github.com/CISOfy/lynis.git
author mboelen <michael@cisofy.com> 2016-03-17 15:35:55 +0300
committer mboelen <michael@cisofy.com> 2016-03-17 15:35:55 +0300
commit 057b41265a31d02dee1ae935f0e8a9f04ec866ba (patch)
tree ef2addf6c3e05b006e5511c39077db6480b0bff2
parent c7b9c21339f06028b55341ca2883279da08645a5 (diff)
Preparing for 2.2.0 release
-rw-r--r-- CHANGELOG 147
1 files changed, 103 insertions, 44 deletions
diff --git a/CHANGELOG b/CHANGELOG
index d8027cbf..07465e72 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,7 +5,8 @@
================================================================================
- Author: Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+ Author: Michael Boelen (2007-2013)
+ CISOfy (2013-2016)
Description: Security and system auditing tool
Website: https://cisofy.com/lynis/
GitHub: https://github.com/CISOfy/lynis
@@ -17,18 +18,43 @@
================================================================================
-= Lynis 2.1.x (development version for 2.2.x) =
-
-*** THIS CHANGELOG IS IN PREPARATION FOR THE NEW 2.2.0 RELEASE ***
+= Lynis 2.2.0 (pre-release) =
We are proud to present this new release of Lynis. It is a major upgrade, and the
result of many months of work. This version includes new features and tests, and
-many small enhancements, to improve the tool. We encourage all to test and
-upgrade to this latest release.
+many small enhancements. We encourage all to test and upgrade to this latest
+release.
+
+* Highlights
+------------
+The biggest change in this release is the optimization of several functions. It
+allows for better detection, and dealing with the quirks, of every single
+operating system. Some functions were fortified to better handle unexcepted
+results, like missing a particular binary, or not receiving a hostname.
+
+This release enables also tests to be shorter, by adding new functions. Some
+functions were renamed or slightly changed, to provide more value to the tooling.
+Another big change in this release is a wide set of optimizations and quality
+testing. Outdated pieces were removed, or rewritten, to support features seen in
+newer distributions.
+
+On the level of compliance adjustments have been made to start supporting more
+in-depth testing for this. Ideal for companies who have a particular compliance
+need, or want to better enforce the system hardening levels of their systems.
+
+Last but not least, many small changes make this software easier to use. On
+our website we added new guides to provide help and support.
+
+We like to specifically thank Kamil Boratyński, Steve Bosek, and Eric Light.
+Their contributions helped us greatly shaping this release.
+
+
+Below are the changes per category:
* Automation tools
------------------
-CFEngine detection has been further extended. Additional logging and reporting of automation tools.
+Detection for CFEngine has been improved. Also additional logging and reporting
+of automation tools.
* Authentication
----------------
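Review bot: "unexcepted" in the new Highlights paragraph ("to better handle unexcepted results") should be "unexpected". In the same block, "This release enables also tests to be shorter" reads more naturally as "This release also enables tests to be shorter", and "On the level of compliance adjustments have been made" needs a comma after "compliance" to parse on first read.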
@@ -40,11 +66,18 @@ will be gathered and added to the report [AUTH-9234].
New plugin is introduced to analyze PAM settings. It including items like:
- Two-factor authentication methods
-- Minimum password length, password strength and protection status against brute force cracking
+- Minimum password length, password strength and protection status against brute
+ force cracking
- Password history
Report option: auth_failed_logins_logged
+* Boot
+------
+Added detection for Mac OSX boot loader. Initial support to test UEFI settings,
+including Secure Boot option. Options boot_uefi_booted and
+boot_uefi_booted_secure added to report file
+
* Compliance
------------
This release prepares for upcoming extensions to assist with compliance testing.
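Review bot: The new Boot entry spells the platform "Mac OSX", while the BOOT-5106 line elsewhere in this file uses "Mac OS X"; pick one spelling so a search of the changelog finds both. The entry also ends without a full stop ("added to report file"), and it would help to reference the test ID for the UEFI and Secure Boot check the way the other sections do, so readers can map the report fields boot_uefi_booted and boot_uefi_booted_secure to a test.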
@@ -63,9 +96,11 @@ to these particular standards.
* DNS and Name services
-----------------------
-Support added for Unbound DNS caching tool [NAME-4034]
-Configuration check for Unbound [NAME-4036]
-Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
+Support added for Unbound DNS caching tool [NAME-4034], including a configuration
+check [NAME-4036].
+
+Record if a name caching utility is being used like nscd or Unbound. Also logging
+to report as field name_cache_used
* Firewalls
-----------
@@ -84,34 +119,43 @@ are any rules configured.
Renamed FIRE-4511 to FIRE-4502.
+* File Integrity Monitoring
+---------------------------
+Test added to include osqueryd as a supported tool.
+
* Hardware
----------
Detection of firewire is enhanced (both ohci and core detected).
* Logging
---------
-Extended the test syslog-ng logging to remote systems
+Extended the test syslog-ng logging to remote systems. The log Lynis itself
+produces is also enhanced, to be more detailed for several tests.
* Malware
---------
-ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report.
+ESET and LMD (Linux Malware Detect) have been added. Discovered malware scanners
+are also logged to the report.
* Mount points
--------------
-FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
+FILE-6374 is expanded to test for multiple common mount points and define best
+practice mount flags.
* Networking
------------
-NETW-2600 collects IPv6 configuration and best practices for Linux.
-NETW-3004 now collects network interface names from most common operating systems.
+Best practices for IPv6 configuration on Linux are now collected. Also network
+interface names from most operating systems.
* Operating systems
-------------------
-Improved support for Debian 8 systems. Detection for VMware release has been added.
-Boot loader exception is not longer displayed when only a subset of tests is performed.
-FreeBSD systems can now use service command to gather information about enabled services.
+Improved support for Debian 8 systems. Detection for VMware release has been
+added. Boot loader exception is not longer displayed when only a subset of tests
+is performed. FreeBSD systems can now use service command to gather information
+about enabled services.
-Support for boot loader detection on Mac OS X
+Several paths have been added to allow better detection on systems running
+FreeBSD and others.
* Passwords
-----------
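Review bot: The rewritten Networking entry drops the test IDs NETW-2600 and NETW-3004 that the removed lines carried, so the section no longer says which tests changed; NETW-2600 still appears under Individual tests, but NETW-3004 is not visible anywhere else in this patch. Suggest keeping the IDs in brackets as the DNS section does. In Operating systems, "is not longer displayed" was carried over from the old text and should read "is no longer displayed".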
@@ -119,7 +163,12 @@ AUTH-9286 change has been extended to both capture minimum and password age.
* Proxy support
---------------
-A proxy can now be specified in the profile, to allow uploads via a HTTP or SOCKS proxy.
+A proxy can now be specified in the profile, to allow uploads via a HTTP or SOCKS
+proxy.
+
+* Service Managers
+------------------
+SystemV init is now detected.
* Software and Packages
-----------------------
@@ -130,18 +179,16 @@ PKGS-7354 (integrity tests).
* SSH
-----
-Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
-
-* UEFI and Secure Boot
-----------------------
-Initial support to test UEFI settings, including Secure Boot option
-Options boot_uefi_booted and boot_uefi_booted_secure added to report file
+Multiple configuration tests of SSH are now merged into SSH-7408. This enables
+easier testing later on and reduces repetition.
* Virtual machines and Containers
---------------------------------
-Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools
-like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker.
-Check file permissions for Docker files, like socket file [CONT-8108]
+Detection of virtual machines has been extended in several ways. Now VMware tools
+(vmtoolsd) are detected and machine state is improved with tools like Puppet
+Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it
+before gave error as it found directory /usr/libexec/docker. Check file
+permissions for Docker files, like the socket file [CONT-8108].
* Individual tests
------------------
@@ -149,27 +196,35 @@ Check file permissions for Docker files, like socket file [CONT-8108]
[AUTH-9230] Removed test as it was merged into AUTH-9228
[AUTH-9234] Support for AIX added
[AUTH-9288] Test for expired passwords
-[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
+[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also
+ includes improved logging, and support for other operating systems.
+[BOOT-5104] Rewrote test to detect SysV init and other service managers
[BOOT-5106] New test to test boot loader on Mac OS X
[BOOT-5180] Only gets executed if runlevel 2 is found
[CONT-8108] New test to test for Docker file permissions
+[DBS-1816] Removed suggestion
+[FILE-6310] Add more details to test when a symlinked path has been found
[FILE-6410] Added /var/lib/locatedb as search path
+[FINT-4338] Added osquery test
[FIRE-4508] Added chains test for iptables
[FIRE-4511] Renamed to FIRE-4502
[FIRE-4536] Support for nftables detection
[FIRE-4538] Basic configuration check for for nftables
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
+[HTTP-6622] Determine Apache version and log to report
+[HTTP-6624] Ignore wildcard and default entries as ServerName for Apache
[LOGG-2154] Additional support for log destinations for syslog-ng
-[PKGS-7308] Split package name and version for RPM based package manager
-[PKGS-7350] Support for querying installed packages via Fedora DNF package manager (Dandified YUM)
-[PKGS-7352] Query security notices for DNF
-[PKGS-7354] Perform integrity tests for package database (DNF)
[MALW-3278] New test to detect LMD (Linux Malware Detect)
+[NAME-4406] Changed logic for localhost check and more detailed logging
[NETW-2600] IPv6 configuration check for Linux
[NETW-3032] Added ARP monitoring software test
+[PKGS-7308] Split package name and version for RPM based package manager
+[PKGS-7350] Support for installed packages via Fedora DNF package manager (Dandified YUM)
+[PKGS-7352] Query security notices for DNF
+[PKGS-7354] Perform integrity tests for package database (DNF)
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
-[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running
-[TIME-3170] New test to check NTP configuration files and determine if any of them are world writable
+[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured
+[TIME-3170] New test to check NTP configuration files
* Functions
-----------
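Review bot: The shortened TIME-3170 line no longer says what the test checks: the removed text stated it determines whether any NTP configuration file is world writable, which is the security-relevant part of the entry. TIME-3104 likewise loses the condition "yet ntpd isn't running", and AUTH-9328 replaces the specific "/etc/login.conf on systems like FreeBSD" with "other operating systems". Suggest wrapping these lines onto a continuation line, as done for AUTH-9328, rather than cutting the detail. The re-added PKGS-7350 line is still longer than the wrap width used for the rest of the patch.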
@@ -183,7 +238,8 @@ Check file permissions for Docker files, like socket file [CONT-8108]
[RandomString] Creates a random string of characters
[RemoveTempFiles] Remove any created temporary files
[Report] Replaces the older report function
-[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution)
+[ReportSuggestion] Allows two additional parameters to store details
+ (text and external reference to a solution)
[ReportWarning] Like ReportSuggestion() has additional parameters
[ShowComplianceFinding] Display compliance findings
[ShowSymlinkPath] Ensure readlink is available
@@ -191,21 +247,24 @@ Check file permissions for Docker files, like socket file [CONT-8108]
* General improvements
----------------------
- When using pentest mode, it will continue without any delays (=quick mode).
-- Plugins execution is improved, with improved logged and counting of active plugins.
+- Plugins execution is improved, with improved logged and counting of active
+ plugins.
- Data uploads: provide help when self-signed certificates are used.
-- Improved output for tests which before showed results as a warning, while actually are just suggestions.
-- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
+- Improved output for tests which before showed results as a warning, while
+ actually are just suggestions.
+- Lynis now uses different exit codes, depending on errors or finding warnings.
+ This helps with automation and any custom scripting you want to apply.
- Preparations to allow compressing the Lynis report file and enhance uploads.
+- Added --config option to show what settings file or profile is used.
- Tool tips are displayed, to make Lynis even easier to use.
+- Show a warning if the release is older than 4 months.
- PID file has additional checks, including cleanups.
-* Special thanks
-----------------
-We like to specifically thank Kamil Boratyński for his contributions to this release.
* Plugins
---------
[PAM] New plugin available in all versions of Lynis
+[PLGN-2602] Replaced mktemp commands with CreateTempFile function
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
--------------------------------------------------------------
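Review bot: The exit codes entry under General improvements is pitched at automation and custom scripting but does not list the codes or what each one means; a short table here, or a pointer to where they are documented, would let readers script against them. The new "--config" and "release is older than 4 months" bullets are clear. Two wording points in the same hunk: "with improved logged and counting" should be "improved logging and counting", and the PLGN-2602 line could state in a few words why mktemp calls were replaced with CreateTempFile, since temporary file handling is something users of an auditing tool will want to understand.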