Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
home:Hoog
lynis
lynis.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File lynis.changes of Package lynis
------------------------------------------------------------------- Thu Sep 26 15:14:10 UTC 2024 - Robert Frohl <rfrohl@suse.com> - Update to 3.1.2: * Added - Detection of ALT Linux - Detection of Athena OS - Detection of Container-Optimized OS from Google - Detection of Koozali SME Server - Detection of Nobara Linux - Detection of Open Source Media Center (OSMC) - Detection of PostmarketOS - CRYP-7932 - macOS FileVault encryption test - FILE-6398 - Check if JBD (Journal Block Device) driver is loaded - FINT-4344 - Wazuh system running state - PKGS-7305 - Query macOS Apps in /Applications and CoreServices - File added: .editorconfig, which is used by editors to standardize formatting * Changed - Correction of software EOL database and inclusion of AIX entries - Support sysctl value perf_event_paranoid -> 2|3 - Update of translations: German, Portuguest, Turkish - Grammar and spell improvements - Improved package detection on Alpine Linux - Slackware support to check installed packges (functionPackageIsInstalled()) - Added words prosecute/report to LEGAL_BANNER_STRINGS - Busybox support: Replace newer tr command syntax with older ascii specific operations - Added Wazuh as a malware scanner/antivirus and rootkit detection tool - Updated PHP versions and removed PHP 5 (deprecated) - AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc) - CONT-8104 - Checking for errors, not only warning in docker info output - DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD - FILE-6344 - Test kernel version (major/minor) - INSE-8000 - Added inetd package and service name used in ubuntu 24.04 - KRNL-5622 - Use systemctl get-default instead of following link - KRNL-5820 - Accept ulimit with -H parameter also - LOGG-2144 - Check for wazuh-agent presence on Linux systems - MACF-6234 - Test if semanage binary is available - MALW-3200 - ESET Endpoint Antivirus added - MALW-3280 - McAfee Antivirus for Linux deprecated - MALW-3291 - Check if Microsoft Defender Antivirus is installe - NETW-3200 - Added regex to allow both /bin/true as /bin/false - PKGS-7303 - Added version numbers to brew packages - PKGS-7370 - Cron job check for debsums improved - PKGS-7392 - Improved filtering of apt-check output (Ubuntu 24.04 may give an error) - PKGS-7410 - Added kernel name for Hardkernel odroid XU4 - update additional_module_blacklist_locations.patch ------------------------------------------------------------------- Sun Mar 17 11:15:28 UTC 2024 - Robert Frohl <rfrohl@suse.com> - Update to 3.1.1: * Added - Detection of ArcoLinux * Changed - DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf) - DBS-1882 - Check /snap directory location for Redis configuration file ------------------------------------------------------------------- Mon Mar 11 10:21:40 UTC 2024 - Robert Frohl <rfrohl@suse.com> - Update to 3.1.0: * Added - Translation: Indonesian * Changed - MALW-3280 - Correction to detect com.avast.daemon - OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP LSDK, OpenEmbedded "nodistro", and The Yocto Projects distro "Poky" - Updated Amazon Linux EOL dates and addition of Amazon Linux 2023 - STATUS_NOT_ACTIVE variable added to translation files - End-of-life dates updated - Fixing missing or erroneous test number comments - Detection of SentinelOne corrected - Wazuh for file integrity and tooling - Updated parsing output of arch-audit - Added support for SentinelOne detection - Replacing deprecated option -i for xargs - Path detection for PostgreSQL improved - Updated additional_module_blacklist_locations.patch ------------------------------------------------------------------- Fri Mar 1 11:34:54 UTC 2024 - pgajdos@suse.com - Use %patch -P N instead of deprecated %patchN. ------------------------------------------------------------------- Sun Nov 12 09:54:02 UTC 2023 - Dirk Müller <dmueller@suse.com> - add missing gawk dependency ------------------------------------------------------------------- Thu Aug 3 12:56:11 UTC 2023 - Robert Frohl <rfrohl@suse.com> - Update to 3.0.9: * Changed - DBS-1820 - Added newer style format for Mongo authorization setting - FILE-6410 - Locations added for plocate - SSH-7408 - Only test Compression if sshd version < 7.4 - Improved fetching timestamp - Minor changes such as typos ------------------------------------------------------------------- Tue May 17 14:00:34 UTC 2022 - Robert Frohl <rfrohl@suse.com> - Update to 3.0.8: * Added - MALW-3274 - Detect McAfee VirusScan Command Line Scanner - PKGS-7346 Check Alpine Package Keeper (apk) - PKGS-7395 Check Alpine upgradeable packages - EOL for Alpine Linux 3.14 and 3.15 * Changed - AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2) - FILE-7524 - Test enhanced to support symlinks - HTTP-6643 - Support ModSecurity version 2 and 3 - KRNL-5788 - Only run relevant tests and improved logging - KRNL-5820 - Additional path for security/limits.conf - KRNL-5830 - Check for /var/run/needs_restarting (Slackware) - KRNL-5830 - Add a presence check for /boot/vmlinuz - PRNT-2308 - Bugfix that prevented test from storing values correctly - Extended location of PAM files for AARCH64 - Some messages in log improved - accepted upstream, removed additional_paths_security-limits.patch ------------------------------------------------------------------- Fri Feb 4 10:08:03 UTC 2022 - Robert Frohl <rfrohl@suse.com> - cover /usr/etc/security/limits.conf too (boo#1194446) added additional_paths_security-limits.patch ------------------------------------------------------------------- Tue Jan 18 13:29:42 UTC 2022 - Robert Frohl <rfrohl@suse.com> - Update to 3.0.7: * Added - MALW-3290 - Show status of malware components - OS detection for RHEL 6 and Funtoo Linux - Added service manager openrc * Changed - DBS-1804 - Added alias for MariaDB - FINT-4316 - Support for newer Ubuntu versions - MALW-3280 - Added Trend Micro malware agent - NETW-3200 - Allow unknown number of spaces in modprobe blacklists - PKGS-7320 - Support for Garuda Linux and arch-audit - Several improvements for busybox shell - Russian translation of Lynis extended - replace 0x429A566FD5B79251 with 0x9DE922F1C2FDE6C4 in lynis.keyring according to https://packages.cisofy.com/ - update additional_module_blacklist_locations.patch ------------------------------------------------------------------- Wed Oct 13 14:35:34 UTC 2021 - Johannes Segitz <jsegitz@suse.com> - Add additional_module_blacklist_locations.patch to check fo blacklisted modules under /usr/lib/modules.d ------------------------------------------------------------------- Mon Oct 11 06:45:59 UTC 2021 - Paolo Stivanin <info@paolostivanin.com> - Update to 3.0.6: * Added - OS detection: Artix Linux, macOS Monterey, NethServer, openSUSE MicroOS - Check for outdated translation files * Changed - DBS-1826 - Check if PostgreSQL is being used - DBS-1828 - Test multiple PostgreSQL configuration file(s) - KRNL-5830 - Sort kernels by version instead of modification date - PKGS-7410 - Don't show exception for systems using LXC - GetHostID function: fallback options added for Linux systems - Fix: show correct text when egrep is missing - Fix: variable name for PostgreSQL ------------------------------------------------------------------- Thu Sep 16 08:59:23 UTC 2021 - Johannes Segitz <jsegitz@suse.com> - Changed tests_binary_rpath to subtract points for files found with RPATH set, not add points for files that are configured correctly. This resulted in a huge number of points that skewed the overal result ------------------------------------------------------------------- Sat Jul 3 11:54:47 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> - fix SLE 12 build ------------------------------------------------------------------- Fri Jul 2 12:56:40 UTC 2021 - Robert Frohl <rfrohl@suse.com> - Update to 3.0.5 * Added - OS detection of Arch Linux 32, BunsenLabs Linux, and Rocky Linux - CRYP-8006 - Check MemoryOverwriteRequest bit to protect against cold-boot attacks (Linux) * Changed - ACCT-9622 - Corrected typo - HRDN-7231 - When calling wc, use the short -l flag instead of --lines (Busybox compatibility) - PKGS-7320 - extended to Arch Linux 32 - Generation of host identifiers (hostid/hostid2) extended - Linux host identifiers are now using ip as preferred input source - Improved logging in several areas ------------------------------------------------------------------- Tue May 11 12:43:28 UTC 2021 - Johannes Segitz <jsegitz@suse.com> - Update to 3.0.4 * Added - ACCT-9670 - Detection of cmd tooling - ACCT-9672 - Test cmd configuration file - BOOT-5140 - Check for ELILO boot loader presence - OS detection of AlmaLinux, Garuda Linux, Manjaro (ARM), and others * Changed - BOOT-5104 - Add service manager detection support for runit - FILE-6430 - Report suggestion only when at least one kernel module is not in the blacklist - FIRE-4540 - Corrected nftables empy ruleset test - LOGG-2138 - Do not check for klogd when metalog is being used - TIME-3185 - Improved support for Debian stretch - Corrected issue when Lynis is not executed directly from lynis directory ------------------------------------------------------------------- Thu Jan 7 16:38:00 UTC 2021 - Alexandros Toptsoglou <atoptsoglou@suse.com> - Update to 3.0.3 * Added - Check for registered non-native binary formats - OS detection of Parrot GNU/Linux * Changed - Force test to check only password authentication - Support for NetBSD * Fixed: command 'configure settings' did not work as intended ------------------------------------------------------------------- Mon Jan 4 09:13:29 UTC 2021 - Robert Frohl <rfrohl@suse.com> - Update to 3.0.2 * Added - Scan for locked user accounts in /etc/passwd - Loghost configuration - Check for active Suricata daemon - OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS - OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others - EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11 - Support for Solaris svcs (service manager) - Enumeration of Solaris services * Changed - Detect sysstat systemd unit - Only fail if both SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are undefined - Support for Solaris - Improved reboot test by ignoring known bad values - Ignore rescue kernel such as on CentOS systems - Detection of Alpine Linux kernel - Compatibility change for hostname check - Support for Solaris - Don't show exception if no kernels were found on the disk - Supports now checking files at multiple locations (systemd) - ParseNginx function: Support include on absolute paths - ParseNginx function: Ignore empty included wildcards - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux - HostID: Use first e1000 interface and break after match - Translations extended and updated - Test if pgrep exists before using it - Better support for busybox shell - Small code enhancements ------------------------------------------------------------------- Fri Nov 13 09:42:44 UTC 2020 - Johannes Segitz <jsegitz@suse.com> - Add a Requires for net-tools-deprecated, as legacy binary binaries are still used by some of the custom lynis tests we ship. Later on I'll port them to use current binaries and remove this again ------------------------------------------------------------------- Mon Oct 5 13:50:24 UTC 2020 - Robert Frohl <rfrohl@suse.com> - Update to 3.0.1 * Added - Detection of Alpine Linux - Detection of CloudLinux - Detection of Kali Linux - Detection of Linux Mint - Detection of macOS Big Sur (11.0) - Detection of Pop!_OS - Detection of PHP 7.4 - Malware detection tool: Microsoft Defender ATP - New flag: --slow-warning to allow tests more time before showing a warning - Test TIME-3185 to check systemd-timesyncd synchronized time - rsh host file permissions * Changed - Added option for LOCKED accounts and bugfix for older bash versions - Presence check for grub.d added - Added support for certificates in DER format - Added data to report - Redirect errors (e.g. when swap is not encrypted) - Don't grep nonexistant modprobe.d files - Set initial firewall state - Corrected text on screen - Handle zipped kernel configuration correctly - Improved version detection for non-symlinked kernel - Extended detection of BitDefender - Find more time synchronization commands - Corrected detection of time peers - Fix: hostid generation routine would sometimes show too short IDs - Fix: language detection - Generic improvements for macOS - German translation updated - End-of-life database updated ------------------------------------------------------------------- Thu Jun 18 12:17:36 UTC 2020 - Robert Frohl <rfrohl@suse.com> - Update to 3.0.0 * Security issues - CVE-2020-13882: incorrect Access Control because of a TOCTOU race condition (boo#1173141). - CVE-2019-13033: local disclosure of license key when data is uploaded (boo#1173142). * Breaking change: Non-interactive by default - Lynis now runs non-interactive by default, to be more in line with the Unix philosophy. So the previously used '--quick' option is now default, and the tool will only wait when using the '--wait' option. * Breaking change: Deprecated options - Option: -c - Option: --check-update/--info - Option: --dump-options - Option: --license-key * Breaking change: Profile options - The format of all profile options are converted (from key:value to key=value). You may have to update the changes you made in your custom.prf. * Security - An important focus area for this release is on security. We added several measures to further tighten any possible misuse. * New: DevOps, Forensics, and pentesting mode - This release adds initial support to allow defining a specialized type of audit Using the relevant options, the scan will change base on the intended goal. - Further features, bug fixes and details about the release listed in https://raw.githubusercontent.com/CISOfy/lynis/3.0.0/CHANGELOG.md ------------------------------------------------------------------- Tue Jun 25 07:32:29 UTC 2019 - Robert Frohl <rfrohl@suse.com> - Update to 2.7.5 Added: * Danish translation * Slackware end-of-life information * Detect BSD-style (rc.d) init in Linux systems * Detection of Bro and Suricata (IDS) Changed: * Corrected end-of-life entries for CentOS 5 and 6 * Change name to check in /etc/passwd file for QNAP devices * AIX enhancement to use correct find statement * Filter on correct field for AIX * Set ss command as preferred option for Linux and changed output format * List of PHP ini file locations has been extended * Removed several pieces of the code as part of cleanup and code health * Extended help ------------------------------------------------------------------- Mon Jun 3 11:20:11 UTC 2019 - Tuukka Pasanen <tuukka.pasanen@ilmi.fi> - Add more false-positive packages to Dbus database: tuned, autofs, lightdm, geoglue2, snapper and ModemManager ------------------------------------------------------------------- Wed May 29 11:47:34 UTC 2019 - Tuukka Pasanen <tuukka.pasanen@ilmi.fi> - Add these common false-positive packages to Dbus database whitelist: FirewallD, SystemD and Wicked ------------------------------------------------------------------- Tue Apr 23 07:24:21 UTC 2019 - Robert Frohl <rfrohl@suse.com> - Update to 2.7.4 Added * FILE-6324 - Discover XFS mount points * INSE-8000 - Installed inetd package * INSE-8100 - Installed xinetd package * INSE-8102 - Status of xinet daemon * INSE-8104 - xinetd configuration file * INSE-8106 - xinetd configuration for inactive daemon * INSE-8200 - Usage of TCP wrappers * INSE-8300 - Presence of rsh client * INSE-8302 - Presence of rsh server * Detect equery binary detection * New 'generate' command Changed * AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems * PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages * PKGS-7420 - Detect toolkit to automatically download and apply upgrades * PKGS-7328 - Added global Zypper option --non-interactive * PKGS-7386 - Only show warning when vulnerable packages were discovered * PKGS-7392 - Skip test for Zypper-based systems * Minor changes to improve text output, test descriptions, and logging * Changed CentOS identifiers in end-of-life database * AIX enhancement for IsRunning function * Extended PackageIsInstalled function * Improve text output on AIX systems * Corrected lsvg binary detection ------------------------------------------------------------------- Thu Mar 21 12:11:32 UTC 2019 - Robert Frohl <rfrohl@suse.com> - update to 2.7.3 Added * Detection for Lynis being scheduled (e.g. cronjob) Changed * HTTP-6624 - Improved logging for test * KRNL-5820 - Changed color for default fs.suid_dumpable value * LOGG-2154 - Adjusted test to search in configuration file correctly * NETW-3015 - Added support for ip binary * SQD-3610 - Description of test changed * SQD-3613 - Corrected description in code * SSH-7408 - Increased values for MaxAuthRetries * Improvements to allow tailored tool tips in future * Corrected detection of blkid binary * Minor textual changes and cleanups ------------------------------------------------------------------- Thu Mar 7 11:54:18 UTC 2019 - Robert Frohl <rfrohl@suse.com> - update to 2.7.2 * Added support for doas (OpenBSD) * Added test file permissions of doas configuration * Added support for systemd-boot boot loader * Added simplify service filter and allow multiple dots in service names * Added check OpenBSD boot daemons * Added test permissions for boot files and scripts * Added support for end-of-life detection of the operating system * Added new 'lynis show eol' command * Multiple changes and improvements ------------------------------------------------------------------- Fri Feb 1 10:28:13 UTC 2019 - Robert Frohl <rfrohl@suse.com> - update to 2.7.1 * Improve support for Red Hat and clones * Additional support for Hands Off!, LuLu, and Radio Silence * Added MariaDB filter for deleted files (tested on CentOS) * Added /etc/bash.bashrc.local to umask check * Removed shift statement that did not work on all operating systems * Minor cleanups and enhancements * Small improvements to logging * Added translation for Slovak ------------------------------------------------------------------- Sat Oct 27 02:36:44 UTC 2018 - sean@suspend.net - update to 2.7.0 * added detection of TOMOYO binary (MACF-6240) * Status of TOMOYO framework updated (MACF-6242) * OpenSSH server version detected (SSH-7406) * Check active OSSEC analysis daemon (TOOL-5160) * Changed several warning labels on screen * More generic sulogin for systemd rescue (AUTH-9308) * OS detection now ignores quotes for getting the OS ID ------------------------------------------------------------------- Tue Oct 9 08:20:47 UTC 2018 - Robert Frohl <rfrohl@suse.com> - update to 2.6.9 * Man page has been updated * Command 'lynis show options' provides up-to-date list * Option '--dump-options' is deprecated * Several options and commands have been extended with more examples * OS detection now supports openSUSE specific distribution names * Changed command output when using 'lynis audit system remote' * added /usr/local/redis/etc path and QNAP support * ignore exception when no vmlinuz file was discovered ------------------------------------------------------------------- Thu Sep 20 13:04:11 UTC 2018 - astieger@suse.com - update to 2.6.8: * improved parsing of boot parameters to init process * test all PHP files for expose_php and improved logging * Docker check now tests also for CMD, ENTRYPOINT, and USER configuration * Improved display in Docker output for showing which keys are used for signing - includes changes from 2.6.7: * Added busybox as a service manager * Limit PAE and no-execute test to AMD64 hardware only * Ignore /dev/zero and /dev/[aio] as deleted files * Changed classification of SSH root login with keys * Docker scan uses new format for maintainer value - includes chagnes from 2.6.6: * Improved log text about running kernel version * Under some condition no hostid2 value was reported * Solved 'extra operand' issue with tr command ------------------------------------------------------------------- Wed Jun 27 08:42:31 UTC 2018 - astieger@suse.com - update to 2.6.5: * mail: Exim configuration test * network: Use FQDN to test status of a nameserver instead of own IP address * ssh: Improved test to allow configurations with a Match block - includes changes from 2.6.4: * auth: Made 'sulogin' more generic for systemd rescue shell * dns: Initial work on DNSSEC validation testing * network: Added support for local resolver 127.0.0.53 * php: Suhosin test disbled * ssh: Removed 'DELAYED' from OpenSSH Compression setting * time: Improvements to detect step-tickers file and entries - includes changes from 2.6.3: * crypt: Do prevalidation for certificates before testing them * hardening: Enhanced compiler permission test * name: Improved test to filter out empty lines * packages: changes to detect yum-utils package and related tooling * plugins: cron file permissions - includes changes from 2.6.2: * Textual changes for several tests * Update of tests database ------------------------------------------------------------------- Fri Jan 26 17:00:07 UTC 2018 - astieger@suse.com - update to 2.6.1: * New group 'usb' for tests related to USB devices * Updated and enhanced tests * Many bug fixes * output and UI fixes ------------------------------------------------------------------- Thu Jun 8 19:36:22 UTC 2017 - astieger@suse.com - Lynis 2.5.1: * Improved detection of SSL certificate files * Minor changes to improve logging and results * Firewall tests: Determine if CSF is in testing mode - includes changes from Lynis 2.5.0: * CVE-2017-8108: symlink attack may have allowed arbitrary file overwrite or privilege escalation (bsc#1043463) * Deleted unused tests from database file * Additional sysctls are tested * Extended test with Symantec components * Snort detection * Snort configuration file ------------------------------------------------------------------- Tue Apr 4 09:35:48 UTC 2017 - tuukka.pasanen@ilmi.fi - Lynis 2.4.8 (Changelog from 2.4.1) * More PHP paths added * Minor changes to text * Show atomic test in report * Added FileInstalledByPackage function (dpkg and rpm supported) * Mark Arch Linux version as rolling release (instead of unknown) * Support for Manjaro Linux * Escape files when testing if they are readable * Code cleanups * Allow host alias to be specified in profile * Code readability enhancements * Solaris support has been improved * Fix for upload function to be used from profile * Reduce screen output for mail section, unless --verbose is used * Code cleanups and removed 'update release' command * Colored output can now be tuned with profile (colors=yes/no) * Allow data upload to be set as a profile option * Properly detect SSH daemon version * Generic code improvements * Improved the update check and display * Finish, Portuguese, and Turkish translation * Extended support and tests for DragonFlyBSD * Option to configure hostid and hostid2 in profile * Support for Trend Micro and Cylance (macOS) * Remove comments at end of nginx configuration * Used machine ID to create host ID when no SSH keys are available * Added detection of iptables-save to binaries Tests: BANN-7126 - Added more words to test for CUPS-2308 - Improve logging for CUPS configuration test, removed exception handler HTTP-6641 - Support detection for Apache module mod_reqtimeout PKGS-7388 - Minor change to detect security repositories CRYP-7902 - Test more certificates names, but only if they are not part of a package FILE-7524 - Reduce standard screen output for file permissions check MALW-3280 - Added Avira detection as a malware scanner NAME-4018 - Only perform name services test when resolv.conf file exists PKGS-7387 - Check all repositories if they use GPG signing SCHD-7704 - Permission checks TIME-3104 - Check permissions before open files AUTH-9328 - Add missing 0027 and 0077 umasks BOOT-5104 - Add initsplash and minor code enhancements DBS-1882 - Include Redis configuration file FIRE-4502 - Improved detection for iptables modules when using OpenVZ PKGS-7381 - Enhanced package audit for FreeBSD AUTH-9308 - Improved test for sulogin string (Debian systems) FILE-6372 - Properly deal with comment on lines in /etc/fstab MAIL-8817 - New test to check Postfix configuration for errors SSH-7408 - Corrected SSH check AUTH-9308 - Improved test for sulogin string MAIL-8818 - Test if Linux version is known before comparing in Postfix banner TIME-3116 - Skip stratum 16 items for time pools TIME-3148 - New test to detect TZ variable AUTH-9208 - Removed double logging AUTH-9222 - Improve logging for double groups AUTH-9226 - Improve logging for double groups BOOT-5177 - Sort systemctl unit files to make them unique DBS-1818 - New test to detect MongoDB DBS-1820 - New test for MongoDB authentication FIRE-4512 - Lowered minimum number of iptables firewall rules FIRE-4586 - Fix applied when searching for "-j LOG" HRDN-7222 - Changed reporting key of world executable compilers SSH-7408 - Added filtering for PermitRootLogin (prohibit-password, OpenSSH 7.0) FIRE-4586 - Check logging for firewall components KRNL-5788 - Remove exception and style improvements KRNL-5830 - Improved logging ------------------------------------------------------------------- Fri Nov 4 13:41:25 UTC 2016 - matthias.gerstner@suse.com - lynis 2.4.0 * Mainly improved support for macOS users * Support for CoreOS * Support for clamconf utility * Support for chinese translation * More sysctl values in the default profile * New commands: "upload-only", "show hostids", "show environment", "show os" ------------------------------------------------------------------- Wed Sep 28 11:45:44 UTC 2016 - astieger@suse.com - lynis 2.3.4 with various improvements, including: * Several tests have extended log details * Detection of nftables improved * Replaced cut, sed, tr and others commands with binary variable (for forensics and future intrusion checking capabilities) * OS detection improved ------------------------------------------------------------------- Thu Sep 15 14:44:27 UTC 2016 - astieger@suse.com - lynis 2.3.3 with many improvements and updates ------------------------------------------------------------------- Thu May 12 08:32:25 UTC 2016 - astieger@suse.com - lynis 2.2.0: * new features and tests, small enhancements * optimisation, better detection * dealing with OS quirks and unexcepted results * adjustments for supporting more compliance in-depth * Detection for CFEngine has been improved * now tries to determine if failed logins are properly logged * New plugin is introduced to analyze PAM settings * Initial support to test UEFI settings, including Secure Boot option. * Support added for Unbound DNS caching tool, configuration check * Record if a name caching utility is being used like nscd or Unbound. * Tests chains of iptables and their default policy (ACCEPT or DROP) * Support upcoming nftables technology (status check) * Test added to include osqueryd as a supported tool. * Detection of firewire is enhanced (both ohci and core detected). * Extended the test syslog-ng logging to remote systems. * ESET and LMD (Linux Malware Detect) have been added. * Discovered malware scanners are also logged to the report. * Eexpanded test for multiple common mount points and define best practice mount flags. * Best practices for IPv6 configuration on Linux are now collected. * Collect network interface names from most operating systems. * Password change test has been extended to both capture minimum and password age. * Add Proxu support * SystemV init is now detected. * Now information will be logged when vulnerable software packages were found. * Support for DNF (Dandified YUM) for Fedora systems has been added. * Multiple configuration tests of SSH merged. * Extend detection of virtual machines (VMware tools) * Machine state detection with Puppet, Facter, dmidecode, and lscpu * When using pentest mode, it will continue without any delays (=quick mode). * Improvements for automatic execution of Lynis * Upload improvements ------------------------------------------------------------------- Wed Jul 29 11:05:22 UTC 2015 - astieger@suse.com - lynis 2.1.1: * performance improvements * additional support for Linux distributions and external utilities * Apache module directory /usr/lib64/apache has been added, which is used on openSUSE. * various other improvements and bug fixes - update patches for contect changes: lynis_1.3.1_include_consts.diff, lynis_1.3.5_lynis.diff ------------------------------------------------------------------- Tue May 12 15:19:07 UTC 2015 - astieger@suse.com - lynis 2.1.0: * Screen output has been improved to provide additional information. * Core dump check on Linux is extended to check for actual values as well. * Software: + McAfee detection has been extended by detecting a running cma binary. + Security patch checking with zypper extended. * Session timeout: + Tests to determine shell time out setting have been extended + determine also if variable is exported as a readonly variable. + Related compliance section PCI DSS 8.1.8 has been extended. - includes changes from Lynis 2.0.0: * New feature: helpers * docker build file audit helper * Improved OS support * support systemd, docker, nftables * New parameters: + --dump-options (see all options) + --report-file (define a different location for the report file) - use tarball supplied default.prf - clean or silence rpmlint warnings ------------------------------------------------------------------- Tue Feb 17 12:32:20 UTC 2015 - astieger@suse.com - lynis 1.6.4: * New: + Boot loader detection for AIX + Detection of getcap and lsvg binary + Added filesystem_ext to report + Detect rootsh * Changes: + Hide errors when RPM database is faulty and show suggestion instead + Allow OpenBSD to gather information on listening network ports + Don't trigger warning for Shellshock when doing segfault test + Do not run Apache test on OpenBSD and strip control chars + Extended AIDE test with configuration validation test + Improved Shellshock test regarding non-Linux support + Added support for gathering volume groups on AIX + Properly parse PAM lines and add them to report + Support for boot loader detection on OpenBSD + Added uptime detection for OpenBSD systems + Support for volume groups on AIX + Redirect errors when searching for readlink binary - includes changes from 1.6.3: * New: + Added tests for Shellshock bash vulnerability + Added test to determine if Snoopy is used + New test for qdaemon configuration file + Test for GRUB boot loader password + New test for qdaemon printer jobs + Added ClamXav test for Mac OS X + Gentoo vulnerable packages test + New test for qdaemon status + Gentoo package listing + Running Lynis without root permissions will start non-privileged scan + Systemd service and timer example file added + Added grub2-install to binaries * Changes: + Adjustments so insecure SSL protocols are detected in nginx config + Directories will be skipped when searching for nginx log files + Only gather unique name servers from /etc/resolv.conf + Properly detect mod_evasive on Gentoo and others + Improved swap partition detection in /etc/fstab + Improvements to kernel detection (e.g. Gentoo) + Test for built-in security options in YUM + Improved boot loader detection for GRUB2 + Split GRUB test into two tests + Added Mac OS uptime check + Improved GetHostID function for systems having only ip binary + Improved testing for symlinked binary directories + Minor adjustments to log output + Renamed dev directory to extras - verify source signature - adjust permissions of items in /usr/share/lynis/include/consts to match those requested by main executable - run spec_cleaner ------------------------------------------------------------------- Sun Nov 16 00:39:00 UTC 2014 - Led <ledest@gmail.com> - fix bashisms in scripts ------------------------------------------------------------------- Wed Sep 24 16:36:21 UTC 2014 - citypw@gmail.com - Upgrade to version 1.6.2 - Remove files: * lynis_1.3.7_include-test-filesystem.diff( already fixed) * lynis-1.3.9.tar.gz ------------------------------------------------------------------- Thu Jan 9 18:45:44 UTC 2014 - saigkill@opensuse.org - updated to version 1.3.9 - removed patch * lynis_1.3.6_include-test-kernel.diff (fixed upstream) ------------------------------------------------------------------- Wed Dec 11 20:14:06 UTC 2013 - saigkill@opensuse.org - updated to version 1.3.7 - Changelog: * FileExists() and SearchItem() functions were added. The yum-security check and iptables binary check were improved, and the report was extended to show which tests have been executed or skipped - updated patch * lynis_1.3.7_include-test-filesystem.diff ------------------------------------------------------------------- Tue Dec 10 18:46:14 UTC 2013 - saigkill@opensuse.org - updated to version 1.3.6 - Removed patches (obsolete): * lynis_1.3.5_include_binaries.diff - Updated patches * lynis_1.3.6_include_osdetection.diff * lynis_1.3.6_include-test-kernel.diff ------------------------------------------------------------------- Sun Nov 24 14:29:06 UTC 2013 - saigkill@opensuse.org - updated to version 1.3.5 - Updated patches: o lynis_1.3.1_lynis.diff o lynis_1.3.1_include_binaries.diff o lynis_1.3.1_include-osdetection.diff o lynis_1.3.1_include-test-kernel.diff - Removed patches (obsolete) o lynis_1.3.1_include-test-databases.diff o lynis_1.3.1_include-test-storage.diff o lynis_1.3.1_include-test-homedirs.diff ------------------------------------------------------------------- Fri Jun 21 12:22:08 UTC 2013 - thomas@suse.com - fixed typo in prepare_for_suse.sh ------------------------------------------------------------------- Fri Jan 25 09:40:52 UTC 2013 - thomas@suse.com - fixed log message for dbus test - fixed bash variable incrementation that sneaked in the code ------------------------------------------------------------------- Mon Jan 14 14:57:15 UTC 2013 - thomas@suse.com - fixed tests_network_allowed_ports to increment index vars and not loop forever ------------------------------------------------------------------- Thu Jan 10 16:53:32 UTC 2013 - thomas@suse.com - fixed test_homedirs ------------------------------------------------------------------- Thu Jan 10 16:46:02 UTC 2013 - thomas@suse.com - some bugfixing for pathnames, didn't work with sudo - improved default.prf by adding more sysctl vars - fixed test_storage - generated fileperm.db and dbus-whitelist for 12.2 ------------------------------------------------------------------- Mon Dec 26 16:24:35 UTC 2011 - Sascha.Manns@open-slx.de - fixed conflict in spec ------------------------------------------------------------------- Mon Dec 26 16:18:01 UTC 2011 - Sascha.Manns@open-slx.de - updated to version 1.3.0 - from Changelog: - New: - Profile option: ignore_home_dir - TCP wrappers category added - Tooling category added - Initial extensions to support plugins in the future - Test for unpurged Debian packages [PKGS-7346] - Test for compiler permissions [HRDN-7222] - Changes: - Converted all dates to ISO format and updated copyright lines - Correct suggestion for file integrity tool [FINT-4350] - Added hint when RPM list is empty on DPKG based systems [PKGS-7308] - Changed logging for /etc/security/limits.conf file [KRNL-5820] - Fixed incorrect warning for single user mode [AUTH-9308] - Improved output for stratum 16 time servers [TIME-3116] - Added suggestion and screen output for kernel hardening [KRNL-6000] - Screen layout optimalizations and log file improvements - Improved list/layout of scan options - Improved binary check for compilers - Added configuration option in scan profile (show_tool_tips, default true) ------------------------------------------------------------------- Thu Apr 7 15:57:31 UTC 2011 - thomas@novell.com - added patch for apache2 and oracle detection ------------------------------------------------------------------- Fri Apr 1 22:00:13 UTC 2011 - saigkill@opensuse.org - removed rpmlintrc and fixed non-executable-script ------------------------------------------------------------------- Sun Dec 26 19:55:21 UTC 2010 - saigkill@opensuse.org - prettyfied spec file - NOTE: Please submit submitrequests to home:saigkill. This Package links to this Repository. ------------------------------------------------------------------- Fri Sep 3 05:41:52 UTC 2010 - thomas@novell.com - fixed %files section to include /etc/lynis ------------------------------------------------------------------- Fri Sep 3 05:12:43 UTC 2010 - thomas@novell.com - fixed %files section to reflect new default.prf location ------------------------------------------------------------------- Fri Sep 3 05:09:47 UTC 2010 - thomas@novell.com - added permdir /root/.gnupg to default.prf ------------------------------------------------------------------- Fri Sep 3 05:04:03 UTC 2010 - thomas@novell.com - copy default.prf to /etc/lynis/ instead of /etc/, otherwise lynis will not find it and hang ------------------------------------------------------------------- Thu Sep 2 11:32:50 UTC 2010 - thomas@novell.com - added %{_datadir}/%{name}/prepare_for_suse.sh ------------------------------------------------------------------- Thu Sep 2 10:56:55 UTC 2010 - thomas@novell.com - adjusted patch and spec file to make it build ------------------------------------------------------------------- Wed Sep 1 12:30:43 UTC 2010 - thomas@novell.com - put code from Matthias Weckbecker sec_check into lynis - adjusted lynis for opensuse - details: + tests_tmp_symlinks + tests_network_allowed_ports + tests_system_proc + tests_file_permissions_ww + tests_binary_rpath + tests_users_wo_password + tests_file_permissionsDB + tests_system_dbus ------------------------------------------------------------------- Wed Dec 16 05:19:37 UTC 2009 - saigkill@opensuse.org - updated to version 1.2.9 - added default.prf ------------------------------------------------------------------- Wed Dec 9 16:21:53 UTC 2009 - saigkill@opensuse.org - update to 1.2.8 ------------------------------------------------------------------- Mon Nov 2 18:16:38 UTC 2009 - saigkill@opensuse.org - update to 1.2.7 - This release adds AIX Support and several new tests related to SSH, logging, databases and SMTP. Many minor issues are solved or improved. ----------------------------------------------------------------- Mon Apr 6 09:04:05 CEST 2009 - saigkill@opensuse.org - update to 1.2.6 - This release has several new tests and test improvements, like a sudoers file permissions check, a core dumps configuration check for Linux, PHP tests, and an /etc/issue banner test. ----------------------------------------------------------------- Sat Mar 28 10:27:12 CET 2009 - saigkill@opensuse.org - update to 1.2.5 - This release adds 40+ new tests for services like Dovecot, BIND, PowerDNS, SSH, Exim, and nginx ----------------------------------------------------------------- Tue Mar 17 2009 20:32 CET - mrdocs@opensuse.org - added 1.2.4 release - This release adds more than 30 new tests, including NTP, auditd, PAM, NFS and ClamAV. ------------------------------------------------------------------ Mon Mar 02 22:32 CET 2009 - mrdocs@opensuse.org - 1.2.3 release see CHANGELOG for changes ------------------------------------------------------------------- Thu Feb 26 14:16:35 CET 2009 - pgajdos@suse.cz - removed patches: - passwd-args.patch - suppress-dpkg-error.patch - source repacked gz -> bz2 ------------------------------------------------------------------- Sun Feb 17 2009 - mrdocs@opensuse.org - 1.2.2 release - see CHANGELOG for changes ------------------------------------------------------------------ Mon Feb 16 03:15:44 CET 2009 - saigkill@opensuse.org - updated to Version 1.2.2 ------------------------------------------------------------------ Wed Jan 07 12:00:00 CET 2009 - saigkill@opensuse.org - fixed Rpmlint Errors - branched for Contrib ------------------------------------------------------------------ Wed Nov 10 12:00:00 CET 2008 - saigkill@opensuse.org - initial version using the buildservice
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor