perform file verification regularly.
Minimize the number of administration IDs.
Eliminate third-party setuid and setgid programs. Use rights profiles and roles to execute programs and to prevent misuse.
Encrypt sensitive data on disk and archive media to avoid breaches if hardware or media is lost or stolen.
Encrypt network traffic with Kerberos, TLS, or IPsec.
See Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3 and Securing the Network in Oracle Solaris 11.3.
Isolate appropriate services or applications in different zones or virtual machines.
Protect encryption keys and certificates against exposure or loss.
See Managing Encryption and Certificates in Oracle Solaris 11.3.
Restrict access to shared file systems and network servers to known hosts, users, or network groups that require access.
See Managing Secure Shell Access in Oracle Solaris 11.3 and Managing Network File Systems in Oracle Solaris 11.3.
Assign privileges to programs only when they need the privileges to do their work, and only when the programs have been scrutinized and proven to be trustworthy in their use of privilege. Review the privileges on existing Oracle Solaris programs as a guide to setting privileges on new programs.
If possible, assign at least two individuals to administer Oracle Solaris systems. Assign one person security-related responsibilities, such as assigning passwords and clearances. Assign the other person the System Administrator rights profile for system management tasks.
Restrict operating manuals and administrator documentation to individuals with a valid need for access to that information.
Document file system damage, and analyze all affected files for potential security policy violations.
Report and document unusual or unexpected behavior of any Oracle Solaris software, and determine the cause.
Review and analyze audit information regularly. Investigate any irregular events to determine the cause of the event.
Manually record system reboots, power failures, and shutdowns in a site log.
Establish a regular backup routine.
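The guideline above on eliminating third-party setuid and setgid programs can be checked on a schedule. The following script is an added example, not taken from the Oracle Solaris documentation: it lists setuid and setgid files under a directory tree and reports any that a site-maintained allowlist does not name. The allowlist format and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Oracle code. The allowlist (one absolute path per line,
# '#' starts a comment) is a format assumed here, not a Solaris file.

# list_setid ROOT
# Print regular files under ROOT that carry the setuid or setgid bit.
# -xdev keeps the scan on ROOT's file system so NFS mounts are not walked.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        2>/dev/null | LC_ALL=C sort
}

# unapproved_setid ROOT ALLOWLIST
# Print setuid/setgid files under ROOT that ALLOWLIST does not name.
# Returns 0 when every file is approved, 1 when any is not, 2 on error.
unapproved_setid() {
    root=$1
    allow=$2
    [ -r "$allow" ] || return 2
    approved=$(mktemp) || return 2
    # Drop comments, trailing blanks and empty lines; sort for comm(1).
    sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        "$allow" | LC_ALL=C sort -u > "$approved"
    # comm -23 keeps lines found only in the scan (column 1).
    found=$(list_setid "$root" | LC_ALL=C comm -23 - "$approved")
    rm -f "$approved"
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Command-line use: script ROOT ALLOWLIST
if [ "$#" -eq 2 ]; then
    unapproved_setid "$1" "$2"
fi
```

A nonzero exit status makes the script usable from cron or a compliance job, where each reported path is either removed, replaced by a rights profile, or reviewed and added to the allowlist.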