author | Michael Boelen <michael.boelen@cisofy.com> | 2016-05-14 17:17:19 +0300 |
---|---|---|
committer | Michael Boelen <michael.boelen@cisofy.com> | 2016-05-14 17:17:19 +0300 |
commit | 89d7da4ced483f3e1be950a264abd9a1df6bfb74 (patch) | |
tree | c07ef62ad8b7491d6c1b30baff2ac74aa295196d /CHANGELOG | |
parent | e8639f1d9ad14fdbb36080bf4955d37418ae97e8 (diff) |
Move to change log with markdown syntax
Diffstat (limited to 'CHANGELOG')
-rw-r--r-- | CHANGELOG | 2289 |
1 files changed, 0 insertions, 2289 deletions
diff --git a/CHANGELOG b/CHANGELOG deleted file mode 100644 index ef36578f..00000000 --- a/CHANGELOG +++ /dev/null 
@@ -1,2289 +0,0 @@ - -================================================================================ - - Lynis - Changelog - -================================================================================ - - Author: Michael Boelen (2007-2013) - CISOfy (2013-2016) - Description: Security and system auditing tool - Website: https://cisofy.com/lynis/ - GitHub: https://github.com/CISOfy/lynis - - Support policy: See section 'Support' in README file - Commercial support and plugins available via CISOfy - - Documentation: See web site, README, FAQ and CHANGELOG file - -================================================================================ - -= Lynis 2.2.1 (not released, development version) = - -* Upgrade tips - -Several changes have been made to core functions of Lynis. These are to simplify -its usage, but might cause differences after upgrading. See the tips below to -make. - -Custom profiles: -Instead of making changes to default.prf, copy your changes to custom.prf. Only -include the changes, as the values in default.prf are considered to be defaults. - -Check your cron jobs: -When using --quiet, the output will be really quiet now. -Use --show-warnings-only if you still want to see warnings. - -Lynis will exit with error 0, even when warnings have been found. Use option -error-on-warnings=yes (custom.prf) to exit with code 78 warnings. - -Do not define a profile with --profile. Instead, put only your changes in the -new custom.prf. - - -* Ansible -------- -Ansible examples for deployment are now on https://github.com/CISOfy/lynis-ansible - - -* Databases ------------ -Lynis will check also for DB2 instances and report the status. - - -* Developer Mode ----------------- -With this release the developer mode is introduced. It can be activated with the ---developer option, or developer-mode=yes in profile. In development mode, some -details are displayed on screen, to help testing of existing or new tests. 
- -To get easy access, a new profile has been added (developer.prf). - -Examples: -lynis audit system --profile developer.prf -lynis audit system --developer - - -* Documentation ---------------- -Template files have been updated to provide better examples on how to create -custom tests and plugins. - -To simplify the usage and options, a new helper utility has been added: show. -This helper will show help, or values (e.g. version, plugin directories, etc). -Some examples include: lynis show options, lynis show commands, lynis show -version, etc. See lynis show for all available details. - - -* File Systems --------------- -The XFS file system detection has been added. Mount points /dev/shm and /var/tmp -are now checked for their options. Comparison of the mount options has been -improved. A new test has been added to check if /var/tmp has been bound to /tmp. - - -* Mac OS X improvements ------------------------ -Package manager Brew has been added - - -* nginx -------- -Show suggestion when weak protocol is used, like SSLv2 or SSLv3. The protocols -are now also parsed and stored as details in the report file. - - -* Performance -------------- -Several performance improvements have been implemented. This includes rewriting -tests to invoke less commands and enhanced hardware detection at the beginning. - - -* Plugins ---------- -You can set the plugin directory now also via a profile. First match wins. -Priority: 1) argument, 2) profile, 3) default - ---plugindir is now an alias for --plugin-dir - - -* Profiles ----------- -Lynis now support multiple profiles. By using a file 'custom.prf', it allows to -inherit values first from default.prf, then merge it with custom.prf. - -Several tests have been altered to support multiple profiles. - -New profile options: - quick=yes|no (similar to --quick) - developer (see Developer section) - check-value - - -* SSH ------ -The configuration of SSH is now parsed from the SSH daemon directly. 
This enables -handling with new defaults more easily, as OpenSSH sometimes introduces new keys, -or change their default value between versions. - - -* Systemd ---------- -Added support for detecting systemd and reporting it as a service manager. The -systemd plugin has been released as a community plugin. - - -* Uploads ---------- -Solved a bug which added the proxy configuration twice. - - -* General improvements ----------------------- -The screen output has been improved, to show more meaningful things when some -parameters are missing. Several old variables and lines have been cleaned up. - -The Display function now allows the --debug flag. This helps in showing some -lines on screen, which would normally be hidden (e.g. items not found or -matched). - -Logging has been improved in different areas, like cleaning up and add more -relevant messages where needed. - -The interface colors have been changed, to make it more obvious how the software -can be used. Also the wait line between categories have been altered, to properly -display on systems with a white background. - -When no auditor name has been specified, it will say that instead of unknown. - -Functions file has been cleaned up, including adding developer debug information -when old functions are still be used. Later on these functions will be deleted, -and therefore placed at the bottom. 
- - -* Program options ------------------ -Added --developer option to enable developer mode -Added --verbose to show more details on screen and reducing in normal mode -Added --show-warnings-only to just show any warnings on screen -Added --skip-plugins to disable running any plugins (alias: --no-plugins) -Changed --quiet to really quiet -Remove --config option, use lynis show profiles instead - - -* Functions ------------ -[ContainsString] New function to search for a string in another one -[Display] Added --debug, showing details on screen in debug mode -[IsDebug] Check for usage of --debug -[IsDeveloperMode] Status for development and debugging (--developer) -[IsRunning] Added return state -[IsVerbose] Check for usage of --verbose -[IsOwnedByRoot] Check ownership of files and directories -[IsWorldWritable] Improved test with additional details -[PortIsListening] Check if a service it listening to a specified port -[SkipAtomicTest] Allow smaller tests to be skipped (e.g. SSH-7408) - - -* Tests -------- -[AUTH-9262] Restructure of test, support for pwquality PAM -[AUTH-9308] Check for systemd targets -[BANN-7119] /etc/motd test disabled -[BANN-7122] /etc/motd content test disabled -[BOOT-5184] Improve file permissions check for CentOS 7 machines -[DBS-1860] Check for status of DB2 -[CRYP-7902] Support for multiple profiles, improved logging -[FILE-6372] Properly checking for /etc/fstab now, ignore comments -[FILE-6374] Added /dev/shm and /var/tmp -[FILE-6374] New test for /var/tmp -[FILE-7524] Support for multiple profiles -[HTTP-6710] Trigger suggestion when weak protocols SSLv2/SSLv3 are used -[KRNL-5788] Support for kernel with grsecurity patches (linux-image-grsec) -[KRNL-5820] Improved logging for test -[KRNL-6000] Allow multiple profiles to be used, store more details -[LOGG-2190] Improvements for Fail2Ban and cron-related files -[NETW-3014] Support for multiple profiles -[PKGS-7303] Added Brew package manager -[PKGS-7354] Test for DNF repoquery plugin 
before using it -[PKGS-7381] Check for vuln.xml file -[PROC-3612] Removed wchan output to prevent grsecurity issues -[SCHD-7702] Test for running cron daemon -[SCHD-7704] Test ownership of cronjob files -[TOOL-5102] Test for Fail2ban tooling -[TOOL-5190] Test for intrusion detection or prevention system - - --------------------------------------------------------------- - -= Lynis 2.2.0 (2016-03-18) = - -We are proud to present this new release of Lynis. It is a major upgrade, and the -result of many months of work. This version includes new features and tests, and -many small enhancements. We encourage all to test and upgrade to this latest -release. - -* Highlights ------------- -The biggest change in this release is the optimization of several functions. It -allows for better detection, and dealing with the quirks, of every single -operating system. Some functions were fortified to handle unexcepted results -better, like missing a particular binary, or not returning the hostname. - -This release also enables tests to be shorter, by adding new functions. Some -functions were renamed or slightly changed, to provide more value to the tooling. -Another big change in this release is a wide set of optimizations and quality -testing. Outdated pieces were removed, or rewritten, to support features seen in -newer distributions. - -In the area of compliance, adjustments have been made to start supporting more -in-depth testing for this. Ideal for companies who have a particular compliance -need, or want to test and enforce the system hardening levels of their systems. - -Last but not least, many small changes make this software easier to use. On -our website we added new guides to provide help and support. - -We like to thank our contributors, in particular Kamil BoratyĆski, Steve Bosek, -and Eric Light. Their contributions helped us greatly shaping this release. 
- - -Below are the changes per category: - -* Automation tools ------------------- -Detection for CFEngine has been improved. Also additional logging and reporting -of automation tools. - -* Authentication ----------------- -Depending on the operating system, Lynis now tries to determine if failed logins -are properly logged. This includes checking for /etc/login.defs file [AUTH-9408]. -Merged previous password check for Solaris into test AUTH-9228. User ids on AIX -will be gathered and added to the report [AUTH-9234]. - -New plugin is introduced to analyze PAM settings. It including items like: - -- Two-factor authentication methods -- Minimum password length, password strength and protection status against brute - force cracking -- Password history - -Report option: auth_failed_logins_logged - -* Boot ------- -Added detection for Mac OSX boot loader. Initial support to test UEFI settings, -including Secure Boot option. Options boot_uefi_booted and -boot_uefi_booted_secure added to report file - -* Compliance ------------- -This release prepares for upcoming extensions to assist with compliance testing. -The profile has a new option, which can be used to define what standards should -be tested for, if any test is available. The related option is: -compliance_standards - -Right now these standards can be selected: -- CIS benchmarks -- HIPAA -- ISO27001/ISO27002 -- PCI DSS - -Note that additional tests will be implemented in future releases and then tagged -to these particular standards. - -* DNS and Name services ------------------------ -Support added for Unbound DNS caching tool [NAME-4034], including a configuration -check [NAME-4036]. - -Record if a name caching utility is being used like nscd or Unbound. Also logging -to report as field name_cache_used - -* Firewalls ------------ -Test for IPFW firewall on FreeBSD has been improved: status of pflogd will no -longer be displayed, when pf is not available. 
- -New test FIRE-4532 introduced for detection of the Mac OS X application firewall. -Also, the status of application firewalls is audited now. - -FIRE-4508 is another new test, which tests chains of iptables and their default -policy (ACCEPT or DROP). This release also supports the upcoming nftables -technology with new test FIRE-4536. It is expected that it will replace iptables -later on, so this test will perform a status check. Additional FIRE-4548 will -perform a version detection of the userland utility nft and determine if there -are any rules configured. - -Renamed FIRE-4511 to FIRE-4502. - -* File Integrity Monitoring ---------------------------- -Test added to include osqueryd as a supported tool. - -* Hardware ----------- -Detection of firewire is enhanced (both ohci and core detected). - -* Logging ---------- -Extended the test syslog-ng logging to remote systems. The log Lynis itself -produces is also enhanced, to be more detailed for several tests. - -* Malware ---------- -ESET and LMD (Linux Malware Detect) have been added. Discovered malware scanners -are also logged to the report. - -* Mount points --------------- -FILE-6374 is expanded to test for multiple common mount points and define best -practice mount flags. - -* Networking ------------- -Best practices for IPv6 configuration on Linux are now collected. Also network -interface names from most operating systems. - -* Operating systems -------------------- -Improved support for Debian 8 systems, and displaying Gentoo for Gentoo-based -systems. Detection of VMware release has been added. Boot loader exception is not -longer displayed when only a subset of tests is performed. FreeBSD systems can -now use service command to gather information about enabled services. - -Several paths have been added to allow better detection on systems running -FreeBSD and others. - -* Passwords ------------ -AUTH-9286 change has been extended to both capture minimum and password age. 
- -* Proxy support ---------------- -A proxy can now be specified in the profile, to allow uploads via a HTTP or SOCKS -proxy. - -* Service Managers ------------------- -SystemV init is now detected. - -* Software and Packages ------------------------ -Now information will be logged when vulnerable software packages were found. -Support for DNF (Dandified YUM) for Fedora systems has been added. This is done -in several tests: PKGS-7350 (installed packages), PKGS-7352 (security notices), -PKGS-7354 (integrity tests). - -* SSH ------ -Multiple configuration tests of SSH are now merged into SSH-7408. This enables -easier testing later on and reduces repetition. - -* Virtual machines and Containers ---------------------------------- -Detection of virtual machines has been extended in several ways. Now VMware tools -(vmtoolsd) are detected and machine state is improved with tools like Puppet -Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it -before gave error as it found directory /usr/libexec/docker. Check file -permissions for Docker files, like the socket file [CONT-8108]. - -* Individual tests ------------------- -[AUTH-9204] Exclude NIS entries to avoid false positives -[AUTH-9230] Removed test as it was merged into AUTH-9228 -[AUTH-9234] Support for AIX added -[AUTH-9288] Test for expired passwords -[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also - includes improved logging, and support for other operating systems. 
-[BOOT-5104] Rewrote test to detect SysV init and other service managers -[BOOT-5106] New test to test boot loader on Mac OS X -[BOOT-5180] Only gets executed if runlevel 2 is found -[CONT-8108] New test to test for Docker file permissions -[DBS-1816] Removed suggestion -[FILE-6310] Add more details to test when a symlinked path has been found -[FILE-6410] Added /var/lib/locatedb as search path -[FINT-4338] Added osquery test -[FIRE-4508] Added chains test for iptables -[FIRE-4511] Renamed to FIRE-4502 -[FIRE-4536] Support for nftables detection -[FIRE-4538] Basic configuration check for for nftables -[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox -[HTTP-6622] Determine Apache version and log to report -[HTTP-6624] Ignore wildcard and default entries as ServerName for Apache -[LOGG-2154] Additional support for log destinations for syslog-ng -[MALW-3278] New test to detect LMD (Linux Malware Detect) -[NAME-4406] Changed logic for localhost check and more detailed logging -[NETW-2600] IPv6 configuration check for Linux -[NETW-3032] Added ARP monitoring software test -[PKGS-7308] Split package name and version for RPM based package manager -[PKGS-7350] Support for installed packages via Fedora DNF package manager (Dandified YUM) -[PKGS-7352] Query security notices for DNF -[PKGS-7354] Perform integrity tests for package database (DNF) -[SHLL-6230] Test for umask values in shell configuration files (e.g. 
rc files) -[STRG-1842] New test for checking authorized USB devices -[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured -[TIME-3170] New test to check NTP configuration files - -* Functions ------------ -[CreateTempFile] Create a temporary file -[DigitsOnly] New function to extract only numbers from a text string -[DisplayManual] New function to show text on screen without any markup -[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome -[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier -[IsWordWritable] Changed return codes for easier usage of the function -[LogText] Replaces the older logtext function -[RandomString] Creates a random string of characters -[RemoveTempFiles] Remove any created temporary files -[Report] Replaces the older report function -[ReportSuggestion] Allows two additional parameters to store details - (text and external reference to a solution) -[ReportWarning] Like ReportSuggestion() has additional parameters -[ShowComplianceFinding] Display compliance findings -[ShowSymlinkPath] Ensure readlink is available - -* General improvements ----------------------- -- When using pentest mode, it will continue without any delays (=quick mode). -- Plugins execution is improved, with improved logged and counting of active - plugins. -- Data uploads: provide help when self-signed certificates are used. -- Improved output for tests which before showed results as a warning, instead of - just as a suggestion. -- Lynis now uses different exit codes, depending on errors or finding warnings. - This helps with automation and any custom scripting you want to apply. -- Preparations to allow compressing the Lynis report file and enhance uploads. -- Added --config option to show what settings file or profile is used. -- Tool tips are displayed, to make Lynis even easier to use. -- Show a warning if the release is older than four months. 
-- PID file has additional checks, including cleanups. - - -* Plugins ---------- -[PAM] New plugin available in all versions of Lynis -[PLGN-2602] Replaced mktemp commands with CreateTempFile function -[PLGN-2804] Limit report output of EXT file systems to 1 item per line - --------------------------------------------------------------- - - = Lynis 2.1.1 (2015-07-22) = - - This release adds a lot of improvements, with focus on performance, and - additional support for common Linux distributions and external utilities. - We recommend to use this latest version. - - * Operating system enhancements - ------------------------------- - Support for systems like CentOS, openSUSE, Slackware is improved. - - * Performance - ------------- - Performance tuning has been applied, to speed up execution of the audit on - systems with many files. This also includes code cleanups. - - * Automatic updates - ------------------- - Initial work on an automatic updater has been implemented. This way Lynis - can be scheduled for automatic updating from a trusted source. - - * Internal functions - -------------------- - Not all systems have readlink, or the -f option of readlink. The - ShowSymlinkPath function has been extended with a Python based check, which - is often available. - - * Software support - ------------------ - Apache module directory /usr/lib64/apache has been added, which is used on - openSUSE. - - Support for Chef has been added. - - Added tests for CSF's lfd utility for integrity monitoring on directories and - files. Related tests are FINT-4334 and FINT-4336. - - Added support for Chrony time daemon and timesync daemon. Additionally NTP - sychronization status is checked when it is enabled. - - Improved single user mode protection on the rescue.service file. - - * Other - ------- - Check for user permissions has been extended. - Python binary is now detected, to help with symlink detection. 
- Several new legal terms have been added, which are used for usage in banners. - In several files old tests have been removed, to further clean up the code. - - * Bug fixes - --------- - Nginx test showed error when access_log had multiple parameters. - Tests using locate won't be performed if not present. - Fix false positive match on Squid unsafe ports [SQD-3624]. - The hardening index is now also inserted into the report if it is not displayed - on screen. - - * Functions - --------- - Added AddSystemGroup function - - * New tests - --------- - Several new tests have been added: - - [PKGS-7366] Scan for debsecan utility on Debian systems - [PKGS-7410] Determine amount of installed kernel packages - [TIME-3106] Check synchronization status of NTP on systemd based systems - [CONT-8102] Docker daemon status and gather basic details - [CONT-8104] Check docker info for any Docker warnings - [CONT-8106] Check total, running and unused Docker containers - - * Plugins - --------- - [PLGN-2602] Disabled by default, as it may be too slow for some machines - [PLGN-3002] Extended with /sbin/nologin - - * Documentation - --------------- - A new document has been created to help with the process of upgrading Lynis. - It is available at https://cisofy.com/documentation/lynis/upgrading/ - - -------------------------------------------------------------- - - - = Lynis 2.1.0 (2015-04-16) = - - * General - --------- - Screen output has been improved to provide additional information. - - * OS support - ------------ - CUPS detection on Mac OS has been improved. AIX systems will now use csum - utility to create host ID. Group check have been altered on AIX, to include - the -n ALL. Core dump check on Linux is extended to check for actual values - as well. - - * Software - ---------- - McAfee detection has been extended by detecting a running cma binary. - Improved detection of pf firewall on BSD and Mac OS. Security patch checking - with zypper extended. 
- - * Session timeout - ----------------- - Tests to determine shell time out setting have been extended to account for - AIX, HP-UX and other platforms. It will now determine also if variable is - exported as a readonly variable. Related compliance section PCI DSS 8.1.8 - has been extended. - - * Documentation - --------------- - - New document: Getting started with Lynis - https://cisofy.com/documentation/lynis/get-started/ - - * Plugins (Enterprise) - ---------------------- - - Update to file integrity plugin - Changes to PLGN-2606 (capabilities check) - - - New configuration plugins: - PLGN-4802 (SSH settings) - PLGN-4804 (login.defs) - - Download link: https://cisofy.com/download/lynis/ - - -------------------------------------------------------------- - - - = Lynis 2.0.0 (2015-02-25) = - - - The first release within the 2.x branch! It includes several new features, to - simplify or improve auditing on Unix based systems, including BSD, Linux, - Mac OS and more traditional systems like AIX, HPUX and Solaris. - - New features and many improvements are the reason for the bump to a major - release, also a beginning of a new era. Many tools to audit or harden systems - have being released, yet none have been maintained over a long period of time. - - * Support and Feedback - - This software is supported and under development by CISOfy. By providing a - dual license, this software is kept up-to-date and enhanced. Both customers - and the community, benefit from this licensing. This release is available - thanks to your input and feedback. - - * Helpers - - New in this release is the support for helpers. Small utilities which enhance - Lynis by providing a single goal. The first helper available is to audit - Docker build files. - - * Improved OS support - - Many changes have been implemented to better support Linux, FreeBSD, NetBSD - DragonBSD and OpenBSD in particular. Upcoming releases will include smaller - "improvement rounds" for other systems as well. 
- - * New technologies - - More utilities and technologies are supported now. Technologies and tools - like systemd, Docker, nftables. - - * Lynis Enterprise - - As this code is shared, customers have an additional option to define to - what server they want to upload the audit results. Also, commercial plugins - have been bundled. - - * New parameters - - Several new options have been added: - --dump-options (see all options) - --report-file (define a different location for the report file) - - * General - - Documentation on the website has been extended: https://cisofy.com/support/ - The man page, Lynis binary and several tests have improved texts. - - This release is exceptional in that it includes many changes. We have done - a lot of testing on different platforms. You could expect this software to be - stable. Still, an assumption is no guarantee and especially no substitution - for testing in your own environment. If you encounter issues, please report - them via one of the links above in this changelog. - - - Enjoy this new release! 
- - -================================================================================ - - * 1.6.4 (2014-11-04) - - New: - - Boot loader detection for AIX [BOOT-5102] - - Detection of getcap and lsvg binary - - Added filesystem_ext to report - - Detect rootsh - - Changes: - - Hide errors when RPM database is faulty and show suggestion instead [PKGS-7308] - - Allow OpenBSD to gather information on listening network ports [NETW-3012] - - Don't trigger warning for Shellshock when doing segfault test [SHLL-6290] - - Do not run Apache test on OpenBSD and strip control chars [HTTP-6624] - - Extended AIDE test with configuration validation test [FIND-4314] - - Improved Shellshock test regarding non-Linux support [SHLL-6290] - - Added support for gathering volume groups on AIX [FILE-6311] - - Properly parse PAM lines and add them to report [AUTH-9264] - - Support for boot loader detection on OpenBSD [BOOT-5159] - - Added uptime detection for OpenBSD systems [BOOT-5202] - - Support for volume groups on AIX [FILE-6312] - - Redirect errors when searching for readlink binary - - -- - - * 1.6.3 (2014-10-14) - - New: - - Added tests for Shellshock bash vulnerability [SHLL-6290] - - Added test to determine if Snoopy is used [ACCT-9636] - - New test for qdaemon configuration file [PRNT-2416] - - Test for GRUB boot loader password [BOOT-5122] - - New test for qdaemon printer jobs [PRNT-2420] - - Added ClamXav test for Mac OS X [MALW-3288] - - Gentoo vulnerable packages test [PKGS-7393] - - New test for qdaemon status [PRNT-2418] - - Gentoo package listing [PKGS-7304] - - Running Lynis without root permissions will start non-privileged scan - - Systemd service and timer example file added - - Added grub2-install to binaries - - Changes: - - Adjustments so insecure SSL protocols are detected in nginx config [HTTP-6710] - - Directories will be skipped when searching for nginx log files [HTTP-6720] - - Only gather unique name servers from /etc/resolv.conf [NAME-2704] - - Properly detect 
mod_evasive on Gentoo and others [HTTP-6640] - - Improved swap partition detection in /etc/fstab [FILE-6336] - - Improvements to kernel detection (e.g. Gentoo) [KRNL-5830] - - Test for built-in security options in YUM [PKGS-7386] - - Improved boot loader detection for GRUB2 [BOOT-5121] - - Split GRUB test into two tests [BOOT-5122] - - Added Mac OS uptime check [BOOT-5202] - - Improved GetHostID function for systems having only ip binary - - Improved testing for symlinked binary directories - - Minor adjustments to log output - - Renamed dev directory to extras - - -- - - * 1.6.2 (2014-09-22) - - New: - - IsVirtualMachine function to check if system is running in VM - - VM types: Bochs CPU emulation, IBM z/VM, KVM, Linux Containers, - libvirt LXC driver (Linux Containers), Microsoft Virtual PC, OpenVZ, - Oracle VM VirtualBox, QEMU, Systemd Namespace container, - User-Mode Linux (UML), VMware products, XEN - - - Detection for SaltStack configuration management tooling - - ShowSymlinkPath function to check path behind a symlink - - Check of configuration options of pacman [PKGS-7314] - - Support for drill binary to check for Lynis update - - FileIsEmpty function to check for empty files - - Detect updates for Arch Linux [PKGS-7312] - - Add detection for machine ID (systemd) - - Added linux_config_file to report - - Bash completion script for Lynis - - Added detection of ss binary - - Changes: - - Extended system reboot check, to enable it for most Linux versions[KRNL-5830] - - Improved inetd test to avoid false positive with xinetd process [INSE-8002] - - Permissions check has been adjusted to allow packaging and pentest mode - - Added detection for compressed Linux config file [KRNL-5728] - - Added support for compressed Linux config file [KRNL-5730] - - Store PID file in home directory of the user, if needed - - Added usage of ss to gather listening ports [NETW-3012] - - Additional permission added to CUPS check [PRNT-2307] - - Extended telnet in inetd test 
[INSE-8016] - - Fix for reading at.deny file [SCHD-7720] - - Removed individual warnings [BOOT-5184] - - Several improvements for Arch Linux - - -- - - * 1.6.1 (2014-09-09) - - New: - - Added --pentest parameter to run a non-privileged scans (e.g. for pentesting) - - Show skipped tests in report if they require root and scan is non-privileged - - Changes: - - Improved vulnerable packages test on Debian based systems (apt-check) [PKGS-7392] - - Don't show warnings for 'swap' in 4th column fstab file [FILE-6336] - - Remove warning for old files in /tmp [FILE-6354] - - CheckUpdates function will have better output when no connection is available - - Changes to parameters and functions, to allow penetration tests with Lynis - - Test for actual files in /etc/modprobe.d before grepping in it - - Improved chown command when file permissions are incorrect - - Changed output of update test, show when status is unknown - - No scanning of symlinked directories (binaries test) - - Extended SafePerms function to also check for UID - - Several tests will have root-only bit set now - - Improved netstat tests on Arch Linux - - -- - - * 1.6.0 (2014-08-27) - - New: - - Added several new plugins to default profile - - HostID detection for AIX - - Changes: - - Improvements for log file - - GetHostID function improved - - Improved detection of security repository for Debian based systems [PKGS-7388] - - Set default values for update check, to avoid error message on screen - - Cleanup for mail section, adding IMAP and POP3 protocols - - -- - - * 1.5.9 (2014-07-31) - - New: - - New NetBSD test for vulnerable software packages [PKGS-7380] - - Test if Debian based systems need a reboot [KRNL-5830] - - Test for running Sendmail daemon [MAIL-8880] - - Test for availability of mtree [FINT-4330] - - Check for lp daemon (printing) [PRNT-2314] - - Added Qmail status detection [MAIL-8860] - - New NetBSD boot loader test [BOOT-5126] - - Added test for automation tools like Cfengine and Puppet 
[TOOL-5002] - - Added KRNL-5830 control to website - - Added detection for Puppet - - Added tooling category - - Changes: - - Security repository test extended with /etc/apt/sources.list.d [PKGS-7388] - - Added exception case for CUPS configuration (listen statement) [PRNT-2308] - - Improved detection of TMOUT setting in shell profile file [SHLL-6220] - - Perform promiscuous interfaces test for NetBSD as well [NETW-3014] - - Perform swap partition parameters test on all systems [FILE-6336] - - Also check password file on DragonFlyBSD and NetBSD [AUTH-9208] - - Show message regarding toor user for all systems [AUTH-9204] - - Check for available interfaces on NetBSD as well [NETW-3004] - - Extended UFS file system test with FFS support [FILE-6329] - - Improvements for step-tickers file test [TIME-3160] - - Perform sockstat test for NetBSD [NETW-3012] - - Gather IP addresses for NetBSD [NETW-3008] - - Test MAC addresses on NetBSD [NETW-3006] - - Added /usr/X11R7/bin directory to search for binaries - - Improved full qualified domain name (FQDN) check for Linux - - Don't show follow-up hints when there are no warnings or suggestions - - Improved IsRunning function to better target processes - - Several smaller adjustments in text and descriptions - - Extended ReportException function with logging text - - Improved GetHostID function for NetBSD and Solaris - - Added printing_daemon and mail_daemon to report - - Binaries extended with tools like kstat, puppet - - -- - - * 1.5.8 (2014-07-24) - - New: - - Testing for commercial anti-virus solutions like McAfee and Sophos [MALW-3280] - - New control text for MALW-3280 - http://cisofy.com/controls/MALW-3280/ - - Changes: - - Extended GRUB test with encrypted password (SHA1) [BOOT-5121] - - Check /etc/profile for multiple umask values [AUTH-9328] - - Extended PHP disabled functions test [PHP-2320] - - Add gpgcheck parameter to YUM test [PKGS-7387] - - Squid configuration file permissions test adjusted and control added to 
website [SQD-3613] - - Logging has been extended and exceptional event text adjusted - - -- - - * 1.5.7 (2014-07-09) - - New: - - Implementation of SafePerms function - - Added notification when exceptions are found - - Changes: - - Fix for error_log handling in nginx - - -- - - * 1.5.6 (2014-06-12) - - New: - - Test for PHP binary and PHP version - - Don't perform register_global test for systems running PHP 5.4.0 and later [PHP-2368] - - Debug function (can be activated via --debug or profile) - - Changes: - - Extended IsRunning function - - Removed suggestion from secure shell test [SHLL-6202] - - Check for idle session handlers [SHLL-6220] - - Also check for apache2 binary (file instead of directory) - - New report values: session_timeout_enabled and session_timeout_method - - New report value for plugins: plugins_enabled - - Fixed test to determine active TCP sessions on Linux [NETW-3012] - - -- - - * 1.5.5 (2014-06-08) - - New: - - Check for nginx access logging [HTTP-6712] - - Check for missing error logs in nginx [HTTP-6714] - - Check for debug mode in nginx [HTTP-6716] - - Changes: - - Extended SSL test for nginx when using listen statements - - Allow debugging via profile (config:debug:yes) - - Check if discovered httpd file is actually a file - - Improved temporary file creation related to security notice - - Adjustments to screen output - - Security Note: - This releases solves two issues regarding the usage of temporary - files (predictability of the file names). You are advised to upgrade - to this version as soon as possible. 
For more information see the - our blog post: http://linux-audit.com/lynis-security-notice-154-and-older/ - - -- - - * 1.5.4 (2014-06-04) - - New: - - Check additional configuration files for nginx [HTTP-6706] - - Analysis of nginx settings [HTTP-6708] - - New test for SSL configuration of nginx [HTTP-6710] - - Changes: - - Altered SMBD version check for Mac OS - - Small adjustments to report for readability - - -- - - * 1.5.3 (2014-05-19) - - New: - - Support for zypper package manager - - Gather installed packages with Zypper on SuSE systems [PKGS-728] - - Check for vulnerable packages with Zypper package manager [PKGS-7330] - - Changes: - - Check for aide.conf also in /etc [FINT-4315] - - Adjusted screen output for unreliable NTP peers [TIME-3120] - - Adjusted check kernel test for non-Linux systems [KRNL-5730] - - Improved screen output on AIX systems with echo command - - -- - - * 1.5.2 (2014-05-05) - - New: - - Support for runlevel in binaries test - - Changes: - - Added suggestion for kernel availability check [KRNL-5788] - - Added suggestion for services at startup and proper binary call [BOOT-5180] - - Added suggestion to configure accounting on FreeBSD [ACCT-2754] - - Added suggestion to configure Linux process accounting [ACCT-9622] - - Several new controls listed on website - - Adjusted hardening index if total score was zero - - Added suggestion for auditd.conf file [ACCT-9632] - - Removed suggestion for audit log file [ACCT-9634] - - Removed warning from NTP falsetickers test, added data to report [TIME-3132] - - Removed warning from NTP selected time source test [TIME-3124] - - -- - - * 1.5.1 (2014-04-22) - - Changes: - - Extended reporting with running databases and frameworks - - Adjusted Oracle status in test [DBS-1840] - - Extended grsecurity test [RBAC-6272] - - Redirect rpcinfo errors to /dev/null - - Adjusted color scheme - - -- - - * 1.5.0 (2014-04-10) - - New: - - Support for Amazon Linux - - NTP check for step-tickers file (Red Hat and 
clones) [TIME-3160] - - Changes: - - Minor textual changes in description of several controls - - Removed several warnings (usage of suggestions instead) - - Website has now more information for several controls - - Extended detection for Oracle Linux - - Updated the FAQ and README files - - -- - - * 1.4.9 (2014-04-03) - - New: - - Added links in report to related control documentation on website - - Detect Linux I/O kernel scheduler [KRNL-5730] - - Changes: - - Check for non-unique accounts on several platforms [AUTH-9208] - - Set initial discover value for PAM modules to zero [AUTH-9268] - - -- - - * 1.4.8 (2014-03-27) - - Changes: - - Adjusted resolv.conf domain setting in report [NAME-4016] - - Extend account test with /var/log/pacct [ACCT-9620] - - Added suggestion to DNS domain name test [NAME-4028] - - Changed text strings of ZFS test [FILE-6330] - - Extend LILO password test [BOOT-5139] - - Set default value for pf firewall - - -- - - * 1.4.7 (2014-03-21) - - New: - - New configuration item to set group name - - Search for AIDE configuration file (aide.conf) [FINT-4315] - - Check for usage of SHA256/SHA512 in AIDE configuration [FINT-4316] - - Added grep to list of binaries - - Changes: - - Added suggestion when using NIS or NIS+ [NAME-4302] - - Clean-up of unneeded plugin section - - Small typo fix - - -- - - * 1.4.6 (2014-03-14) - - New: - - Check for GPG signing in yum.conf [PKGS-7387] - - Check CUPS configuration file permissions [PRNT-2307] - - Changes: - - Screen cleanup - - -- - - * 1.4.5 (2014-03-08) - - New: - - Support for Chakra Linux - - Support for pacman binary (package manager) - - Query installed packages on systems with pacman [PKGS-7310] - - Changes: - - Avoid logging to screen when falsetickets are found [TIME-3132] - - Skipping FIFO file on Solaris systems when checking for cron jobs [TIME-3104] - - Extended uptime test for Solaris systems [BOOT-5202] - - Added /usr/lib/security to PAM locations to scan - - Report cronjobs to report 
[SCHD-7704] - - HostID support for Solaris - - Improved color scheme - - Extended logging - - -- - - * 1.4.4 (2014-03-03) - - New: - - Detect tune2fs binary - - Added ExitFatal() function - - Added egrep binary to binaries - - Initial plugin support (phase 1) - - Added InsertPluginSection() function - - Changes: - - Adjusted disabled functions tests to properly find functions [PHP-2320] - - Extended time test with egrep binary replace for Solaris [TIME-3104] - - Adjusted color for SNMP test when warning is found [SNMP-3306] - - Adjusted text for PHP risky functions [PHP-2320] - - Refer to discovered binaries for ifconfig, lsmod, tune2fs - - Test plugin directory when provided by --plugin-dir - - Scan report extended with plugin information - - Extended help for Enterprise options - - Improved IsRunning() function - - Extended color scheme - - -- - - * 1.4.3 (2014-02-23) - - New: - - Support for ClearOS - - Data upload for Lynis Enterprise users (--upload) - - Added debug variable for troubleshooting purposes - - Scan profile option license_key - - Changes: - - Skip password check for Red Hat or clones [AUTH-9282] - - Extended single user login protection [AUTH-9308] - - Adjusted repolist check for yum based systems [PKGS-7383] - - Inserted sleep time when update is found - - Extended report output - - -- - - * 1.4.2 (2014-02-19) - - Changes: - - Ignore interfaces aliases for HostID - - Extended umask tests with pam_umask entries [AUTH-9328] - - Check for supressed version on Squid [SQD-3680] - - -- - - * 1.4.1 (2014-02-15) - - New: - --plugin-dir parameter - - Changes: - - Added 64 bits locations for Apache modules - - Add start of new category to logfile - - Extended sysstat test with /etc/cron.d/sysstat [ACCT-9626] - - Extended cron job tests with entries start with asterix (*) [SCHD-7704] - - Additional check for multiple umask entries (like RHEL 6.x) [AUTH-9328] - - Adjusted PHP test for register_globals (explicit test) [PHP-2368] - - Small adjustments for 
upcoming plugin support - - Extended man page - - -- - - * 1.4.0 (2014-01-29) - - Changes: - - Removed some warnings, to prevent double messages - - Extended accounting check for Linux [ACCT-9622] - - Added consistency check to time test [TIME-3124] - - Added support for anacron jobs [SCHD-7704] - - Rewrite of YUM repository test [PKGS-7383] - - Use binary variables for hostid creation - - AIX version detection changed - - Added rpcinfo to binaries check - - Ignore LANG global setting - - Improved logging - - -- - - * 1.3.9 (2014-01-09) - - Changes: - - Additional support for Mac OS - - Support for shasum binary - - Performance adjustment for lsof tests - - Extended interface check for hostid creation - - Improved NSCD detection [NAME-4032] - - Bug fix for passwdqc [AUTH-9262] - - Extended vulnerable packages test [PKGS-7392] - - Hide possible sysctl errors [KRNL-5820] - - -- - - * 1.3.8 (2013-12-25) - - New: - - New parameter --view-categories to display available test categories - - Added /etc/hosts check (duplicates) [NAME-4402] - - Added /etc/hosts check (hostname) [NAME-4404] - - Added /etc/hosts check (localhost mapping) [NAME-4406] - - Portmaster test for possible port upgrades [PKGS-7378] - - Check for SPARC improve boot loader (SILO) [BOOT-5142] - - NFS client access test [STRG-1930] - - Check system uptime [BOOT-5202] - - YUM repolist check [PKGS-7383] - - Contributors file added - - Changes: - - Improved locate database check and reporting [FILE-6410] - - Improved PAE/No eXecute test for Linux kernel [KRNL-5677] - - Disabled NIS domain name from test [NAME-4028] - - Extended NIS domain test to check BSD sysctl value [NAME-4306] - - Extended PAM tools check with PAM paths [AUTH-9262] - - Adjusted Apache check to avoid skipping it [HTTP-6622] - - Extended USB state testing [STRG-1840] - - Extended Firewire state testing [STRG-1846] - - Extended core dump test [KRNL-5820] - - Added /lib/i386-linux-gnu/security to PAM directories - - Added /usr/X11R6/bin 
directory to binary paths - - Improved readability of screen output - - Improved logging for several tests - - Improved Debian version detection - - Added warning to BIND test [NAME-4206] - - Extended binaries with showmount and yum - - Updated man page - - -- - - * 1.3.7 (2013-12-10) - - New: - - Function FileExists() and SearchItem() - - Changes: - - Adjusted yum-security check [PKGS-7386] - - Improved check for iptables binary check - - Extended report with the tests executed and skipped - - -- - - * 1.3.6 (2013-12-03) - - New: - - Support for the dntpd time daemon - - New Apache test for modules [HTTP-6632] - - Apache test for mod_evasive [HTTP-6640] - - Apache test for mod_qos [HTTP-6641] - - Apache test for mod_spamhaus [HTTP-6642] - - Apache test for ModSecurity [HTTP-6643] - - Check for installed package audit tool [PKGS-7398] - - Added initial support for new pkgng and related tools [PKGS-7381] - - Check for ssh-keyscan binary - - ZFS support for FreeBSD [FILE-6330] - - Test for passwordless accounts [AUTH-9283] - - Initial OS support for DragonFly BSD - - Initial OS support for TrueOS (FreeBSD based) - - Initial OS support for elementary OS (Luna) - - GetHostID for DragonFly, FreeBSD, NetBSD and OpenBSD - - Check for DHCP client [NETW-3030] - - Initial support for OSSEC (system integrity) [FINT-4328] - - New parameter --log-file to adjust log file location - - New function IsRunning() to check status of processes - - New function RealFilename() to determine file name - - New function CheckItem() for parsing files - - New function ReportManual() and ReportException() to simplify code - - New function DirectoryExists() to check existence of a directory - - Support for dntpd [TIME-3104] - - Changes: - - Extended pf checks for FreeBSD/OpenBSD and others [FIRE-4518] - - Extended test to gather listening network ports for Linux [NETW-3012] - - Adjusted lsof statement to ignore warnings (e.g. 
fuse) [LOGG-2180] [LOGG-2190] - - Added suggestion for discovered shells on FreeBSD [AUTH-9218] - - Extended core dump test with additional details [KRNL-5820] - - Properly display suggestion if portaudit is not installed [PKGS-7382] - - Ignore message if no packages are installed (pkg_info) [PKGS-7320] - - Also try using apt-check on Debian systems [PKGS-7392] - - Adjusted logging for RPM binary on systems not using it [PKGS-7308] - - Extended search in cron directories for rdate/ntpdate [TIME-3104] - - Adjusted PHP check to find ini files [PHP-2211] - - Skip Apache test for NetBSD [HTTP-6622] - - Skip test http version check for NetBSD [HTTP-6624] - - Additional check to supress sort error [HTTP-6626] - - Improved the way binaries are checked (less disk reads) - - Adjusted ReportWarning() function to skip impact rating - - Improved report on screen by leaving out date/time and type - - Redirect errors while checking for OpenSSL version - - Extended reporting with firewall status and software - - Adjusted naming of some operating systems to make them more consistent - - Extended update check by using host binary if dig is not installed - - Count number of installed binaries/packages and report them - - Report about log rotation tool and status - - Updated man page - - -- - - * 1.3.5 (2013-11-19) - - New: - - OS detection for Mageia Linux, PCLinuxOS, Sabayon Linux and Scientific Linux - - Added some initial systemd support (e.g. 
boot services) - - Test to display if any known MAC framework is implemented [MACF-6290] - - Changes: - - Improved support for Slackware Linux (OS and version detection) - - Added systemd support (boot and running services) for Linux systems [BOOT-5177] - - Added systemd support (default runlevel) for Linux systems [KRNL-5622] - - Extended USB storage check in modprobe.d directory [STRG-1840] - - Improved output, reporting and check for kernel update [KRNL-5788] - - Optimized code and output of test to check writable scripts [BOOT-5184] - - Fixed detection for writable scripts [BOOT-5184] - - Improved detection IPv6 addresses for Slackware and others [NETW-3008] - - Minor addition to SSH PermitRootLogin check [SSH-7412] - - Extended cronjob tests, reporting and logging [SCHD-7704] - - Extended umask check in /etc/profile [AUTH-9328] - - Added suggestion about BIND version [NAME-4210] - - Merged test NTP daemon test TIME-3108 into TIME-3104 - - Improved support for Arch Linux (output, detection) - - Extended common list of directories with SSL certifcates in profile - - New function GetHostID() to determine an unique identifier of the machine - - Added a tests_custom file template - - Perform file permissions test on tests_custom file - - Improved OS detection and extended logging on several tests - - Several layout improvements - - Extended update check functions and output - - Cleaned up reporting and extended it with exceptions - - -- - - * 1.3.4 (2013-11-08) - - New: - - OS detection support for Arch Linux - - Support for systemd journal - - Changes: - - Test for files in /etc/modprobe.d directory [STRG-1840] - - Extended log daemon detection with systemd journal [LOGG-2130] - - Adjusted hardening value for compiler GCC [HRDN-7222] - - Extended IsWorldWritable and IsWorldExecutable functions to support symlinks - - Adjusted PHP test for disabled functions [PHP-2320] - - Extended testing for PHP files in other directories [PHP-2211] - - Improved screen output for 
several tests and extended logging - - -- - - * 1.3.3 (2013-10-24) - - New: - - Added NTP configuration type to report [TIME-3104] - - Changes: - - Do not warn on empty shells for FreeBSD systems [AUTH-9218] - - Extended checks for presence NTP client or daemon [TIME-3104] - - Extended logging - - -- - - * 1.3.2 (2013-10-09) - - New: - - Test for PowerDNS authoritive servers (master/slave status) [NAME-4238] - - Changes: - - CUPS test extended with hardening rules [PRNT-2308] - - Added hardening points to sticky bit on /tmp [FILE-6362] - - Extended Ubuntu security packages check [PKGS-7392] - - Improved update check, show when no check is performed - - Added additional check for binaries, so checks on CentOS work correctly - - Added word 'restricted' to banner strings - - Adjusted wording for Debian packages purge [PKGS-7346] - - Corrected listing of purgable packages [PKGS-7346] - - Adjusted yum-plugin-security check due to package changes [PKGS-7386] - - -- - - * 1.3.1 (2013-10-02) - - Changes: - - Updated generic references in files - - Fixed detection of several binaries (AFICK/awk) - - Performance tweaks when checking for binaries - - Fixed core dump check and dumpable sysctl [KRNL-5820] - - Force test to always to check for binaries [FILE-7502] - - Changed detection to egrep [DBS-1840] - - Adjusted variable checking for Solaris [HOME-9310] - - Adjusted search in modprobe directory [STRG-1840] [STRG-1846] - - -- - - * 1.3.0 (2011-12-25) - - New: - - Profile option: ignore_home_dir - - TCP wrappers category added - - Tooling category added - - Initial extensions to support plugins in the future - - Test for unpurged Debian packages [PKGS-7346] - - Test for compiler permissions [HRDN-7222] - - Changes: - - Converted all dates to ISO format and updated copyright lines - - Correct suggestion for file integrity tool [FINT-4350] - - Added hint when RPM list is empty on DPKG based systems [PKGS-7308] - - Changed logging for /etc/security/limits.conf file [KRNL-5820] 
- - Fixed incorrect warning for single user mode [AUTH-9308] - - Improved output for stratum 16 time servers [TIME-3116] - - Added suggestion and screen output for kernel hardening [KRNL-6000] - - Screen layout optimalizations and log file improvements - - Improved list/layout of scan options - - Improved binary check for compilers - - Added configuration option in scan profile (show_tool_tips, default true) - - -- - - * 1.2.9 (2009-12-15) - - New: - - Support for Squid3 - - Added Squid unsafe ports check [SQD-3624] - - Added Squid configuration file permission check [SQD-3613] - - Added Squid test: reply_body_max_size option [SQD-3630] - - Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328] - - Check PHP option allow_url_include [PHP-2378] - - Changes: - - Extended possible Squid configuration file locations - - Added additional sysctl keys to default profile - - Fixed typo in squid.conf checks - - Improved descriptions, logging and reporting for several tests - - Corrected /etc/security/limits.conf path in test [KRNL-5820] - - Updated man page, limited lines to 80 chars - - -- - - * 1.2.8 (2009-12-08) - - New: - - Squid support added - - Squid daemon detection [SQD-3602] - - Squid configuration file search [SQD-3604] - - Squid version detection [SQD-3606] - - Check /etc/motd banner [BANN-7122] - - Check /etc/issue.net file [BANN-7128] - - Check contents in /etc/issue.net [BANN-7130] - - Solaris single user mode login check (/etc/default/sulogin) [AUTH-9304] - - HP-UX boot authentication check [AUTH-9306] - - Linux single user mode authentication check [AUTH-9308] - - Solaris account locking policy check [AUTH-9340] - - Changes: - - Added prerequisite to SSH test, so the test is skipped properly [SSH-7440] - - Check for /etc/issue symlink [BANN-7124] - - Added file check for possible harmful shells found [AUTH-9218] - - Add user home directories to report [HOME-9302] - - Extended Linux run level test with support for Debian/Ubuntu [KRNL-5622] - - 
Added /lib64/security to PAM test [AUTH-9262] - - Extended security repository check [PKGS-7388] - - Iptables check should not check for a module in a Linux config [FIRE-4511] - - Ignore APC ups daemon when scanning for CUPS [PRNT-2304] - - Improved kernel logger daemon check [LOGG-2138] - - Added auditctl to binary check [ACCT-9630] - - Log used auditd ruleset [ACCT-9630] - - Corrected logging of Solaris c2audit module [ACCT-9656] - - Fixed warning function for Solaris passwordless accounts [AUTH-9254] - - Commented kern.randompid in default profile - - For sysctl the parameter -n will be used on Linux systems - - Changed syslog daemon detection and state - - Extended report file - - -- - - * 1.2.7 (2009-11-01) - - New: - - Added Kernel Hardening section - - Sysctl audit support in scan profile and related test [KRNL-6000] - - SSH option StrictModes test [SSH-7416] - - Password aging limit check [AUTH-9286] - - Ubuntu packages check (apt-show-versions) [PKGS-7394] - - Check for metalog daemon [LOGG-2210] - - USB storage driver state check [STRG-1840] - - Firewire storage driver state check [STRG-1846] - - PostgreSQL process check [DBS-1826] - - Oracle process check [DBS-1840] - - Default umask check [AUTH-9328] - - Check for rsyslog daemon [LOGG-2230] - - RFC 3195 compliant daemon check [LOGG-2240] - - Qmail SMTP daemon check [MAIL-8940] - - Test for separation of /tmp and /home from root file system [FILE-6310] - - SSH AllowUsers and AllowGroups usage check [SSH-7440] - - AIX support, thanks to Michael Smerdka - - Changes: - - Fixed crontabs path [SCHD-7704] - - Extended locate database paths for Linux and FreeBSD [FILE-6410] - - pflog detection fix [FIRE-4518] - - Skip /proc/meminfo for non Linux systems [PROC-3602] - - Extended text with rsyslogd [LOGG-2130] - - Ignore comment and empty lines for group tests [AUTH-9222/9226] - - Show firewall as active when iptables is available in config file [FIRE-4511] - - Variable fix for SNMP daemon configuration file 
[SNMP-3304] - - Freshclam check fix [MALW-3286] - - Fixed waiting search for NIS domain [NAME-4306] - - Check for a maximum of 1 search statement in /etc/resolv.conf [NAME-4018] - - Apache test improved [HTTP-6622] - - Skip klogd test if rsyslogd is available [LOGG-2138] - - Added additional CUPS location to search paths - - Only execute PAM test for systems with PAM [AUTH-9268] - - Fixed logging of sudoers file location [AUTH-9250] - - Improved FreeBSD support for NTP client check [TIME-3104] - - Redirect warning "Unknown host" when DNS domain name is empty [NAME-4028] - - Redirect warning when host name is empty - - Fixed warning color [AUTH-9226] - - Fixed FreeBSD COPYRIGHT file test [BANN-7113] - - Changed text for sudoers text [AUTH-9250] - - Improved text for DNS search domain [NAME-4016] - - Skip nginx configuration test if nginx is not available [HTTP-6704] - - Removed portsclean suggestion [PKGS-7348] - - Fixed non unique IDs - - Fixed cosmetic issue when using Debian with default dash shell - - Improved hostname detection for HP-UX - - Added additional php.ini file locations - - Moved Linux default shell check to OS detection functions - - Fixed CUPS daemon test [PRNT-2304] - - Also check for uppercase chars in issue file [BANN-7126] - - -- - - * 1.2.6 (2009-04-05) - - New: - - Sudoers file permissions check [AUTH-9252] - - Core dumps configuration check for Linux [KRNL-5820] - - PHP disabled functions check [PHP-2320] - - PHP enable_dl function check [PHP-2374] - - PHP allow_url_fopen function check [PHP-2376] - - OpenBSD smtpd status check [MAIL-8920] - - /etc/issue check [BANN-7124] - - /etc/issue legal keywords check [BANN-7126] - - Show suggestions in report - - Changes: - - Extended support for Red Hat, CentOS and Fedora - - Extended ACL test to test for default mount options as well [FILE-6368] - - Exim status test fixed [MAIL-8812] - - Corrected yum security check [PKGS-7386] - - Replaced LDAP test AUTH-9238 with [AUTH-9402] - - Removed backquotes 
when locate database is not available [FILE-6410] - - Added /etc/openldap to search path for OpenLDAP - - Fixed typo in crontab path [SCHD-7704] - - Don't show message "No volume groups found" if LVM isn't used [FILE-6310] - - Corrected Syslog-NG status [LOGG-2132] - - Moved TODO to dev directory - - -- - - * 1.2.5 (2009-03-27) - - New: - - slapd.conf check [LDAP-2224] - - atd status test [SCHD-7718] - - Check LDAP module in PAM [AUTH-9278] - - Check Dovecot status check [MAIL-8838] - - Check log directories from newsyslog.conf [LOGG-2162] - - Check log directories from static list [LOGG-2170] - - Check log directories from logrotate configuration [LOGG-2150] - - syslog check for remote logging [LOGG-2154] - - Open log files check [LOGG-2180] - - Deleted file check [LOGG-2190] - - Solaris active kernel modules check [KRNL-5770] - - Solaris audit daemon status check [ACCT-9650] - - Solaris audit daemon service status [ACCT-9652] - - Solaris audit daemon BSM check [ACCT-9654] - - Solaris audit logging location check [ACCT-9662] - - Solaris audit statistics check [ACCT-9672] - - Check for installed compiler [HRDN-7202] - - BIND process check [NAME-4202] - - BIND configuration file check [NAME-4204] - - BIND configuration consistency check [NAME-4206] - - BIND version check via DNS [NAME-4210] - - Default domain check (/etc/resolv.conf) [NAME-4016] - - Search domains in /etc/resolv.conf check [NAME-4018] - - Parse /etc/resolv.conf options [NAME-4020] - - Solaris /etc/nodename check [NAME-4026] - - DNS domain checks [NAME-4028] - - NSCD status check [NAME-4032] - - PowerDNS presence check [NAME-4230] - - PowerDNS configuration file check [NAME-4232] - - PowerDNS backend check [NAME-4236] - - ypbind status check [NAME-4302] - - Log specific defined SSH daemon options [SSH-7408] - - SSH protocol version check [SSH-7414] - - NIS domain checks [NAME-4304] - - Check pending at jobs [SCHD-7724] - - LVM volume group scan [FILE-6310] - - LVM volumes check [FILE-6312] - - Locate 
database check [FILE-6410] - - nginx configuration file check [HTTP-6704] - - Exim status check [MAIL-8802] - - Postfix status check [MAIL-8814] - - Changes: - - atd needs to run before testing at files [SCHD-7720] - - Removed Solaris OS requirement from logrotate test [LOGG-2148] - - Sanitized output from logrotate test [LOGG-2148] - - Skip comment fields in loghost check [LOGG-2152] - - Changed auditd tests to Linux only - - Binary scan optimized and partially combined with other check - - Only perform iptables tests if kernel module is active - - Don't show message when /etc/shells can't be found [SHLL-6211] - - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704] - - Renumbered FreeBSD test SHLL-7225 [SHLL-6202] - - Renumbered malware test MALW-3292 [HRDN-7230] - - Improved grep on process status [PRNT-2304] - - Ignore comment lines for nginx log file check [HTTP-6720] - - Added file check for nginx log files [HTTP-6720] - - Display IP addresses only of NTP tests [TIME-3124] - - Fixed Postfix configuration directory path [MAIL-8816] - - Redirected output of yum package duplicate check [PKGS-7384] - - Ignore comment lines for lilo test [BOOT-5139] - - Fixed incorrect iptables status and correct logging [FIRE-4511] - - Check SNMP configuration only if SNMP daemon runs [SNMP-3304] - - Don't scan PAM directories which are symlinks [AUTH-9268] - - Changed hardening category to hardening_tools - - Adjusted hardening points of several tests - - Log and display improvements for several tests - - -- - - * 1.2.4 (2009-03-17) - - New: - - NTP daemon process test [TIME-3108] - - NTP association ID's check from peer list [TIME-3112] - - NTP time source candidates test [TIME-3128] - - NTP falseticker check [TIME-3132] - - NTP protocol version check [TIME-3136] - - Stratum 16 ntp peers check [TIME-3116] - - Unreliable ntp peers check [TIME-3120] - - Preferred NTP time source test [TIME-3124] - - auditd presence check [ACCT-9628] - - auditd rules check [ACCT-9630] - 
- auditd configuration file check [ACCT-9632] - - auditd log file location check [ACCT-9634] - - cupsd status check [PRNT-2304] - - cupsd configuration file check [PRNT-2306] - - cupsd address configuration test [PRNT-2308] - - pam.conf configuration check [AUTH-9264] - - pam.d configuration file scan [AUTH-9266] - - PAM modules check [AUTH-9268] - - rpcinfo query [STRG-1902] - - NFS version number check [STRG-1904] - - NFS protocol and port number check [STRG-1906] - - NFS status check [STRG-1920] - - NFS exports check [STRG-1926] - - NFS empty /etc/exports [STRG-1928] - - SSH PermitRootLogin option check [SSH-7412] - - at.allow and at.deny check [SCHD-7720] - - File integrity tool check [FINT-4350] - - nginx process check [HTTP-6702] - - nginx log file test [HTTP-6720] - - ClamAV clamscan presence test [MALW-3282] - - ClamAV daemon check [MALW-3284] - - ClamAV freshclam check [MALW-3286] - - Check for presence malware scanner [MALW-3292] - - clamscan, ntpq binary check - - NTP daemon role and profile option - - Parameter --tests-category, to scan one or more categories - - Category added (Storage: NFS) - - Added hardening points to tests - - Display hardening index to report - - Changes: - - Extended logrotate test [LOGG-2148] - - Added check for inetd.conf before performing test [INSE-8016] - - Added /var/spool/crontabs to search path [TIME-3104] - - Added log line to sysstat test [ACCT-9626] - - Improved screen output on Solaris - - Checking for both rdate and ntpdate in cron files [TIME-3104] - - Changed yum-security package check [PKGS-7386] - - Change output if dig isn't available [NETW-2705] - - Added IPv6 support and output adjustment [NETW-2704] - - Cosmetic change for host based firewall check [FIRE-4590] - - Corrected output in log file [PKGS-7388] - - Corrected passwd options for Red Hat [AUTH-9282] - - Changed text if everything is ok (no warnings) - - Log improvements - - -- - - * 1.2.3 (2009-03-02) - - New: - - Added syslog-NG daemon check 
[LOGG-2132] - - Added klogd status test [LOGG-2138] - - Added check to determine minilogd presence [LOGG-2142] - - Added logrotate configuration test [LOGG-2146] - - Added check for loghost entry on Solaris machines [LOGG-2152] - - Added ipf test for Solaris [FIRE-4526] - - Added uname -n test (Solaris) [NAME-4024] - - Added ssh daemon configuration file check [SSH-7404] - - Added BSD newsyslog.conf file check [LOGG-2160] - - Added inetd status check [INSE-8002] - - Added inetd.conf configuration check [INSE-8004] - - Added check for inetd.conf when inetd is not active [INSE-8006] - - Added telnet check via inetd [INSE-8016] - - Added ACL check on root file system [FILE-6368] - - Added check for firewall/packet filter on system [FIRE-4590] - - Added lograte file check [LOGG-2148] - - Added snmp daemon status test [SNMP-3302] - - Added snmp configuration file test [SNMP-3304] - - Added default snmp community strings test [SNMP-3306] - - Added categories: Insecure services and SNMP - - Added binary searches for awk, ipf - - Changes: - - Changed profile name in default profile - - Added path /usr/ucb to binary paths - - Changed color to white if slapd is not running [LDAP-2219] - - Changed test PKG-7345 into PKGS-7345 - - Changed logging for several tests [PKGS-7302] [NETW-3004] - - Extended FAQ - - Changed default profile header - - Fixes: - - Hostname detection under Solaris - - Disabled tests PROC-3612 PROC3614 for Solaris machines - - Disabled NTP check in cron.d directory on Solaris [TIME-3104] - - Added result at line when querying system users [AUTH-9234] - - Counters (N+1) fixed for some shells, like Solaris - - Removed unneeded line for Solaris test [PROC-3604] - - Disabled grsecurity test for Solaris [RBAC-6272] - - Correct display of files with spaces [FILE-6354] - - Changed several tests so they work correctly with Solaris - - -- - - * 1.2.2 (2009-02-15) - - New: - - Support for MySQL client - - New test: Test for empty MySQL root password [DBS-1816] - - 
New test: SSH daemon status test [SSH-7402] - - New test: sysstat account information [ACCT-9626] - - New test: connections in WAIT state [NETW-3028] - - Lynis displays a warning now, if current version is really outdated - - New parameter option (log_tests_incorrect_os) to minimize logging - - Changes: - - Several adjustments to default profile - - Fixed option 'skip_test_always' to let it function properly - - Fixed passwd check for SuSE systems [AUTH-9282] - - Added error redirect for dpkg test [PKG-7345] - - Improved NTP test and messages, excluded check when using xen [TIME-3104] - - Extended DNS nameserver check with local resolver [NETW-2704] - - Skip double nameserver check when a local resolver is found [NETW-2705] - - Renamed tests_nameserver to tests_nameservices - - Improved log output [AUTH-9218] - - Notes: - - Custom profiles should be compared to the default profile, due small changes - in the structure. - - -- - - * 1.2.1 (2008-09-05) - - New: - - Added support for Samba - - Added support for SELinux framework - - New test: SELinux presence test [MACF-6232] - - New test: SELinux status checks [MACF-6234] - - New test: password PAM availability check [AUTH-9262] - - New test: expire date check for accounts [AUTH-9282] - - Added new option --tests, to run a small set of tests only - - Changes: - - Report and logging messages improved - - Output reduced when using --tests - - Added suggestion to PHP expose_php option [PHP-2372] - - Improved log message for PHP register_globals option [PHP-2368] - - Added virtual host count to log file [HTTP-6626] - - Improved Red Hat and clones detection and display - - Fix: Improved promiscuous detection for Linux [NETW-3015] - - Fix: AUTH-9204 test triggered on group ids as well - - Fix: Only display unique MAC addresses [NETW-3006] - - Extended Postfix test [MAIL-8818] - - Don't show /proc/meminfo if not present [PROC-3602] - - Don't show YABOOT information if not present [BOOT-5155] - - Improved portaudit test 
(FreeBSD) [PKGS-7382] - - Improved portsclean test (FreeBSD) [PKGS-7348] - - Added --quiet and --tests options to help and man page - - -- - - * 1.2.0 (2008-08-26) - - New: - - New test: Passwordless Solaris accounts test [AUTH-9254] - - New test: AFICK file integrity [FINT-4310] - - New test: AIDE file integrity [FINT-4314] - - New test: Osiris file integrity [FINT-4318] - - New test: Samhain file integrity [FINT-4322] - - New test: Tripwire file integrity [FINT-4326] - - New tests: NIS and NIS+ authentication test [AUTH-9240/42] - - Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire - - Changes: - - Changed text of grsecurity test [RBAC-6272] - - Optimized FreeBSD boot services test [BOOT-5165] - - Optimized UID 0 test [AUTH-9204] - - Extended login shells test [AUTH-9218] - - PID file message extended and small output improvement - - A log entry will be written when PID files are removed - - Added operating system name to log file when a test is skipped - - Added file available check when using --view-manpage - - Most program variables are initialized now for future additions - - -- - - * 1.1.9 (2008-08-09) - - New: - - New test: AppArmor framework check [MACF-6204] - - New test: FreeBSD boot loader test [BOOT-5124] - - New test: PHP option register_globals [PHP-2368] - - New test: Promiscuous network interfaces (Linux) [NETW-3015] - - Report option 'bootloader' added to several tests - - Added readlink binary check - - Changes: - - Extended file check (IsWorldWritable) for symlinks - - Show result if no default gateway is found [NETW-3001] - - Added /usr/local/etc to sudoers test [AUTH-9250] - - Improved FreeBSD banner output [BANN-7113] - - Removed incorrect line at promiscuous interface test [NETW-3014] - - Fix: Show only once the GRUB test output [BOOT-5121] - - Fix: Typo in NTP test [TIME-3104] - - Fix: Skip NTP test in /etc/cron.d if empty [TIME-3104] - - Fix: Initialize values when performing an update check without connection - - Fix: 
Solaris id function has been fixed - - Disabled FreeBSD double packages tests, due minor issues [PKGS-7303] - - Changed LDAP/MySQL running states [LDAP-2219] [DBS-1804] - - Replaced ifconfig calls with IFCONFIGBINARY - - Renamed tests_auditing to tests_mac_frameworks - - Several tests improved with extended logging - - -- - - * 1.1.8 (2008-07-16) - - New: - - Mac OS X support extended and new options added - - Changes: - - Extended default profile - - Improved several screen output lines - - User ID check improved, so it works better with older Solaris versions - - Hostname in output and reports will contain only host now, not FQDN - - Added extra php.ini locations to tests_php - - Replaced 'ps' in tests with PSBINARY value for better support - - Added output to zones test [VIRT-1902] - - Updated description [AUTH-9218] - - Extended ntp daemon/ntpdate check [TIME-3104] - - Added suggestion to bootable scripts check [BOOT_5184] - - Bugfix and improvement for FreeBSD portsclean test [PKGS-7348] - - Added Mac OS support to MAC address gathering test [NETW-3006] - - Added MAC OS support to inet and inet6 addresses test [NETW-3008] - - Extended PHP expose_php test to support additional options [PHP-2372] - - Improved LDAP test so it skips correctly on Mac OS AUTH-9238] - - Bugfix: MySQL status check gave incorrect output [DBS-1804] - - -- - - * 1.1.7 (2008-06-28) - - New: - - New test: check for unused iptables rules [FIRE-4513] - - New test: checking for dead and zombie processes [PROC-3612] - - New test: checking for heavy IO waiting processes [PROC-3614] - - Initial HP-UX support (untested) - - Initial AIX support (untested) - - Added iptables binary check - - Added dig check, for DNS related tests - - Added option --no-colors to remove all colors from screen output - - Added option --reverse-colors for optimizing output at light backgrounds - (Konsole, MacOS terminal etc) - - Changes: - - Improved grpck test for SuSE [AUTH-9216] - - Added dig availability check to 
DNS test [NETW-2704] - - Bugfix: Fixed iptables test if the binary is not located in /sbin [FIRE-4512] - - Bugfix: Improved yum-utils check to display suggestions correctly [PKGS-7384] - - Bugfix: Fixed prequisits for grpck test [AUTH-9216] - - Improved MySQL check [DBS-1804] - - Changed color at chkconfig boot services test [BOOT-5177] - - Added missing prequisits output to portaudit test [PKGS-7382] - - Test output for FreeBSD mounts (UFS) improved [FILE-6329] - - Extended OpenLDAP test to avoid finding itself in ps output [LDAP-2219] - - Several tests have their warning reporting improved - - Improved SuSE Linux detection - - Improved syslog-ng detection - - Adjusted README with link to online (extended) documentation - - -- - - * 1.1.6 (2008-06-19) - - New: - - New test: Check writable startup scripts [BOOT-5184] - - New test: Syslog-NG consistency check [LOGG-2134] - - New test: Check yum-utils package and scanning package database [PKGS-7384] - - New test: Test for empty ruleset when iptables is loaded [FIRE-4512] - - New test: Check for expired SSL certificates [CRYP-7902] - - New test: Check for LDAP authentication support [AUTH-9238] - - New test: Read available crontab/cron files [SCHD-7704] - - New test: Query Solaris running zones [VIRT-1902] - - New test: Check availability sudoers file for future tests [AUTH-9250] - - New test: Query all home directories from passwd file [HOME-9302] - - Syslog-NG support added (binary and version check) - - Added new sections: Scheduling, Time and Synchronization, Virtualization - - Changes: - - Extended several tests with suggestions and warnings - - Extended GRUB test with GRUB2 check [BOOT-5121] - - Extended iptables firewall test [FIRE-4511] - - Fixed incorrect variable at Linux kernel config display [KRNL-5728] - - Fixed display for file system test [FILE-6023] - - Reassigned some ID's to match others in category - - Improvement of several logging sections and profile options - - Assigned ID to Ubuntu security 
update check - - Assigned ID to pwck test for Solaris [AUTH-9230] - - Assigned ID to FreeBSD unused distfiles check [PKGS-7348] - - Assigned ID to RPM package query test [PKGS-7308] - - Assigned ID to /tmp sticky bit test [FILE-6362] - - Assigned ID to old temporary files check [FILE-6354] - - Assigned ID to passwd ID 0 test [AUTH-9204] - - Assigned ID to FreeBSD swap partitions [FILE-6332] - - Assigned ID to FreeBSD swap mount options [FILE-6336] - - Assigned ID to nameserver tests [NETW-2704 and NETW-2705] - - Assigned ID to pf consistency check [FIRE-4520] - - Assigned ID to Postfix configuration check [MAIL-8816] - - Assigned ID to Postfix banner check [MAIL-8818] - - Assigned ID to FreeBSD promiscuous port test [NETW-3014] - - Assigned ID to file permissions check [FILE-7524] - - -- - - * 1.1.5 (2008-06-10) - - New: - - Assigned ID to Apache configuration file test [HTTP-6624] - - Added pause_between_tests to profile file, to regulate the speed of a scan - - Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345] - - Assigned ID to Solaris package test [PKG-7306] - - New test: which gathers virtual hosts from Apache configuration files [HTTP-6626] - - New test: read all loaded kernel modules (Linux) [KRNL-5726] - - New test: query available FreeBSD network interfaces [NETW-3004] - - New test: query available IPv4 and IPv6 network addresses [NETW-3008] - - New test: for MAC addresses [NETW-3006] - - New test: check if a Linux kernel configuration file is available [KRNL-5728] - - New test: check boot services for Debian/Ubuntu [BOOT-5180] - - Added Lynx, Nmap, Wget version to log file - - Added support for Oracle enterprise Linux (Unbreakable Linux) - - Added new function ReportWarning for better logging to report file - - Changes: - - Improved FreeBSD pkg_info output, logging output and report data [PKG-7302] - - Changed shell history file test, searching files with maxdepth 1 [HOME-9310] - - Extended iptables test, to check Linux 
kernel configuration file [FIRE-4511] - - Added report warning to promicuous test [NETW-3014] - - Fixed yellow color when being used at text display - - Several logging improvements and cleanups - - -- - - * 1.1.4 (2008-05-31) - - New: - - Added option to disable Lynis upgrade availability test (profile option) - - Added new option --check-update, to display (update) information - - Added stub for malware and file permissions database - - New section 'LDAP Services' - - Support for OpenLDAP added - - Place holders for new tests are added - - Default profile extended - - [FILE-6023] Added test for Linux ext2, ext3, ext4 file systems - - [BOOT-5155] Added check for YABOOT boot loader - - Changes: - - [BANN-7119] Improved MOTD banner check - - Improved Apache tests for SuSE and Debian systems - - Debian/Ubuntu file tests improved - - Extended man page - - -- - - * 1.1.3 (2008-05-21) - - New: - - Added security updates check for Fedora, RHEL 5.x, CentOS 5.x - - Added Linux kernel version check - - Most stable tests have an unique ID now - - Skipped tests have their reason to skip logged - - Added /etc/lynis/plugins to searchable plugin directory targets - - Added Register() function, to handle tests, prerequisites and counter - - Added new crypto tests - - Added profile option "test_skip_always" to blacklist a specific test - - Changes: - - Extended default profile location for FreeBSD - - Extended accounting test to include pacct as well - - Improved tests from categories: shells - - Disabled skel tests - - Several tests log their warnings into the report file now - - Changed Linux default runlevel test - - Extended man page - - Fixes: - - Auditor name didn't get logged properly to report file. 
- - Changed Debian/Ubuntu kernel update test, so it won't be tested on others - - Exim test failed, due to using an incorrect variable name - - -- - - * 1.1.2 (2008-05-11) - - New: - - Added memory test for Solaris (tested on OpenSolaris) - - Password file consistency check for Solaris - - 32/64 bits OS mode check for Solaris - - Added Slackware detection - - Plugin support (see documentation) - - Added monolithic/modular test for Linux kernels - - Changes: - - Improved LILO test and removed double message - - Fixed incorrect message when using --help parameter - - Improved portaudit test (FreeBSD) to show unique packages only - - Updated man page, FAQ, extended documention with plugin information - - Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE) - - ** Special release notes [package/ports]: ** - - Added several default paths to check for usuable an INCLUDE directory. This - should make packaging Lynis easier for downstream package providers. - - When no profile is set, Lynis will check first /etc/lynis/default.prf, - before setting default.prf (in current work directory) as profile to use. 
- - New directory added to be installed for future versions: plugins - - -- - - * 1.1.1 (2008-04-13) - - New: - - Added Solaris package manager (pkginfo) to obtain installed packages - - Added new option to profile to whitelist promiscuous interfaces (if_promisc) - - Added vulnerable packages check for Debian/Ubuntu - - Added package database consistency check for Debian/Ubuntu - - Changes: - - Only perform boot.conf check for OpenBSD when running on i386 - - Changed RemovePIDFile to prevent incorrect file presence check (ie on OpenBSD) - - Better OS detection and display output for Ubuntu systems - - Improved text alignment (display) and logging - - Commented out some of the default profile options - - Updated FAQ, readme, man page - - Bug fixes: - - Added missing space at OS detection function - - Fixed /etc/group tests to ignore commented lines - - Fixed sticky bit checking on /tmp, so it won't give incorrect results on - SuSE/Debian systems - - -- - - * 1.1.0 (2008-04-09) - - New: - - Added test: default gateway (Linux/BSD) - - Added boot tasks to report file (boottask) - - Added vulnerable packages to report file (vulnerable_package) - - Changes: - - Fixed some typos - - Several improvements in log output - - Changed display of operating system version (Linux) - - Fixed PHP check - - -- - - * 1.0.9 (2008-03-24) - - New: - - Added --quiet option (currently not 100% quiet yet) - - Added a spec file to the project page (see web site) - - Added small INSTALL document - - Changes: - - Changed check for PHP (php.ini location) - - Added available shells from /etc/shells to report file - - Updated man page - - Fixed option in main help window for --man option - - Code improvement, splitting up sections to seperated files - - -- - - * 1.0.8 (2008-02-10) - - New: - - Added pf filter rule test - - Added our PID to PID file - - Added warnings, real users, mount points, total tests to report file - - Changes: - - Changed Apache configuration file test - - Changed old 
temporary files check - - Changed test to include ubuntu security repository - - Moved UID check to avoid PID creation as non root user - - Moved most functions to seperated files and several code cleanups - - Improved logging output - - Extended FreeBSD (Copyright file) test - - Changed indentation for many tests - - Changed some typos in notice/warning messages - - -- - - * 1.0.7 (2008-01-28) - - New: - - Test: UFS mount point check (FreeBSD) - - Test: Check swap partitions (FreeBSD) - - Test: find old files in /tmp - - Test: check presence iptables - - Test: check CPU PAE/NX support (Linux) - - Added profile options check - - Added option to skip Debian security repository check (profile option) - - Support for Red Hat and CentOS - - Changes: - - Changed report log location to /var/log instead of current work directory - - Changed --help (and -h) to display general help, instead of man page - - Renamed -man option to --man - - Extended profile file (see default.prf) - - Cleaned up code (rewritten several parts of static code to dynamic - functions) - - Added more comments to the program, for curious auditors, developers and - users. Also regrouped parts of text and cleaned useless white spaces. 
- - General program output improved (spaces, indentation) - - Logging extended - - Updated lynis.spec file (contrib) - - FAQ and README files extended and updated - - Bugfixes: - - Changed postfix banner check (thanks to Henk Bokhoven for reporting) - - Extended skel directory test, with -A (ls) option to check hidden files - (used with most Linux variants) - - Development: - - Added new mirror - - Updated year number in program and support files - - Added new function Display, to use indentation within lines - - Added function RemovePIDFile before some exit routines, to clean up PID file - - Extracted profile support, parameter support to seperated files - - Created file tests_ports_packages for Ports and Packages - - Deleted lynis.spec file, since it was not working and will be rewritten later - - -- - - * 1.0.6 (2007-12-26) - - New: - - Added Solaris real users test - - Added hostname check - - Changes: - - Added chkconfig binary test and changed related services test - - Added 'xargs' to version checks, to replace unwanted chars - - Added more breaks to log file. 
- - Added sorting to rpm/dpkg listings - - FAQ extended - - -- - - * 1.0.5 (2007-12-02) - - New: - - Test: unique group names - - Test: unique group IDs - - Added check for rpm, chkrootkit and rkhunter binary - - Added function to cleanup at manual interrupt (INT) - - Support added to run Lynis as cronjob (--cronjob) - - Fedora support added - - Added umask 027, to tighten up file permissions - - Changes: - - Changed FreeBSD ttys test - - Changed grpck test, to operate in read-only mode - - Changed Postfix test, to check for mail_name value as well - - Changed GPL line in script which said GPL v2 - - Extended README - - Show latest update version, if available, at the end of the screen output - - Lots of code cleanup (see Development) - - Some log improvements - - Changed date notation in changelog to preferred European format (with dots - instead of slashes) - - Development: - - New function (ShowResult) to avoid repeating the same result line - within the script for standard status values - - Moved program consts to file (include/consts) - - Moved functions to file (include/functions) - - Moved OS detection to file (include/osdetection) - - Added NEVERBREAK to avoid user input (cronjob support) - - -- - - * 1.0.4 (2007-11-27) - - New: - - Test: query real system users (FreeBSD/Linux) - - Added PID file usage, to warn for unclean program states. 
- - Added SSHd version test - - Changes: - - Updated documentation - - Changed sticky bit test (/tmp), to skip symlinks - - Changed /etc/motd test, to skip symlinks - - More code cleanup - - Logging extended and improved - - Screen output slightly changed - - -- - - * 1.0.3 (2007-11-19) - - New: - - Added check for sockstat - - Test: added test for GRUB and password option - - Test: query listening ports (sockstat) - - Changes: - - Fixed NTPd check (bug) - - Extended help for 'double installed package' check (BSD systems, pkg_info) - - Extended Debian kernel update check - - Improved OpenBSD support - - Improved Linux specific detection support (Cobalt, CPU Builders, Debian, - E-Smith, Slackware, SuSE/OpenSuSE, Turbo Linux, Yellowdog and others) - - Improved screen output - - Extended logging, with status/impact flags - - [Bugfix] chkconfig test improved - - [Bugfix] Fixed sticky bit test at Debian - - Extended documentation and changelog file - - -- - - * 1.0.2 (2007-11-15) - - New: - - Test: Added check for NTP daemon or client - - Test: file permissions (profile option) - - Added -Q (--quick) parameter, to run the program without needing user - input after every few sections. 
- - Changes: - - Extended documentation (README file) and performed spell check - - Improved screen output (colors, parameter handling and display) - - Cleaned up source code and fixed some bad typos - - Added much more delimiter lines to logfile - - Added version numbers to logfile for used binaries/tools - - Updated list of parameters within Lynis help - - -- - - * 1.0.1 (2007-11-12) - - New: - - Test: check Exim configuration file location - - Test: added memory check (/proc/meminfo) - - Test: run grpck to check group files (if available) - - Test: boot option check for OpenBSD boot loader - - Test: check if pf (Software: firewall) is active - - Test: check LILO password - - Test: check presence of old distfiles (FreeBSD) - - Added check for binaries: httpd, kldstat, openssl, (s)locate - - Added version check for: exim, openssl - - Added -V (--version) parameter, to show version number - - Added breaks between tests - - Changes: - - [bug] Changed skel directory check - - Fixed display Apache configuration file - - -- - - * 1.0.0 (2007-11-08) - - New: - - Support for CentOS (Tested: 5 Final) - - Support for Debian (Tested: 4.0) - - Support for FreeBSD (Tested: 6.2) - - Support for Mac OS X (Tested: 10.4) - - Test: Apache (ServerTokens option) - - Test: PHP (expose_php option) - - Test: Postfix (smtpd_banner option) - - Test: check valid shells - - Test: query pkg_info/RPM based systems - - Test: query pkg_info for double installed packages - - Test: query chkprintcap (FreeBSD) - - Test: scan binary directories - - Test: check administrator accounts - - Test: check permissions /etc/motd - - Test: read nameservers from /etc/resolv.conf - - Test: query nameservers and test connectivity - - Test: check promiscuous interfaces (FreeBSD) - - Test: check sticky bit on /tmp directory - - Test: check debian.org security brance in /etc/apt/sources.list - - Test: check kernel update on Debian - - Test: query default Linux run level - - Test: query chkconfig to see which 
services start at boot - - Test /etc/COPYRIGHT banner check for FreeBSD - - Support for program parameters - - Builtin integrity checks - - Color enhanced output for readability - - Support for profiles/templates - - Report file creation (for reporting/monitoring) - - Extended logfile creation (with system suggestions) - - Added lynis.spec file for RPM creation - - Created project page at website - - Added documentation (README), ToDo list (TODO) - - Man page lynis(8) - - Changes: - - No changes - - Bugfixes: - - No bugfixes - - -========================================================================================== - Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com |
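Review bot: several test IDs in the removed entries are malformed and should be corrected in the markdown file that replaces this one, not carried over verbatim: "PROC3614" (no hyphen) in the Solaris fixes list, and "[BOOT_5184]" and "AUTH-9238]" (underscore, missing opening bracket) in the 1.1.8 entry. Anyone searching the changelog for an ID in the bracketed form that the rest of the file uses will miss those lines. The same pass could fix the spelling slips visible here ("lograte", "prequisits", "seperated", "brance", "promicuous"). Since this hunk only deletes, it is also worth confirming that the replacement file holds the full history down to the 1.0.0 (2007-11-08) entry, so that no release notes are lost in the conversion.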