Oracle® Solaris 11.3 Security Compliance Guide

Updated: March 2018
 
 

Security Benchmarks and Oracle Solaris

Oracle Solaris supplies compliance scripts for two standards: Solaris and PCI DSS. Independently, the Center for Internet Security (CIS) provides a third-party benchmark for Oracle Solaris. You can also create customized assessments, called tailorings, that are based on security benchmarks and profiles.

Solaris Security Policy Benchmark

The Solaris security policy benchmark is a standard based on the "secure by default" (SBD) default installation of Oracle Solaris.

The benchmark provides two profiles: Baseline and Recommended.

  • The Baseline profile of the Solaris benchmark closely matches the default SBD installation of Oracle Solaris.

  • The Recommended profile satisfies organizations with stricter security requirements than the Baseline profile. Systems that comply with the Recommended profile also comply with the Baseline profile.

The features which comprise SBD are described in Using the Secure by Default Configuration in Securing Systems and Attached Devices in Oracle Solaris 11.3 and Oracle Solaris Configurable Security in Oracle Solaris 11.3 Security and Hardening Guidelines.

The Solaris benchmark does not satisfy the requirements of the PCI DSS, CIS, or Defense Information Systems Agency-Security Technical Information Guides (DISA-STIG) benchmarks for Oracle Solaris.

PCI DSS Security Policy Benchmark

The PCI DSS security policy benchmark is a proprietary information security standard for organizations that handle cardholder information for major debit and credit cards. The standard is defined by the Payment Card Industry Security Standards Council. The intent is to reduce credit card fraud.

An Oracle Solaris system requires configuration to comply with the PCI DSS standard. The compliance report indicates which tests failed and which tests passed, and provides remediation steps. Because some PCI DSS requirements do not correspond directly to software, you must examine the compliance report and then perform additional tasks to comply with the standard. For more information, see Meeting PCI DSS Compliance with Oracle Solaris 11.

CIS Benchmark for Oracle Solaris

The CIS standards organization provides automated compliance checking tools for its Oracle Solaris benchmark. Contact CIS to determine the cost of using CIS tools. You can run these tools on a Microsoft Windows system to check Oracle Solaris compliance.

Tailorings From Benchmarks

You can create tailorings from security policy benchmarks. Tailorings customize assessments to verify the security policy of particular systems at your site. To create these customized assessments, you include or exclude rules from an existing benchmark, profile, or tailoring. To use a tailoring to assess systems, you must install the source benchmark as well as the tailoring. For more information, see Security Benchmarks and Oracle Solaris and Creating Tailorings From Compliance Benchmarks.