SLFO-pool/lynis
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
lynis/lynis.changes

1041 lines
42 KiB
Plaintext
Raw Permalink Blame History

-------------------------------------------------------------------
Tue Jan 28 12:22:48 UTC 2025 - Robert Frohl <rfrohl@suse.com>
- Update to 3.1.4:
* Changed
- Update of translations: Portuguese
- Add macOS Sequoia
- Update of EOL database
- Bugfix for using slashes in parameters (SafeInput function)
- Simplified copyright line and meta data in files
- Support for powerpc64le in authentication section
- Don't show error "kadmin.local: unable to get default realm"
-------------------------------------------------------------------
Mon Dec 16 10:16:18 UTC 2024 - Robert Frohl <rfrohl@suse.com>
- Update to 3.1.3:
* Added
- Detection of Buildroot, Fedora Linux Asahi Remix, Garden Linux, Peppermint OS
- Support for blog posts and articles to enhance suggestions
* Changed
- BOOT-5264 - Changed output of systemd-analyze test and added link
- FILE-6398 - Test temporarily disabled as on modern kernels JDB support is built-in
- FIRE-4508 - Several changes to expand the test, make it more generic, resolve minor issues
- KRNL-5622 - Test if systemctl binary is set
- Several improvements for busybox
- Update of translations: Italian, Russian, Spanish
-------------------------------------------------------------------
Thu Sep 26 15:14:10 UTC 2024 - Robert Frohl <rfrohl@suse.com>
- Update to 3.1.2:
* Added
- Detection of ALT Linux
- Detection of Athena OS
- Detection of Container-Optimized OS from Google
- Detection of Koozali SME Server
- Detection of Nobara Linux
- Detection of Open Source Media Center (OSMC)
- Detection of PostmarketOS
- CRYP-7932 - macOS FileVault encryption test
- FILE-6398 - Check if JBD (Journal Block Device) driver is loaded
- FINT-4344 - Wazuh system running state
- PKGS-7305 - Query macOS Apps in /Applications and CoreServices
- File added: .editorconfig, which is used by editors to standardize formatting
* Changed
- Correction of software EOL database and inclusion of AIX entries
- Support sysctl value perf_event_paranoid -> 2|3
- Update of translations: German, Portuguest, Turkish
- Grammar and spell improvements
- Improved package detection on Alpine Linux
- Slackware support to check installed packges (functionPackageIsInstalled())
- Added words prosecute/report to LEGAL_BANNER_STRINGS
- Busybox support: Replace newer tr command syntax with older ascii specific operations
- Added Wazuh as a malware scanner/antivirus and rootkit detection tool
- Updated PHP versions and removed PHP 5 (deprecated)
- AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc)
- CONT-8104 - Checking for errors, not only warning in docker info output
- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD
- FILE-6344 - Test kernel version (major/minor)
- INSE-8000 - Added inetd package and service name used in ubuntu 24.04
- KRNL-5622 - Use systemctl get-default instead of following link
- KRNL-5820 - Accept ulimit with -H parameter also
- LOGG-2144 - Check for wazuh-agent presence on Linux systems
- MACF-6234 - Test if semanage binary is available
- MALW-3200 - ESET Endpoint Antivirus added
- MALW-3280 - McAfee Antivirus for Linux deprecated
- MALW-3291 - Check if Microsoft Defender Antivirus is installe
- NETW-3200 - Added regex to allow both /bin/true as /bin/false
- PKGS-7303 - Added version numbers to brew packages
- PKGS-7370 - Cron job check for debsums improved
- PKGS-7392 - Improved filtering of apt-check output (Ubuntu 24.04 may give an error)
- PKGS-7410 - Added kernel name for Hardkernel odroid XU4
- update additional_module_blacklist_locations.patch
-------------------------------------------------------------------
Sun Mar 17 11:15:28 UTC 2024 - Robert Frohl <rfrohl@suse.com>
- Update to 3.1.1:
* Added
- Detection of ArcoLinux
* Changed
- DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf)
- DBS-1882 - Check /snap directory location for Redis configuration file
-------------------------------------------------------------------
Mon Mar 11 10:21:40 UTC 2024 - Robert Frohl <rfrohl@suse.com>
- Update to 3.1.0:
* Added
- Translation: Indonesian
* Changed
- MALW-3280 - Correction to detect com.avast.daemon
- OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP
LSDK, OpenEmbedded "nodistro", and The Yocto Projects distro "Poky"
- Updated Amazon Linux EOL dates and addition of Amazon Linux 2023
- STATUS_NOT_ACTIVE variable added to translation files
- End-of-life dates updated
- Fixing missing or erroneous test number comments
- Detection of SentinelOne corrected
- Wazuh for file integrity and tooling
- Updated parsing output of arch-audit
- Added support for SentinelOne detection
- Replacing deprecated option -i for xargs
- Path detection for PostgreSQL improved
- Updated additional_module_blacklist_locations.patch
-------------------------------------------------------------------
Fri Mar 1 11:34:54 UTC 2024 - pgajdos@suse.com
- Use %patch -P N instead of deprecated %patchN.
-------------------------------------------------------------------
Sun Nov 12 09:54:02 UTC 2023 - Dirk Müller <dmueller@suse.com>
- add missing gawk dependency
-------------------------------------------------------------------
Thu Aug 3 12:56:11 UTC 2023 - Robert Frohl <rfrohl@suse.com>
- Update to 3.0.9:
* Changed
- DBS-1820 - Added newer style format for Mongo authorization setting
- FILE-6410 - Locations added for plocate
- SSH-7408 - Only test Compression if sshd version < 7.4
- Improved fetching timestamp
- Minor changes such as typos
-------------------------------------------------------------------
Tue May 17 14:00:34 UTC 2022 - Robert Frohl <rfrohl@suse.com>
- Update to 3.0.8:
* Added
- MALW-3274 - Detect McAfee VirusScan Command Line Scanner
- PKGS-7346 Check Alpine Package Keeper (apk)
- PKGS-7395 Check Alpine upgradeable packages
- EOL for Alpine Linux 3.14 and 3.15
* Changed
- AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
- FILE-7524 - Test enhanced to support symlinks
- HTTP-6643 - Support ModSecurity version 2 and 3
- KRNL-5788 - Only run relevant tests and improved logging
- KRNL-5820 - Additional path for security/limits.conf
- KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
- KRNL-5830 - Add a presence check for /boot/vmlinuz
- PRNT-2308 - Bugfix that prevented test from storing values correctly
- Extended location of PAM files for AARCH64
- Some messages in log improved
- accepted upstream, removed additional_paths_security-limits.patch
-------------------------------------------------------------------
Fri Feb 4 10:08:03 UTC 2022 - Robert Frohl <rfrohl@suse.com>
- cover /usr/etc/security/limits.conf too (boo#1194446)
added additional_paths_security-limits.patch
-------------------------------------------------------------------
Tue Jan 18 13:29:42 UTC 2022 - Robert Frohl <rfrohl@suse.com>
- Update to 3.0.7:
* Added
- MALW-3290 - Show status of malware components
- OS detection for RHEL 6 and Funtoo Linux
- Added service manager openrc
* Changed
- DBS-1804 - Added alias for MariaDB
- FINT-4316 - Support for newer Ubuntu versions
- MALW-3280 - Added Trend Micro malware agent
- NETW-3200 - Allow unknown number of spaces in modprobe blacklists
- PKGS-7320 - Support for Garuda Linux and arch-audit
- Several improvements for busybox shell
- Russian translation of Lynis extended
- replace 0x429A566FD5B79251 with 0x9DE922F1C2FDE6C4 in lynis.keyring
according to https://packages.cisofy.com/
- update additional_module_blacklist_locations.patch
-------------------------------------------------------------------
Wed Oct 13 14:35:34 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Add additional_module_blacklist_locations.patch to check fo blacklisted
modules under /usr/lib/modules.d
-------------------------------------------------------------------
Mon Oct 11 06:45:59 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>
- Update to 3.0.6:
* Added
- OS detection: Artix Linux, macOS Monterey, NethServer, openSUSE MicroOS
- Check for outdated translation files
* Changed
- DBS-1826 - Check if PostgreSQL is being used
- DBS-1828 - Test multiple PostgreSQL configuration file(s)
- KRNL-5830 - Sort kernels by version instead of modification date
- PKGS-7410 - Don't show exception for systems using LXC
- GetHostID function: fallback options added for Linux systems
- Fix: show correct text when egrep is missing
- Fix: variable name for PostgreSQL
-------------------------------------------------------------------
Thu Sep 16 08:59:23 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Changed tests_binary_rpath to subtract points for files found with RPATH set,
not add points for files that are configured correctly. This resulted in a
huge number of points that skewed the overal result
-------------------------------------------------------------------
Sat Jul 3 11:54:47 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
- fix SLE 12 build
-------------------------------------------------------------------
Fri Jul 2 12:56:40 UTC 2021 - Robert Frohl <rfrohl@suse.com>
- Update to 3.0.5
* Added
- OS detection of Arch Linux 32, BunsenLabs Linux, and Rocky Linux
- CRYP-8006 - Check MemoryOverwriteRequest bit to protect against cold-boot
attacks (Linux)
* Changed
- ACCT-9622 - Corrected typo
- HRDN-7231 - When calling wc, use the short -l flag instead of --lines
(Busybox compatibility)
- PKGS-7320 - extended to Arch Linux 32
- Generation of host identifiers (hostid/hostid2) extended
- Linux host identifiers are now using ip as preferred input source
- Improved logging in several areas
-------------------------------------------------------------------
Tue May 11 12:43:28 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Update to 3.0.4
* Added
- ACCT-9670 - Detection of cmd tooling
- ACCT-9672 - Test cmd configuration file
- BOOT-5140 - Check for ELILO boot loader presence
- OS detection of AlmaLinux, Garuda Linux, Manjaro (ARM), and others
* Changed
- BOOT-5104 - Add service manager detection support for runit
- FILE-6430 - Report suggestion only when at least one kernel module is not in the blacklist
- FIRE-4540 - Corrected nftables empy ruleset test
- LOGG-2138 - Do not check for klogd when metalog is being used
- TIME-3185 - Improved support for Debian stretch
- Corrected issue when Lynis is not executed directly from lynis directory
-------------------------------------------------------------------
Thu Jan 7 16:38:00 UTC 2021 - Alexandros Toptsoglou <atoptsoglou@suse.com>
- Update to 3.0.3
* Added
- Check for registered non-native binary formats
- OS detection of Parrot GNU/Linux
* Changed
- Force test to check only password authentication
- Support for NetBSD
* Fixed: command 'configure settings' did not work as intended
-------------------------------------------------------------------
Mon Jan 4 09:13:29 UTC 2021 - Robert Frohl <rfrohl@suse.com>
- Update to 3.0.2
* Added
- Scan for locked user accounts in /etc/passwd
- Loghost configuration
- Check for active Suricata daemon
- OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS
- OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others
- EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11
- Support for Solaris svcs (service manager)
- Enumeration of Solaris services
* Changed
- Detect sysstat systemd unit
- Only fail if both SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are undefined
- Support for Solaris
- Improved reboot test by ignoring known bad values
- Ignore rescue kernel such as on CentOS systems
- Detection of Alpine Linux kernel
- Compatibility change for hostname check
- Support for Solaris
- Don't show exception if no kernels were found on the disk
- Supports now checking files at multiple locations (systemd)
- ParseNginx function: Support include on absolute paths
- ParseNginx function: Ignore empty included wildcards
- Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
- HostID: Use first e1000 interface and break after match
- Translations extended and updated
- Test if pgrep exists before using it
- Better support for busybox shell
- Small code enhancements
-------------------------------------------------------------------
Fri Nov 13 09:42:44 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
- Add a Requires for net-tools-deprecated, as legacy binary binaries
are still used by some of the custom lynis tests we ship. Later on
I'll port them to use current binaries and remove this again
-------------------------------------------------------------------
Mon Oct 5 13:50:24 UTC 2020 - Robert Frohl <rfrohl@suse.com>
- Update to 3.0.1
* Added
- Detection of Alpine Linux
- Detection of CloudLinux
- Detection of Kali Linux
- Detection of Linux Mint
- Detection of macOS Big Sur (11.0)
- Detection of Pop!_OS
- Detection of PHP 7.4
- Malware detection tool: Microsoft Defender ATP
- New flag: --slow-warning to allow tests more time before showing a warning
- Test TIME-3185 to check systemd-timesyncd synchronized time
- rsh host file permissions
* Changed
- Added option for LOCKED accounts and bugfix for older bash versions
- Presence check for grub.d added
- Added support for certificates in DER format
- Added data to report
- Redirect errors (e.g. when swap is not encrypted)
- Don't grep nonexistant modprobe.d files
- Set initial firewall state
- Corrected text on screen
- Handle zipped kernel configuration correctly
- Improved version detection for non-symlinked kernel
- Extended detection of BitDefender
- Find more time synchronization commands
- Corrected detection of time peers
- Fix: hostid generation routine would sometimes show too short IDs
- Fix: language detection
- Generic improvements for macOS
- German translation updated
- End-of-life database updated
-------------------------------------------------------------------
Thu Jun 18 12:17:36 UTC 2020 - Robert Frohl <rfrohl@suse.com>
- Update to 3.0.0
* Security issues
- CVE-2020-13882: incorrect Access Control because of a TOCTOU race condition (boo#1173141).
- CVE-2019-13033: local disclosure of license key when data is uploaded (boo#1173142).
* Breaking change: Non-interactive by default
- Lynis now runs non-interactive by default, to be more in line with the Unix
philosophy. So the previously used '--quick' option is now default, and the tool
will only wait when using the '--wait' option.
* Breaking change: Deprecated options
- Option: -c
- Option: --check-update/--info
- Option: --dump-options
- Option: --license-key
* Breaking change: Profile options
- The format of all profile options are converted (from key:value to key=value).
You may have to update the changes you made in your custom.prf.
* Security
- An important focus area for this release is on security. We added several
measures to further tighten any possible misuse.
* New: DevOps, Forensics, and pentesting mode
- This release adds initial support to allow defining a specialized type of audit
Using the relevant options, the scan will change base on the intended goal.
- Further features, bug fixes and details about the release listed in
https://raw.githubusercontent.com/CISOfy/lynis/3.0.0/CHANGELOG.md
-------------------------------------------------------------------
Tue Jun 25 07:32:29 UTC 2019 - Robert Frohl <rfrohl@suse.com>
- Update to 2.7.5
Added:
* Danish translation
* Slackware end-of-life information
* Detect BSD-style (rc.d) init in Linux systems
* Detection of Bro and Suricata (IDS)
Changed:
* Corrected end-of-life entries for CentOS 5 and 6
* Change name to check in /etc/passwd file for QNAP devices
* AIX enhancement to use correct find statement
* Filter on correct field for AIX
* Set ss command as preferred option for Linux and changed output format
* List of PHP ini file locations has been extended
* Removed several pieces of the code as part of cleanup and code health
* Extended help
-------------------------------------------------------------------
Mon Jun 3 11:20:11 UTC 2019 - Tuukka Pasanen <tuukka.pasanen@ilmi.fi>
- Add more false-positive packages to Dbus database: tuned, autofs, lightdm, geoglue2, snapper and ModemManager
-------------------------------------------------------------------
Wed May 29 11:47:34 UTC 2019 - Tuukka Pasanen <tuukka.pasanen@ilmi.fi>
- Add these common false-positive packages to Dbus database whitelist: FirewallD, SystemD and Wicked
-------------------------------------------------------------------
Tue Apr 23 07:24:21 UTC 2019 - Robert Frohl <rfrohl@suse.com>
- Update to 2.7.4
Added
* FILE-6324 - Discover XFS mount points
* INSE-8000 - Installed inetd package
* INSE-8100 - Installed xinetd package
* INSE-8102 - Status of xinet daemon
* INSE-8104 - xinetd configuration file
* INSE-8106 - xinetd configuration for inactive daemon
* INSE-8200 - Usage of TCP wrappers
* INSE-8300 - Presence of rsh client
* INSE-8302 - Presence of rsh server
* Detect equery binary detection
* New 'generate' command
Changed
* AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
* PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
* PKGS-7420 - Detect toolkit to automatically download and apply upgrades
* PKGS-7328 - Added global Zypper option --non-interactive
* PKGS-7386 - Only show warning when vulnerable packages were discovered
* PKGS-7392 - Skip test for Zypper-based systems
* Minor changes to improve text output, test descriptions, and logging
* Changed CentOS identifiers in end-of-life database
* AIX enhancement for IsRunning function
* Extended PackageIsInstalled function
* Improve text output on AIX systems
* Corrected lsvg binary detection
-------------------------------------------------------------------
Thu Mar 21 12:11:32 UTC 2019 - Robert Frohl <rfrohl@suse.com>
- update to 2.7.3
Added
* Detection for Lynis being scheduled (e.g. cronjob)
Changed
* HTTP-6624 - Improved logging for test
* KRNL-5820 - Changed color for default fs.suid_dumpable value
* LOGG-2154 - Adjusted test to search in configuration file correctly
* NETW-3015 - Added support for ip binary
* SQD-3610 - Description of test changed
* SQD-3613 - Corrected description in code
* SSH-7408 - Increased values for MaxAuthRetries
* Improvements to allow tailored tool tips in future
* Corrected detection of blkid binary
* Minor textual changes and cleanups
-------------------------------------------------------------------
Thu Mar 7 11:54:18 UTC 2019 - Robert Frohl <rfrohl@suse.com>
- update to 2.7.2
* Added support for doas (OpenBSD)
* Added test file permissions of doas configuration
* Added support for systemd-boot boot loader
* Added simplify service filter and allow multiple dots in service names
* Added check OpenBSD boot daemons
* Added test permissions for boot files and scripts
* Added support for end-of-life detection of the operating system
* Added new 'lynis show eol' command
* Multiple changes and improvements
-------------------------------------------------------------------
Fri Feb 1 10:28:13 UTC 2019 - Robert Frohl <rfrohl@suse.com>
- update to 2.7.1
* Improve support for Red Hat and clones
* Additional support for Hands Off!, LuLu, and Radio Silence
* Added MariaDB filter for deleted files (tested on CentOS)
* Added /etc/bash.bashrc.local to umask check
* Removed shift statement that did not work on all operating systems
* Minor cleanups and enhancements
* Small improvements to logging
* Added translation for Slovak
-------------------------------------------------------------------
Sat Oct 27 02:36:44 UTC 2018 - sean@suspend.net
- update to 2.7.0
* added detection of TOMOYO binary (MACF-6240)
* Status of TOMOYO framework updated (MACF-6242)
* OpenSSH server version detected (SSH-7406)
* Check active OSSEC analysis daemon (TOOL-5160)
* Changed several warning labels on screen
* More generic sulogin for systemd rescue (AUTH-9308)
* OS detection now ignores quotes for getting the OS ID
-------------------------------------------------------------------
Tue Oct 9 08:20:47 UTC 2018 - Robert Frohl <rfrohl@suse.com>
- update to 2.6.9
* Man page has been updated
* Command 'lynis show options' provides up-to-date list
* Option '--dump-options' is deprecated
* Several options and commands have been extended with more examples
* OS detection now supports openSUSE specific distribution names
* Changed command output when using 'lynis audit system remote'
* added /usr/local/redis/etc path and QNAP support
* ignore exception when no vmlinuz file was discovered
-------------------------------------------------------------------
Thu Sep 20 13:04:11 UTC 2018 - astieger@suse.com
- update to 2.6.8:
* improved parsing of boot parameters to init process
* test all PHP files for expose_php and improved logging
* Docker check now tests also for CMD, ENTRYPOINT, and USER configuration
* Improved display in Docker output for showing which keys are used for signing
- includes changes from 2.6.7:
* Added busybox as a service manager
* Limit PAE and no-execute test to AMD64 hardware only
* Ignore /dev/zero and /dev/[aio] as deleted files
* Changed classification of SSH root login with keys
* Docker scan uses new format for maintainer value
- includes chagnes from 2.6.6:
* Improved log text about running kernel version
* Under some condition no hostid2 value was reported
* Solved 'extra operand' issue with tr command
-------------------------------------------------------------------
Wed Jun 27 08:42:31 UTC 2018 - astieger@suse.com
- update to 2.6.5:
* mail: Exim configuration test
* network: Use FQDN to test status of a nameserver instead of own IP address
* ssh: Improved test to allow configurations with a Match block
- includes changes from 2.6.4:
* auth: Made 'sulogin' more generic for systemd rescue shell
* dns: Initial work on DNSSEC validation testing
* network: Added support for local resolver 127.0.0.53
* php: Suhosin test disbled
* ssh: Removed 'DELAYED' from OpenSSH Compression setting
* time: Improvements to detect step-tickers file and entries
- includes changes from 2.6.3:
* crypt: Do prevalidation for certificates before testing them
* hardening: Enhanced compiler permission test
* name: Improved test to filter out empty lines
* packages: changes to detect yum-utils package and related tooling
* plugins: cron file permissions
- includes changes from 2.6.2:
* Textual changes for several tests
* Update of tests database
-------------------------------------------------------------------
Fri Jan 26 17:00:07 UTC 2018 - astieger@suse.com
- update to 2.6.1:
* New group 'usb' for tests related to USB devices
* Updated and enhanced tests
* Many bug fixes
* output and UI fixes
-------------------------------------------------------------------
Thu Jun 8 19:36:22 UTC 2017 - astieger@suse.com
- Lynis 2.5.1:
* Improved detection of SSL certificate files
* Minor changes to improve logging and results
* Firewall tests: Determine if CSF is in testing mode
- includes changes from Lynis 2.5.0:
* CVE-2017-8108: symlink attack may have allowed arbitrary file
overwrite or privilege escalation (bsc#1043463)
* Deleted unused tests from database file
* Additional sysctls are tested
* Extended test with Symantec components
* Snort detection
* Snort configuration file
-------------------------------------------------------------------
Tue Apr 4 09:35:48 UTC 2017 - tuukka.pasanen@ilmi.fi
- Lynis 2.4.8 (Changelog from 2.4.1)
* More PHP paths added
* Minor changes to text
* Show atomic test in report
* Added FileInstalledByPackage function (dpkg and rpm supported)
* Mark Arch Linux version as rolling release (instead of unknown)
* Support for Manjaro Linux
* Escape files when testing if they are readable
* Code cleanups
* Allow host alias to be specified in profile
* Code readability enhancements
* Solaris support has been improved
* Fix for upload function to be used from profile
* Reduce screen output for mail section, unless --verbose is used
* Code cleanups and removed 'update release' command
* Colored output can now be tuned with profile (colors=yes/no)
* Allow data upload to be set as a profile option
* Properly detect SSH daemon version
* Generic code improvements
* Improved the update check and display
* Finish, Portuguese, and Turkish translation
* Extended support and tests for DragonFlyBSD
* Option to configure hostid and hostid2 in profile
* Support for Trend Micro and Cylance (macOS)
* Remove comments at end of nginx configuration
* Used machine ID to create host ID when no SSH keys are available
* Added detection of iptables-save to binaries
Tests:
BANN-7126 - Added more words to test for
CUPS-2308 - Improve logging for CUPS configuration test, removed exception handler
HTTP-6641 - Support detection for Apache module mod_reqtimeout
PKGS-7388 - Minor change to detect security repositories
CRYP-7902 - Test more certificates names, but only if they are not part of a package
FILE-7524 - Reduce standard screen output for file permissions check
MALW-3280 - Added Avira detection as a malware scanner
NAME-4018 - Only perform name services test when resolv.conf file exists
PKGS-7387 - Check all repositories if they use GPG signing
SCHD-7704 - Permission checks
TIME-3104 - Check permissions before open files
AUTH-9328 - Add missing 0027 and 0077 umasks
BOOT-5104 - Add initsplash and minor code enhancements
DBS-1882 - Include Redis configuration file
FIRE-4502 - Improved detection for iptables modules when using OpenVZ
PKGS-7381 - Enhanced package audit for FreeBSD
AUTH-9308 - Improved test for sulogin string (Debian systems)
FILE-6372 - Properly deal with comment on lines in /etc/fstab
MAIL-8817 - New test to check Postfix configuration for errors
SSH-7408 - Corrected SSH check
AUTH-9308 - Improved test for sulogin string
MAIL-8818 - Test if Linux version is known before comparing in Postfix banner
TIME-3116 - Skip stratum 16 items for time pools
TIME-3148 - New test to detect TZ variable
AUTH-9208 - Removed double logging
AUTH-9222 - Improve logging for double groups
AUTH-9226 - Improve logging for double groups
BOOT-5177 - Sort systemctl unit files to make them unique
DBS-1818 - New test to detect MongoDB
DBS-1820 - New test for MongoDB authentication
FIRE-4512 - Lowered minimum number of iptables firewall rules
FIRE-4586 - Fix applied when searching for "-j LOG"
HRDN-7222 - Changed reporting key of world executable compilers
SSH-7408 - Added filtering for PermitRootLogin (prohibit-password, OpenSSH 7.0)
FIRE-4586 - Check logging for firewall components
KRNL-5788 - Remove exception and style improvements
KRNL-5830 - Improved logging
-------------------------------------------------------------------
Fri Nov 4 13:41:25 UTC 2016 - matthias.gerstner@suse.com
- lynis 2.4.0
* Mainly improved support for macOS users
* Support for CoreOS
* Support for clamconf utility
* Support for chinese translation
* More sysctl values in the default profile
* New commands: "upload-only", "show hostids", "show environment", "show os"
-------------------------------------------------------------------
Wed Sep 28 11:45:44 UTC 2016 - astieger@suse.com
- lynis 2.3.4 with various improvements, including:
* Several tests have extended log details
* Detection of nftables improved
* Replaced cut, sed, tr and others commands with binary variable
(for forensics and future intrusion checking capabilities)
* OS detection improved
-------------------------------------------------------------------
Thu Sep 15 14:44:27 UTC 2016 - astieger@suse.com
- lynis 2.3.3 with many improvements and updates
-------------------------------------------------------------------
Thu May 12 08:32:25 UTC 2016 - astieger@suse.com
- lynis 2.2.0:
* new features and tests, small enhancements
* optimisation, better detection
* dealing with OS quirks and unexcepted results
* adjustments for supporting more compliance in-depth
* Detection for CFEngine has been improved
* now tries to determine if failed logins are properly logged
* New plugin is introduced to analyze PAM settings
* Initial support to test UEFI settings, including Secure Boot option.
* Support added for Unbound DNS caching tool, configuration check
* Record if a name caching utility is being used like nscd or Unbound.
* Tests chains of iptables and their default policy (ACCEPT or DROP)
* Support upcoming nftables technology (status check)
* Test added to include osqueryd as a supported tool.
* Detection of firewire is enhanced (both ohci and core detected).
* Extended the test syslog-ng logging to remote systems.
* ESET and LMD (Linux Malware Detect) have been added.
* Discovered malware scanners are also logged to the report.
* Eexpanded test for multiple common mount points and define best
practice mount flags.
* Best practices for IPv6 configuration on Linux are now collected.
* Collect network interface names from most operating systems.
* Password change test has been extended to both capture minimum and password age.
* Add Proxu support
* SystemV init is now detected.
* Now information will be logged when vulnerable software packages were found.
* Support for DNF (Dandified YUM) for Fedora systems has been added.
* Multiple configuration tests of SSH merged.
* Extend detection of virtual machines (VMware tools)
* Machine state detection with Puppet, Facter, dmidecode, and lscpu
* When using pentest mode, it will continue without any delays (=quick mode).
* Improvements for automatic execution of Lynis
* Upload improvements
-------------------------------------------------------------------
Wed Jul 29 11:05:22 UTC 2015 - astieger@suse.com
- lynis 2.1.1:
* performance improvements
* additional support for Linux distributions and external utilities
* Apache module directory /usr/lib64/apache has been added, which
is used on openSUSE.
* various other improvements and bug fixes
- update patches for contect changes:
lynis_1.3.1_include_consts.diff, lynis_1.3.5_lynis.diff
-------------------------------------------------------------------
Tue May 12 15:19:07 UTC 2015 - astieger@suse.com
- lynis 2.1.0:
* Screen output has been improved to provide additional information.
* Core dump check on Linux is extended to check for actual values as well.
* Software:
+ McAfee detection has been extended by detecting a running cma binary.
+ Security patch checking with zypper extended.
* Session timeout:
+ Tests to determine shell time out setting have been extended
+ determine also if variable is exported as a readonly variable.
+ Related compliance section PCI DSS 8.1.8 has been extended.
- includes changes from Lynis 2.0.0:
* New feature: helpers
* docker build file audit helper
* Improved OS support
* support systemd, docker, nftables
* New parameters:
+ --dump-options (see all options)
+ --report-file (define a different location for the report file)
- use tarball supplied default.prf
- clean or silence rpmlint warnings
-------------------------------------------------------------------
Tue Feb 17 12:32:20 UTC 2015 - astieger@suse.com
- lynis 1.6.4:
* New:
+ Boot loader detection for AIX
+ Detection of getcap and lsvg binary
+ Added filesystem_ext to report
+ Detect rootsh
* Changes:
+ Hide errors when RPM database is faulty and show suggestion instead
+ Allow OpenBSD to gather information on listening network ports
+ Don't trigger warning for Shellshock when doing segfault test
+ Do not run Apache test on OpenBSD and strip control chars
+ Extended AIDE test with configuration validation test
+ Improved Shellshock test regarding non-Linux support
+ Added support for gathering volume groups on AIX
+ Properly parse PAM lines and add them to report
+ Support for boot loader detection on OpenBSD
+ Added uptime detection for OpenBSD systems
+ Support for volume groups on AIX
+ Redirect errors when searching for readlink binary
- includes changes from 1.6.3:
* New:
+ Added tests for Shellshock bash vulnerability
+ Added test to determine if Snoopy is used
+ New test for qdaemon configuration file
+ Test for GRUB boot loader password
+ New test for qdaemon printer jobs
+ Added ClamXav test for Mac OS X
+ Gentoo vulnerable packages test
+ New test for qdaemon status
+ Gentoo package listing
+ Running Lynis without root permissions will start non-privileged scan
+ Systemd service and timer example file added
+ Added grub2-install to binaries
* Changes:
+ Adjustments so insecure SSL protocols are detected in nginx config
+ Directories will be skipped when searching for nginx log files
+ Only gather unique name servers from /etc/resolv.conf
+ Properly detect mod_evasive on Gentoo and others
+ Improved swap partition detection in /etc/fstab
+ Improvements to kernel detection (e.g. Gentoo)
+ Test for built-in security options in YUM
+ Improved boot loader detection for GRUB2
+ Split GRUB test into two tests
+ Added Mac OS uptime check
+ Improved GetHostID function for systems having only ip binary
+ Improved testing for symlinked binary directories
+ Minor adjustments to log output
+ Renamed dev directory to extras
- verify source signature
- adjust permissions of items in /usr/share/lynis/include/consts
to match those requested by main executable
- run spec_cleaner
-------------------------------------------------------------------
Sun Nov 16 00:39:00 UTC 2014 - Led <ledest@gmail.com>
- fix bashisms in scripts
-------------------------------------------------------------------
Wed Sep 24 16:36:21 UTC 2014 - citypw@gmail.com
- Upgrade to version 1.6.2
- Remove files:
* lynis_1.3.7_include-test-filesystem.diff( already fixed)
* lynis-1.3.9.tar.gz
-------------------------------------------------------------------
Thu Jan 9 18:45:44 UTC 2014 - saigkill@opensuse.org
- updated to version 1.3.9
- removed patch
* lynis_1.3.6_include-test-kernel.diff (fixed upstream)
-------------------------------------------------------------------
Wed Dec 11 20:14:06 UTC 2013 - saigkill@opensuse.org
- updated to version 1.3.7
- Changelog:
* FileExists() and SearchItem() functions were added. The yum-security
check and iptables binary check were improved, and the report was
extended to show which tests have been executed or skipped
- updated patch
* lynis_1.3.7_include-test-filesystem.diff
-------------------------------------------------------------------
Tue Dec 10 18:46:14 UTC 2013 - saigkill@opensuse.org
- updated to version 1.3.6
- Removed patches (obsolete):
* lynis_1.3.5_include_binaries.diff
- Updated patches
* lynis_1.3.6_include_osdetection.diff
* lynis_1.3.6_include-test-kernel.diff
-------------------------------------------------------------------
Sun Nov 24 14:29:06 UTC 2013 - saigkill@opensuse.org
- updated to version 1.3.5
- Updated patches:
o lynis_1.3.1_lynis.diff
o lynis_1.3.1_include_binaries.diff
o lynis_1.3.1_include-osdetection.diff
o lynis_1.3.1_include-test-kernel.diff
- Removed patches (obsolete)
o lynis_1.3.1_include-test-databases.diff
o lynis_1.3.1_include-test-storage.diff
o lynis_1.3.1_include-test-homedirs.diff
-------------------------------------------------------------------
Fri Jun 21 12:22:08 UTC 2013 - thomas@suse.com
- fixed typo in prepare_for_suse.sh
-------------------------------------------------------------------
Fri Jan 25 09:40:52 UTC 2013 - thomas@suse.com
- fixed log message for dbus test
- fixed bash variable incrementation that sneaked in the code
-------------------------------------------------------------------
Mon Jan 14 14:57:15 UTC 2013 - thomas@suse.com
- fixed tests_network_allowed_ports to increment index vars
and not loop forever
-------------------------------------------------------------------
Thu Jan 10 16:53:32 UTC 2013 - thomas@suse.com
- fixed test_homedirs
-------------------------------------------------------------------
Thu Jan 10 16:46:02 UTC 2013 - thomas@suse.com
- some bugfixing for pathnames, didn't work with sudo
- improved default.prf by adding more sysctl vars
- fixed test_storage
- generated fileperm.db and dbus-whitelist for 12.2
-------------------------------------------------------------------
Mon Dec 26 16:24:35 UTC 2011 - Sascha.Manns@open-slx.de
- fixed conflict in spec
-------------------------------------------------------------------
Mon Dec 26 16:18:01 UTC 2011 - Sascha.Manns@open-slx.de
- updated to version 1.3.0
- from Changelog:
- New:
- Profile option: ignore_home_dir
- TCP wrappers category added
- Tooling category added
- Initial extensions to support plugins in the future
- Test for unpurged Debian packages [PKGS-7346]
- Test for compiler permissions [HRDN-7222]
- Changes:
- Converted all dates to ISO format and updated copyright lines
- Correct suggestion for file integrity tool [FINT-4350]
- Added hint when RPM list is empty on DPKG based systems [PKGS-7308]
- Changed logging for /etc/security/limits.conf file [KRNL-5820]
- Fixed incorrect warning for single user mode [AUTH-9308]
- Improved output for stratum 16 time servers [TIME-3116]
- Added suggestion and screen output for kernel hardening [KRNL-6000]
- Screen layout optimalizations and log file improvements
- Improved list/layout of scan options
- Improved binary check for compilers
- Added configuration option in scan profile (show_tool_tips, default
true)
-------------------------------------------------------------------
Thu Apr 7 15:57:31 UTC 2011 - thomas@novell.com
- added patch for apache2 and oracle detection
-------------------------------------------------------------------
Fri Apr 1 22:00:13 UTC 2011 - saigkill@opensuse.org
- removed rpmlintrc and fixed non-executable-script
-------------------------------------------------------------------
Sun Dec 26 19:55:21 UTC 2010 - saigkill@opensuse.org
- prettyfied spec file
- NOTE: Please submit submitrequests to home:saigkill. This Package links to this Repository.
-------------------------------------------------------------------
Fri Sep 3 05:41:52 UTC 2010 - thomas@novell.com
- fixed %files section to include /etc/lynis
-------------------------------------------------------------------
Fri Sep 3 05:12:43 UTC 2010 - thomas@novell.com
- fixed %files section to reflect new default.prf location
-------------------------------------------------------------------
Fri Sep 3 05:09:47 UTC 2010 - thomas@novell.com
- added permdir /root/.gnupg to default.prf
-------------------------------------------------------------------
Fri Sep 3 05:04:03 UTC 2010 - thomas@novell.com
- copy default.prf to /etc/lynis/ instead of /etc/, otherwise
lynis will not find it and hang
-------------------------------------------------------------------
Thu Sep 2 11:32:50 UTC 2010 - thomas@novell.com
- added %{_datadir}/%{name}/prepare_for_suse.sh
-------------------------------------------------------------------
Thu Sep 2 10:56:55 UTC 2010 - thomas@novell.com
- adjusted patch and spec file to make it build
-------------------------------------------------------------------
Wed Sep 1 12:30:43 UTC 2010 - thomas@novell.com
- put code from Matthias Weckbecker sec_check into lynis
- adjusted lynis for opensuse
- details:
+ tests_tmp_symlinks
+ tests_network_allowed_ports
+ tests_system_proc
+ tests_file_permissions_ww
+ tests_binary_rpath
+ tests_users_wo_password
+ tests_file_permissionsDB
+ tests_system_dbus
-------------------------------------------------------------------
Wed Dec 16 05:19:37 UTC 2009 - saigkill@opensuse.org
- updated to version 1.2.9
- added default.prf
-------------------------------------------------------------------
Wed Dec 9 16:21:53 UTC 2009 - saigkill@opensuse.org
- update to 1.2.8
-------------------------------------------------------------------
Mon Nov 2 18:16:38 UTC 2009 - saigkill@opensuse.org
- update to 1.2.7
- This release adds AIX Support and several new tests related to SSH, logging, databases and SMTP. Many minor issues are solved or improved.
-----------------------------------------------------------------
Mon Apr 6 09:04:05 CEST 2009 - saigkill@opensuse.org
- update to 1.2.6
- This release has several new tests and test improvements, like a sudoers
file permissions check, a core dumps configuration check for Linux, PHP
tests, and an /etc/issue banner test.
-----------------------------------------------------------------
Sat Mar 28 10:27:12 CET 2009 - saigkill@opensuse.org
- update to 1.2.5
- This release adds 40+ new tests for services like Dovecot,
BIND, PowerDNS, SSH, Exim, and nginx
-----------------------------------------------------------------
Tue Mar 17 2009 20:32 CET - mrdocs@opensuse.org
- added 1.2.4 release
- This release adds more than 30 new tests,
including NTP, auditd, PAM, NFS and ClamAV.
------------------------------------------------------------------
Mon Mar 02 22:32 CET 2009 - mrdocs@opensuse.org
- 1.2.3 release see CHANGELOG for changes
-------------------------------------------------------------------
Thu Feb 26 14:16:35 CET 2009 - pgajdos@suse.cz
- removed patches:
- passwd-args.patch
- suppress-dpkg-error.patch
- source repacked gz -> bz2
-------------------------------------------------------------------
Sun Feb 17 2009 - mrdocs@opensuse.org
- 1.2.2 release - see CHANGELOG for changes
------------------------------------------------------------------
Mon Feb 16 03:15:44 CET 2009 - saigkill@opensuse.org
- updated to Version 1.2.2
------------------------------------------------------------------
Wed Jan 07 12:00:00 CET 2009 - saigkill@opensuse.org
- fixed Rpmlint Errors
- branched for Contrib
------------------------------------------------------------------
Wed Nov 10 12:00:00 CET 2008 - saigkill@opensuse.org
- initial version using the buildservice
Reference in New Issue View Git Blame Copy Permalink