diff options
author | mboelen <michael@cisofy.com> | 2015-12-22 18:56:15 +0300 |
---|---|---|
committer | mboelen <michael@cisofy.com> | 2015-12-22 18:56:15 +0300 |
commit | 72b0f65438ded70afad2cc024e5f3d76b3ac6bd8 (patch) | |
tree | 6065dde2f90c9e5240c269344ce310d6dc08bce5 /CHANGELOG | |
parent | 95832c61d10756e358849d93cc4fb7ab84fdc848 (diff) |
[LOGG-2154] Check for remote syslogging, more in-depth testing
Diffstat (limited to 'CHANGELOG')
-rw-r--r-- | CHANGELOG | 281 |
1 files changed, 146 insertions, 135 deletions
@@ -17,141 +17,152 @@ ================================================================================ - = Lynis 2.1.x (2.2.0 release in development) = - - This is an major release, which includes both new features and enhancements to existing tests. - - * Automation tools - ------------------ - CFEngine detection has been further extended. Additional logging and reporting of automation tools. - - * Authentication - ---------------- - Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes - checking for /etc/login.defs [AUTH-9408]. Merged password check on Solaris into AUTH-9228. - - New plugin is introduced to analyze PAM settings. It including items like: - - Two-factor authentication methods - - Minimum password length, password strength and protection status against brute force cracking - - Password history - - Report option: auth_failed_logins_logged - - * Compliance - ------------ - Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards. - - Right now these standards can be selected: - - CIS benchmarks - - HIPAA - - ISO27001/ISO27002 - - PCI DSS - - * DNS and Name services - ----------------------- - Support added for Unbound DNS caching tool [NAME-4034] - Configuration check for Unbound [NAME-4036] - Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used - - * Firewalls - ----------- - Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available. - New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now. - - * Hardware - ---------- - Detection of firewire is enhanced (both ohci and core detected). - - * Malware - --------- - ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report. - - * Mount points - -------------- - FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags. - - * Networking - ------------ - NETW-3004 now collects network interface names from most common operating systems. - - * Operating systems - ------------------- - Improved support for Debian 8 systems. Detection for VMware release has been added. - Boot loader exception is not longer displayed when only a subset of tests is performed. - FreeBSD systems can now use service command to gather information about enabled services. - - Support for boot loader detection on Mac OS X - - * Passwords - ----------- - AUTH-9286 change has been extended to both capture minimum and password age. - - * Software - ---------- - Log when vulnerable software packages were found - - * SSH - ----- - Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition. - - Special thanks to: Kamil Boratyński - - * UEFI and Secure Boot - ---------------------- - Initial support to test UEFI settings, including Secure Boot option - Options boot_uefi_booted and boot_uefi_booted_secure added to report file - - * Virtual machines and Containers - --------------------------------- - Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools - like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker. - Check file permissions for Docker files, like socket file [CONT-8108] - - * Individual tests - ------------------ - [AUTH-9204] Exclude NIS entries to avoid false positives - [AUTH-9230] Removed test as it was merged into AUTH-9228 - [AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD. - [BOOT-5106] New test to test boot loader on Mac OS X - [BOOT-5180] Only gets executed if runlevel 2 is found - [CONT-8108] New test to test for Docker file permissions - [FILE-6410] Added /var/lib/locatedb as search path - [HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox - [PKGS-7308] Split package name and version for RPM based package manager - [MALW-3278] New test to detect LMD (Linux Malware Detect) - [SHLL-6230] Test for umask values in shell configuration files (e.g. rc files) - [TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running - - * Functions - ----------- - [DigitsOnly] New function to extract only numbers from a text string - [DisplayManual] New function to show text on screen without any markup - [ExitCustom] New function to allow program to exit with a different exit code, depending on outcome - [GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier - [IsWordWritable] Changed return codes for easier usage of the function - [LogText] Replaces the older logtext function - [Report] Replaces the older report function - [ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution) - [ReportWarning] Like ReportSuggestion() has additional parameters - [ShowComplianceFinding] Display compliance findings - [ShowSymlinkPath] Ensure readlink is available - - * General improvements - ---------------------- - - When using pentest mode, it will continue without any delays (=quick mode). - - Data uploads: provide help when self-signed certificates are used. - - Improved output for tests which before showed results as a warning, while actually are just suggestions. - - Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply. - - Preparations to allow compressing the Lynis report file and enhance uploads. - - Tool tips are displayed, to make Lynis even easier to use. - - PID file has additional checks, including cleanups. - - * Plugins - --------- - [PAM] New plugin available in all versions of Lynis - [PLGN-2804] Limit report output of EXT file systems to 1 item per line - - -------------------------------------------------------------- += Lynis 2.1.6 (development version for 2.2.x) = + +*** THIS CHANGELOG IS IN PREPARATION FOR THE NEW 2.2.0 RELEASE *** + +We are proud to present this new release of Lynis. It is a major upgrade, and the +result of many months of work. This version includes new features and tests, and +many small enhancements, to improve the tool. We encourage all to test and +upgrade to this latest release. + +* Automation tools +------------------ +CFEngine detection has been further extended. Additional logging and reporting of automation tools. + +* Authentication +---------------- +Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes +checking for /etc/login.defs [AUTH-9408]. Merged previous password check for Solaris into test AUTH-9228. +New plugin is introduced to analyze PAM settings. It including items like: + +- Two-factor authentication methods +- Minimum password length, password strength and protection status against brute force cracking +- Password history + +Report option: auth_failed_logins_logged + +* Compliance +------------ +This release prepares for upcoming extensions to assist with compliance testing. The profile has a new option, which can b +Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards. + +Right now these standards can be selected: +- CIS benchmarks +- HIPAA +- ISO27001/ISO27002 +- PCI DSS + +* DNS and Name services +----------------------- +Support added for Unbound DNS caching tool [NAME-4034] +Configuration check for Unbound [NAME-4036] +Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used + +* Firewalls +----------- +Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available. +New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now. + +* Hardware +---------- +Detection of firewire is enhanced (both ohci and core detected). + +* Malware +--------- +ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report. + +* Mount points +-------------- +FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags. + +* Networking +------------ +NETW-3004 now collects network interface names from most common operating systems. + +* Operating systems +------------------- +Improved support for Debian 8 systems. Detection for VMware release has been added. +Boot loader exception is not longer displayed when only a subset of tests is performed. +FreeBSD systems can now use service command to gather information about enabled services. + +Support for boot loader detection on Mac OS X + +* Passwords +----------- +AUTH-9286 change has been extended to both capture minimum and password age. + +* Software and Packages +----------------------- +Log when vulnerable software packages were found + +* SSH +----- +Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition. + +* UEFI and Secure Boot +---------------------- +Initial support to test UEFI settings, including Secure Boot option +Options boot_uefi_booted and boot_uefi_booted_secure added to report file + +* Virtual machines and Containers +--------------------------------- +Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools +like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker. +Check file permissions for Docker files, like socket file [CONT-8108] + +* Individual tests +------------------ +[AUTH-9204] Exclude NIS entries to avoid false positives +[AUTH-9230] Removed test as it was merged into AUTH-9228 +[AUTH-9288] Test for expired passwords +[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD. +[BOOT-5106] New test to test boot loader on Mac OS X +[BOOT-5180] Only gets executed if runlevel 2 is found +[CONT-8108] New test to test for Docker file permissions +[FILE-6410] Added /var/lib/locatedb as search path +[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox +[PKGS-7308] Split package name and version for RPM based package manager +[MALW-3278] New test to detect LMD (Linux Malware Detect) +[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files) +[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running +[TIME-3170] New test to check NTP configuration files and determine if any of them are world writable + +* Functions +----------- +[DigitsOnly] New function to extract only numbers from a text string +[DisplayManual] New function to show text on screen without any markup +[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome +[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier +[IsWordWritable] Changed return codes for easier usage of the function +[LogText] Replaces the older logtext function +[RandomString] Creates a random string of characters +[Report] Replaces the older report function +[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution) +[ReportWarning] Like ReportSuggestion() has additional parameters +[ShowComplianceFinding] Display compliance findings +[ShowSymlinkPath] Ensure readlink is available + +* General improvements +---------------------- +- When using pentest mode, it will continue without any delays (=quick mode). +- Data uploads: provide help when self-signed certificates are used. +- Improved output for tests which before showed results as a warning, while actually are just suggestions. +- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply. +- Preparations to allow compressing the Lynis report file and enhance uploads. +- Tool tips are displayed, to make Lynis even easier to use. +- PID file has additional checks, including cleanups. + +* Special thanks +---------------- +We like to specifically thank Kamil Boratyński for his contributions to this release. + +* Plugins +--------- +[PAM] New plugin available in all versions of Lynis +[PLGN-2804] Limit report output of EXT file systems to 1 item per line + +-------------------------------------------------------------- = Lynis 2.1.1 (2015-07-22) = |