Information
The Solaris 11 OS should be periodically updated to install or upgrade software packages
that will enhance the security, reliability, and performance of the system.
For the Solaris 11 OS, there will be no more software patches issued, but rather security
and other improvements will be installed by updating one or more software packages.
Solution
Run the following command to refresh the package catalog, download and apply any
available updates-# pkg update2 Disable Unnecessary Services While using the most up to date software packages will help to correct any known
vulnerabilities, one of the best ways to protect the system against as yet unreported
vulnerabilities is to disable services that are not required for that particular system's
intended operation or management. This helps to prevent the exploitation of
vulnerabilities that may be discovered at a later date. The actions in this section of the
document provide guidance on what services can be safely disabled and under which
circumstances.The Solaris 11 OS has implemented a 'Secure by Default' (SBD) posture whereby many
services that were once automatically enabled are now either disabled or configured to
listen only for connections originating from the system itself. This default software
configuration greatly simplifies many of the security hardening steps typically undertaken
in previous versions of the operating system. As a result, this section will build upon this
default configuration and focus specifically on those services that are enabled (local-only or
otherwise) that organizations may want to disable.As noted above, several services are not disabled, but rather are placed into a 'local only' mode
where they will accept connections originating only from the local system itself. This was done
to strike a balance between security and out-of-the-box usability. If these services are not
required, it is recommended that they be disabled to guard against potential future vulnerabilities
that can be exploited by users and/or services that are operating locally on the system.