Releases: CISOfy/lynis

Lynis 2.4.1

09 Feb 12:38

Lynis 2.4.1 (2017-02-09)

Changes:

  • Generic code improvements
  • Improved the update check and display
  • Finnish, Portuguese, and Turkish translation
  • Extended support and tests for DragonFlyBSD
  • Option to configure hostid and hostid2 in profile
  • Support for Trend Micro and Cylance (macOS)
  • Remove comments at end of nginx configuration
  • Used machine ID to create host ID when no SSH keys are available
  • Added detection of iptables-save to binaries

Tests:

  • FIRE-4586 - Check logging for firewall components
  • KRNL-5788 - Remove exception and style improvements
  • KRNL-5830 - Improved logging

Lynis 2.4.0

27 Oct 10:51

Lynis 2.4.0 (2016-10-27)

Exactly one month after the previous release, the Lynis project is proud to
announce a new release. This release had the specific focus to improve support
for macOS users. Thanks to the testers and contributors for making this possible.

New:

  • New group "system integrity" added
  • Support for clamconf utility
  • Chinese translation (language=cn)
  • New command "upload-only" to upload just the data instead of a full audit
  • Enhanced support for macOS, including HostID2 generation for macOS
  • Support for CoreOS
  • Detection for pkg binary (FreeBSD)
  • New command: lynis show hostids (show host ID)
  • New command: lynis show environment (hardware, VM, or container type)
  • New command: lynis show os (show operating system details)

Changes:

  • Several new sysctl values have been added to the default profile
  • Existing tests have been enhanced to support macOS

Tests:

  • AUTH-9234 - Support for macOS user gathering
  • BOOT-5139 - Support for machine roles in LILO test
  • BOOT-5202 - Improve uptime detection for macOS and others
  • FIRE-4518 - Improve pf detection and mark as root-only test
  • FIRE-4530 - Don't show error on screen for missing IPFW sysctl key
  • FIRE-4534 - Check Little Snitch on macOS
  • INSE-8050 - Test for insecure services on macOS
  • MACF-6208 - Allow non-privileged execution and filter permission issues
  • MALW-3280 - Detection for Avast and Bitdefender daemon on macOS
  • NETW-3004 - Support for macOS
  • PKGS-7381 - Improve test for pkg audit on FreeBSD
  • TIME-3104 - Chrony support extended

Plugins (community and commercial):

  • PLGN-1430 - Gather installed software packages for macOS
  • PLGN-4602 - Support for Clam definition check on macOS

Lynis 2.3.4

27 Sep 11:14

Lynis 2.3.4 (2016-09-27)

Changes:

  • Skip update message when using the 'show' helper
  • Instead of opening the log file, you can now use 'lynis show details' followed
    by the test ID. It will show the relevant section.
  • Several tests have extended log details
  • Many style improvements as part of ongoing refactoring of the code
  • Detection of nftables improved
  • Replaced cut, sed, tr and other commands with a binary variable (for forensics
    and future intrusion checking capabilities)
  • Swedish translation provided by Peter Carlsson
  • Support for arch-audit to scan for presence of vulnerable packages on Arch Linux
  • OS detection improved

Tests:

  • CONT-8107 - New test checking number of Docker containers
  • CRYP-7902 - Gather more details regarding certificates
  • DBS-1816 - Define skip reason
  • FILE-6344 - Adjusted /proc test for hidepid option
  • FILE-6362 - Removed warning and add skip reason
  • FIRE-4520 - Change test to use detected binary
  • FIRE-4520 - New test to check for empty nftables ruleset
  • KRNL-5820 - Corrected function and style improvements
  • LOGG-2146 - Textual change
  • NAME-4408 - Check localhost to IP mapping
  • PKGS-7320 - Test for arch-audit tool
  • PKGS-7322 - Check vulnerable packages on Arch Linux
  • PKGS-7381 - Extended vulnerable package detection for FreeBSD
  • TIME-3104 - timedatectl test now detects NTP synchronization properly

Lynis 2.3.3

23 Aug 08:53

Lynis 2.3.3 (2016-08-23)

Upgrade note

Customized profiles that included sysctl settings need to be altered. See
default.prf for the correct format of the lines.

Additions

  • OpenStack detection
  • Option to disable automatic refresh of software repository

Languages

  • Japanese translation added, contributed by Yukio Takahara

Fixes

  • Some tests did not show a warning text
  • Typo in man page for tests-from-group

Parameters

  • New --bin-dirs to define binary directories to scan
  • New option --root-dir to specify a different file system to scan

Nginx

  • Rewrite of configuration parsing

PHP

  • Support for PHP 5.6

Redis

  • Redis test to detect configuration files
  • Test Redis configuration for several best practices
  • Perform permission check on Redis configuration files

Experimental features (in development)

  • --bin-dirs - set what directories should be scanned for binaries
  • --root-dir - define the root of the file system, to allow forensics

Settings

  • Many settings have a new alias (with dashes instead of underscores)
  • New setting 'show-report-solution' to show solution in report

Functions

  • ExitFatal can now exit program with optional text
  • IsNotebook can detect if system is a notebook (or not)
  • ShowSymlinkPath and FileIsReadable test for at least one argument
  • StoreNginxSettings will save parsed nginx configuration

Tests

  • BOOT-5108 - Support for Syslinux bootloader
  • DBS-1882 - Redis configuration detection
  • DBS-1884 - Redis 'requirepass' check
  • DBS-1886 - Redis 'rename-command CONFIG' check
  • DBS-1888 - Redis 'bind localhost' check
  • FILE-6374 - Improved logging
  • KRNL-5830 - Improved logging for detected Linux kernels
  • KRNL-6000 - Support for multiple profiles and new format style
  • LOGG-2190 - Ignore MySQL files in /tmp from early MySQL 5.x releases
  • LOGG-2192 - New test to check opened log files that are empty

Lynis Enterprise integration

  • Tag 'redis-server' is added for systems running Redis

Lynis 2.3.2

09 Aug 14:53

Lynis 2.3.2 (2016-08-09)

Categories and Groups

Tests are now grouped by their focus area and named 'groups' accordingly.
Besides groups, each test will belong to a category (performance, privacy, or
security).

Commands: lynis show categories, lynis show groups
Options: --tests-from-category, --tests-from-group

Note: You might need to change your scripts if you previously defined the group
of tests to scan.

Development

A new 'strict' option is available in the profiles and by default enabled for
the initialization phases of Lynis. It will perform a strict code check for the
tests, to detect any uninitialized variables, improving code quality.

Helpers

With 'lynis update check' you can now check for updates. This is the preferred
new method.

The command 'lynis show changelog' allows reviewing the changes. Optionally a
release can be specified as additional argument.

Languages

Initial translation for German has been contributed by Kai Raven. The Italian
translation by Stefano Marty (stefanomarty). Hungarian translation by Zoltan
Paldi (paldiz).

Profiles

Parsing of the profiles has been improved; it previously prevented some settings
from overriding default settings.

Tests

  • AUTH-9212 - Added prerequisite to log
  • AUTH-9216 - Simplified test and make it more efficient
  • AUTH-9218 - Clean ups and improve readability
  • AUTH-9226 - Style, text, and removed warning
  • AUTH-9228 - Provide just a suggestion instead of warning
  • AUTH-9268 - Improve test for readability
  • AUTH-9328 - Test /etc/profile.d for umask setting
  • AUTH-9406 - Readability and code style changes
  • CONT-8102 - Determine if all Docker tests should be performed
  • DBS-1880 - Initial support for Redis server
  • HTTP-6720 - Readability improvement of test
  • KRNL-5830 - Readability and style improvements, ignore rescue images
  • MAIL-8818 - Style and refactoring
  • PHP-2211 - Readability improvement and code style changes
  • PHP-2374 - Changed text and cleanups
  • PHP-2376 - Log result to log file instead of report
  • PKGS-7383 - Simplified test
  • PKGS-7388 - Style and readability improvements
  • TIME-3106 - Corrected string to test for status
  • TOOL-5102 - Split of fail2ban tests
  • TOOL-5104 - Test for enabled fail2ban jails

Languages

Translation of Spanish (es) added
Proper display of text strings when accented characters are used
More text strings added

General

  • Added bold and header as new colors
  • Changed header and footer of screen output
  • Allow atomic tests to be skipped (e.g. SSH-7408)
  • Extended tests database with category (lynis show tests)
  • By default Lynis will now run in 'quick mode' and not break after each
    section. You can get this behavior by adding the --wait option.

Functions

  • RemoveColors - New test to clear colors
  • DisplayError - Display error on screen in uniform format and colors
    Use an optional exit code to quit the program
  • SkipAtomicTest - This function is now properly working with lowercase strings

Website

Several controls on the website are added or updated, including:

  • FILE-6344
  • FINT-4315
  • FINT-4402
  • HTTP-6714
  • MACF-6234
  • NAME-4018
  • NAME-4402
  • PHP-2374
  • PROC-3612
  • TIME-3106

Lynis 2.3.1

14 Jul 18:33

Lynis 2.3.1 (2016-07-14)

This is a minor patch to improve upon findings in version 2.3.0.

Changes:

  • Convert all skipped tests to uppercase
  • Only add license key when it is defined
  • Updated French translation
  • Exclude custom.prf from tarball (download via website)

Lynis 2.3.0

13 Jul 11:51

Lynis 2.3.0 (2016-07-13)

We are excited to announce this major release of the auditing tool Lynis. Several
big changes have been made to core functions of Lynis. These changes are the next
in the series of simplification improvements we made. There is a risk of breaking
your existing configuration. See the tips below to upgrade.

This release will soon also be available in our software repository. For more
details see https://packages.cisofy.com to install and upgrade Lynis.

Upgrade tips

Default profile and custom profiles:
Settings of multiple profiles can now be merged. Instead of making changes to
default.prf, copy your changes to custom.prf. Use 'lynis show profiles' to show
any detected profiles. Only include your changes in custom.prf, to keep the
configuration clean and tidy. They will then overwrite the defaults. Use
'lynis show settings' to see if they are applied.

Check your cron jobs:
When using --quiet, the output will be really quiet now. Use --show-warnings-only
if you still want to see the warnings. Lynis will now exit with error 0, even
when warnings have been found. Use option error-on-warnings=yes (custom.prf) to
exit with code 78 when it has any warnings.
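
A cron wrapper built on the exit-code behaviour described above, as an added example that is not part of Lynis or of these release notes. The variable names LYNIS_BIN, LYNIS_PROFILE and ALERT_LOG, their default paths, and the wrapper's own return codes are assumptions; only --quiet, --show-warnings-only, error-on-warnings=yes and exit code 78 come from the text.

```shell
#!/bin/sh
# Added example (not Lynis code): cron wrapper for the 2.3.0 exit-code change.
# Assumed names and paths: LYNIS_BIN, LYNIS_PROFILE, ALERT_LOG (placeholders).

LYNIS_BIN="${LYNIS_BIN:-lynis}"
LYNIS_PROFILE="${LYNIS_PROFILE:-./custom.prf}"
ALERT_LOG="${ALERT_LOG:-./lynis-cron.log}"

# True when the profile has an active (uncommented) error-on-warnings=yes line.
profile_enforces_warnings() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*error-on-warnings=yes[[:space:]]*$' "$1"
}

# Append a timestamped line to the alert log.
log_alert() {
    printf '%s lynis-cron: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$ALERT_LOG"
}

# Wrapper return codes (assumed convention):
#   0 = audit ran, no warnings
#   1 = warnings found (Lynis exit code 78)
#   2 = Lynis failed for another reason
#   3 = profile does not enable error-on-warnings, so exit 0 would prove nothing
run_lynis_audit() {
    if ! profile_enforces_warnings "$LYNIS_PROFILE"; then
        # Since 2.3.0 Lynis exits 0 even with warnings unless this option is set.
        log_alert "error-on-warnings=yes missing in $LYNIS_PROFILE; exit code not trusted"
        return 3
    fi
    rc=0
    "$LYNIS_BIN" audit system --quiet || rc=$?
    case "$rc" in
        0)  return 0 ;;
        78) log_alert "warnings found (exit 78); rerun with --show-warnings-only"
            return 1 ;;
        *)  log_alert "audit did not complete (exit $rc)"
            return 2 ;;
    esac
}

# Run only when called as: script --run (keeps the functions sourceable).
if [ "${1:-}" = "--run" ]; then
    run_lynis_audit
    exit $?
fi
```

The profile check only reads the file named in LYNIS_PROFILE; 'lynis show settings' remains the way to confirm that Lynis itself applied the option.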

Details

Ansible

New Ansible examples for deployment: https://github.com/CISOfy/lynis-ansible

Databases

Lynis will also check for DB2 instances and report the status.

Developer Mode

With this release the developer mode is introduced. It can be activated with the
--developer option, or developer-mode=yes in profile. In development mode, some
details are displayed on screen, to help testing of existing or new tests.

To get easy access, a new profile has been added (developer.prf).

Examples:
lynis audit system --profile developer.prf
lynis audit system --developer

A new software development kit (SDK) for Lynis is available on GitHub. This will
help contributors and developers to test software quality, including linting and
running unit tests. The devkit also supports building DEB and RPM files for easy
deployment. The repository can be found on https://github.com/CISOfy/lynis-sdk

Documentation

Template files have been updated to provide better examples on how to create
custom tests and plugins.

To simplify the usage of Lynis, a new helper utility has been added: show.
This helper will show help, or values (e.g. version, plugin directories, etc).
Some examples include: lynis show options, lynis show commands, lynis show
version, etc. See lynis show for all available details.

File Systems

The XFS file system detection has been added. Mount points /dev/shm and /var/tmp
are now checked for their options. Comparison of the mount options has been
improved. A new test has been added to check if /var/tmp has been bound to /tmp.

Language Support

Lynis now supports language translations, with the language profile option.
Initial languages: Dutch (nl), English (en), French (fr).

You can help by translating the language files in the db directory.

Mac OS X Improvements

Package manager Brew has been added

nginx

Show suggestion when weak protocol is used, like SSLv2 or SSLv3. The protocols
are now also parsed and stored as details in the report file.

Packages

Systems running CentOS, Debian, openSUSE, RHEL, Ubuntu and others, may now use
our own software repository: https://packages.cisofy.com

Performance

Several performance improvements have been implemented. This includes rewriting
tests to invoke fewer commands and enhanced hardware detection at the beginning.

Plugins

You can set the plugin directory now also via a profile. First match wins.
Priority: 1) argument, 2) profile, 3) default

--plugindir is now an alias for --plugin-dir

Profiles

Lynis now supports multiple profiles. With a 'custom.prf' file, values are first
inherited from default.prf and then merged with custom.prf.

Several tests have been altered to support multiple profiles.

New profile options:
quick=yes|no (similar to --quick)
developer (see Developer section)
check-value

Remote scanning

Although Lynis is aimed at running on local hosts, there is still an ongoing
demand for running remote scans. With 'lynis audit system remote' tips are now
provided to perform such a scan via SSH.

Software

Zypper calls are now marked with a non-interactive flag to prevent it waiting for
any interactive input.

Solaris

Improve execution for Solaris systems.

SSH

The configuration of SSH is now parsed from the SSH daemon directly. This makes
it easier to handle new defaults, as OpenSSH sometimes introduces new keys, or
changes their default value between versions.

Systemd

Added support for detecting systemd and reporting it as a service manager. The
systemd plugin has been released as a community plugin.

Uploads

Solved a bug which added the proxy configuration twice.

Profile options: upload-tool and upload-tool-arguments

General Improvements

The screen output has been improved, to show more meaningful things when some
parameters are missing. Several old variables and lines have been cleaned up.

The Display function now allows the --debug flag. This helps in showing some
lines on screen, which would normally be hidden (e.g. items not found or
matched).

Logging has been improved in different areas, like cleaning up and add more
relevant messages where needed.

The interface colors have been changed, to make it more obvious how the software
can be used. Also the wait line between categories has been altered, to properly
display on systems with a white background.

When no auditor name has been specified, it will say that instead of unknown.

The functions file has been cleaned up, including adding developer debug
information when old functions are still being used. These functions will be
deleted later on, and have therefore been placed at the bottom.

Program Options

  • --developer - Enable developer mode
  • --verbose - Show more details on screen, reduce in normal mode
  • --show-warnings-only - Only show warnings on screen
  • --skip-plugins - Disable running any plugins (alias: --no-plugins)
  • --quiet - Changed: become really quiet
  • --config - Removed: use 'lynis show profiles' instead

Functions

  • AddSetting - New function to store settings (lynis show settings)
  • ContainsString - New function to search for a string in another one
  • Display - Added --debug, showing details on screen in debug mode
    - Reset indentation for lines which are too long
  • DisplayToolTip - New function to display tooltips
  • IsDebug - Check for usage of --debug
  • IsDeveloperMode - Status for development and debugging (--developer)
  • IsDeveloperVersion - Check if release is still under development
  • IsRunning - Added return state
  • IsVerbose - Check for usage of --verbose
  • IsOwnedByRoot - Check ownership of files and directories
  • IsWorldWritable - Improved test with additional details
  • PortIsListening - Check if a service is listening to a specified port
  • SkipAtomicTest - Allow smaller tests to be skipped (e.g. SSH-7408)

Tests

  • AUTH-9234 - Test for minimal UID in /etc/login.defs when available
  • AUTH-9254 - Allow root to use this test, due to permissions
  • AUTH-9262 - Restructure of test, support for pwquality PAM
  • AUTH-9288 - Only check for accounts which have a maximum password age set
  • AUTH-9308 - Check for systemd targets
  • BANN-7119 - /etc/motd test disabled
  • BANN-7122 - /motd content test disabled
  • BOOT-5122 - Extended GRUB password check
  • BOOT-5184 - Improve file permissions check for CentOS 7 machines
  • DBS-1860 - Check for status of DB2
  • CRYP-7902 - Improved logging
  • FILE-6354 - Restrict searching in /tmp to mount point only
  • FILE-6372 - Properly checking for /etc/fstab now, ignore comments
  • FILE-6374 - Added /dev/shm and /var/tmp
  • FILE-6374 - New test for /var/tmp
  • FILE-6430 - New test for detecting specific filesystems
  • FILE-7524 - Support for multiple profiles
  • HTTP-6632 - Fix for proper detection of Apache modules
  • HTTP-6642 - Test disabled
  • HTTP-6710 - Trigger suggestion when weak protocols SSLv2/SSLv3 are used
  • KRNL-5788 - Support for kernel with grsecurity patches (linux-image-grsec)
  • KRNL-5820 - Improved logging for test
  • KRNL-6000 - Allow multiple profiles to be used, store more details
  • LOGG-2190 - Improvements for Fail2Ban and cron-related files
  • NETW-3014 - Support for multiple profiles
  • PKGS-7303 - Added Brew package manager
  • PKGS-7354 - Test for DNF repoquery plugin before using it
  • PKGS-7381 - Check for vuln.xml file
  • PRNT-2306 - Check if files are readable before parsing them
  • PROC-3612 - Removed wchan output to prevent grsecurity issues
  • SCHD-7702 - Test for running cron daemon
  • SCHD-7704 - Test ownership of cronjob files
  • SSH-7408 - Show weak configurations of SSH on screen as a suggestion
  • TOOL-5102 - Test for Fail2ban tooling
  • TOOL-5190 - Test for intrusion detection or prevention system

Plugins

  • PLGN-1602 - Marked as root-only
  • PLGN-2612 - Marked as root-only
  • PLGN-2804 - Marked as root-only
  • PLGN-3202 - Marked as root-only

Lynis 2.2.0

18 Mar 10:02

= Lynis 2.2.0 (2016-03-18) =

We are proud to present this new release of Lynis. It is a major upgrade, and the
result of many months of work. This version includes new features and tests, and
many small enhancements. We encourage all to test and upgrade to this latest
release.

* Highlights

The biggest change in this release is the optimization of several functions. It
allows for better detection, and dealing with the quirks, of every single
operating system. Some functions were fortified to handle unexpected results
better, like missing a particular binary, or not returning the hostname.

This release also enables tests to be shorter, by adding new functions. Some
functions were renamed or slightly changed, to provide more value to the tooling.
Another big change in this release is a wide set of optimizations and quality
testing. Outdated pieces were removed, or rewritten, to support features seen in
newer distributions.

In the area of compliance, adjustments have been made to start supporting more
in-depth testing for this. Ideal for companies who have a particular compliance
need, or want to test and enforce the system hardening levels of their systems.

Last but not least, many small changes make this software easier to use. On
our website we added new guides to provide help and support.

We would like to thank our contributors, in particular Kamil Boratyński, Steve
Bosek, and Eric Light. Their contributions greatly helped us shape this release.

Below are the changes per category:

* Automation tools

Detection for CFEngine has been improved. Also additional logging and reporting
of automation tools.

* Authentication

Depending on the operating system, Lynis now tries to determine if failed logins
are properly logged. This includes checking for /etc/login.defs file [AUTH-9408].
Merged previous password check for Solaris into test AUTH-9228. User ids on AIX
will be gathered and added to the report [AUTH-9234].

A new plugin is introduced to analyze PAM settings. It includes items like:

  • Two-factor authentication methods
  • Minimum password length, password strength and protection status against brute
    force cracking
  • Password history

Report option: auth_failed_logins_logged

* Boot

Added detection for Mac OSX boot loader. Initial support to test UEFI settings,
including Secure Boot option. Options boot_uefi_booted and
boot_uefi_booted_secure added to report file

* Compliance

This release prepares for upcoming extensions to assist with compliance testing.
The profile has a new option, which can be used to define what standards should
be tested for, if any test is available. The related option is:
compliance_standards

Right now these standards can be selected:

  • CIS benchmarks
  • HIPAA
  • ISO27001/ISO27002
  • PCI DSS

Note that additional tests will be implemented in future releases and then tagged
to these particular standards.

* DNS and Name services

Support added for Unbound DNS caching tool [NAME-4034], including a configuration
check [NAME-4036].

Record if a name caching utility is being used like nscd or Unbound. Also logging
to report as field name_cache_used

* Firewalls

Test for IPFW firewall on FreeBSD has been improved: status of pflogd will no
longer be displayed, when pf is not available.

New test FIRE-4532 introduced for detection of the Mac OS X application firewall.
Also, the status of application firewalls is audited now.

FIRE-4508 is another new test, which tests chains of iptables and their default
policy (ACCEPT or DROP). This release also supports the upcoming nftables
technology with new test FIRE-4536. It is expected that it will replace iptables
later on, so this test will perform a status check. Additional FIRE-4548 will
perform a version detection of the userland utility nft and determine if there
are any rules configured.

Renamed FIRE-4511 to FIRE-4502.

* File Integrity Monitoring

Test added to include osqueryd as a supported tool.

* Hardware

Detection of firewire is enhanced (both ohci and core detected).

* Logging

Extended the test syslog-ng logging to remote systems. The log Lynis itself
produces is also enhanced, to be more detailed for several tests.

* Malware

ESET and LMD (Linux Malware Detect) have been added. Discovered malware scanners
are also logged to the report.

* Mount points

FILE-6374 is expanded to test for multiple common mount points and define best
practice mount flags.

* Networking

Best practices for IPv6 configuration on Linux are now collected. Also network
interface names from most operating systems.

* Operating systems

Improved support for Debian 8 systems, and displaying Gentoo for Gentoo-based
systems. Detection of VMware release has been added. Boot loader exception is no
longer displayed when only a subset of tests is performed. FreeBSD systems can
now use service command to gather information about enabled services.

Several paths have been added to allow better detection on systems running
FreeBSD and others.

* Passwords

AUTH-9286 change has been extended to both capture minimum and password age.

* Proxy support

A proxy can now be specified in the profile, to allow uploads via a HTTP or SOCKS
proxy.

* Service Managers

SystemV init is now detected.

* Software and Packages

Now information will be logged when vulnerable software packages were found.
Support for DNF (Dandified YUM) for Fedora systems has been added. This is done
in several tests: PKGS-7350 (installed packages), PKGS-7352 (security notices),
PKGS-7354 (integrity tests).

* SSH

Multiple configuration tests of SSH are now merged into SSH-7408. This enables
easier testing later on and reduces repetition.

* Virtual machines and Containers

Detection of virtual machines has been extended in several ways. Now VMware tools
(vmtoolsd) are detected and machine state is improved with tools like Puppet
Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it
previously gave an error because it found the directory /usr/libexec/docker.
Check file permissions for Docker files, like the socket file [CONT-8108].

* Individual tests

[AUTH-9204] Exclude NIS entries to avoid false positives
[AUTH-9230] Removed test as it was merged into AUTH-9228
[AUTH-9234] Support for AIX added
[AUTH-9288] Test for expired passwords
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also
includes improved logging, and support for other operating systems.
[BOOT-5104] Rewrote test to detect SysV init and other service managers
[BOOT-5106] New test to test boot loader on Mac OS X
[BOOT-5180] Only gets executed if runlevel 2 is found
[CONT-8108] New test to test for Docker file permissions
[DBS-1816] Removed suggestion
[FILE-6310] Add more details to test when a symlinked path has been found
[FILE-6410] Added /var/lib/locatedb as search path
[FINT-4338] Added osquery test
[FIRE-4508] Added chains test for iptables
[FIRE-4511] Renamed to FIRE-4502
[FIRE-4536] Support for nftables detection
[FIRE-4538] Basic configuration check for nftables
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
[HTTP-6622] Determine Apache version and log to report
[HTTP-6624] Ignore wildcard and default entries as ServerName for Apache
[LOGG-2154] Additional support for log destinations for syslog-ng
[MALW-3278] New test to detect LMD (Linux Malware Detect)
[NAME-4406] Changed logic for localhost check and more detailed logging
[NETW-2600] IPv6 configuration check for Linux
[NETW-3032] Added ARP monitoring software test
[PKGS-7308] Split package name and version for RPM based package manager
[PKGS-7350] Support for installed packages via Fedora DNF package manager (Dandified YUM)
[PKGS-7352] Query security notices for DNF
[PKGS-7354] Perform integrity tests for package database (DNF)
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
[STRG-1842] New test for checking authorized USB devices
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured
[TIME-3170] New test to check NTP configuration files

* Functions

[CreateTempFile] Create a temporary file
[DigitsOnly] New function to extract only numbers from a text string
[DisplayManual] New function to show text on screen without any markup
[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier
[IsWorldWritable] Changed return codes for easier usage of the function
[LogText] Replaces the older logtext function
[RandomString] Creates a random string of characters
[RemoveTempFiles] Remove any created temporary files
[Report] Replaces the older report function
[ReportSuggestion] Allows two additional parameters to store details
(text and external reference to a solution)
[ReportWarning] Like ReportSuggestion() has additional parameters
[ShowComplianceFinding] Display compliance findings
[ShowSymlinkPath] Ensure readlink is available

* General improvements

  • When using pentest mode, it will continue without any delays (=quick mode).
  • Plugin execution is improved, with improved logging and counting of active
    plugins.
  • Data uploads: provide help when self-signed certificates are used.
  • Improved output for tests which before showed results as a warning, instead of
    just as a suggestion.
  • Lynis now uses different exit codes, depending on errors or finding warnings.
    This helps with automation and any custom scripting you want to apply.
  • Preparations to allow compressing the Lynis report file and enhance uploads.
  • Added --config option to show what settings file or profile is used.
  • Tool tips are displayed, to make Lynis even easier to use.
  • Show a warning if the release ...

Lynis 2.1.1

22 Jul 18:48

= Lynis 2.1.1 (2015-07-22) =

This release adds a lot of improvements, with focus on performance, and
additional support for common Linux distributions and external utilities.
We recommend using this latest version.

* Operating system enhancements

Support for systems like CentOS, openSUSE, Slackware is improved.

* Performance

Performance tuning has been applied, to speed up execution of the audit on
systems with many files. This also includes code cleanups.

* Automatic updates

Initial work on an automatic updater has been implemented. This way Lynis
can be scheduled for automatic updating from a trusted source.

* Internal functions

Not all systems have readlink, or the -f option of readlink. The
ShowSymlinkPath function has been extended with a Python based check, which
is often available.

* Software support

Apache module directory /usr/lib64/apache has been added, which is used on
openSUSE.

Support for Chef has been added.

Added tests for CSF's lfd utility for integrity monitoring on directories and
files. Related tests are FINT-4334 and FINT-4336.

Added support for Chrony time daemon and timesync daemon. Additionally NTP
synchronization status is checked when it is enabled.

Improved single user mode protection on the rescue.service file.

* Other

Check for user permissions has been extended.
Python binary is now detected, to help with symlink detection.
Several new legal terms have been added, which are used in banners.
In several files old tests have been removed, to further clean up the code.

* Bug fixes

Nginx test showed error when access_log had multiple parameters.
Tests using locate won't be performed if not present.
Fix false positive match on Squid unsafe ports [SQD-3624].
The hardening index is now also inserted into the report if it is not displayed
on screen.

* Functions

Added AddSystemGroup function

* New tests

Several new tests have been added:

[PKGS-7366] Scan for debsecan utility on Debian systems
[PKGS-7410] Determine amount of installed kernel packages
[TIME-3106] Check synchronization status of NTP on systemd based systems
[CONT-8102] Docker daemon status and gather basic details
[CONT-8104] Check docker info for any Docker warnings
[CONT-8106] Check total, running and unused Docker containers

* Plugins

[PLGN-2602] Disabled by default, as it may be too slow for some machines
[PLGN-3002] Extended with /sbin/nologin

* Documentation

A new document has been created to help with the process of upgrading Lynis.
It is available at https://cisofy.com/documentation/lynis/upgrading/

Lynis 2.1.0

17 Apr 10:56

= Lynis 2.1.0 (2015-04-16) =

General:


Screen output has been improved to provide additional information.

OS support:


CUPS detection on Mac OS has been improved. AIX systems will now use the csum
utility to create the host ID. The group check has been altered on AIX, to
include the -n ALL. Core dump check on Linux is extended to check for actual
values as well.

Software:


McAfee detection has been extended by detecting a running cma binary.
Improved detection of pf firewall on BSD and Mac OS. Security patch checking
with zypper extended.

Session timeout:


Tests to determine the shell timeout setting have been extended to account for
AIX, HP-UX and other platforms. It will now also determine whether the variable
is exported as a readonly variable. Related compliance section PCI DSS 8.1.8
has been extended.

Documentation: