Releases: CISOfy/lynis
Lynis 2.0.0
= Lynis 2.0.0 (2015-02-25) =
The first release within the 2.x branch! It includes several new features, to
simplify or improve auditing on Unix based systems, including BSD, Linux,
Mac OS and more traditional systems like AIX, HPUX and Solaris.
New features and many improvements are the reason for the bump to a major
release, also a beginning of a new era. Many tools to audit or harden systems
have being released, yet none have been maintained over a long period of time.
-
Support and Feedback
This software is supported and under development by CISOfy. By providing a
dual license, this software is kept up-to-date and enhanced. Both customers
and the community, benefit from this licensing. This release is available
thanks to your input and feedback. -
Helpers
New in this release is the support for helpers. Small utilities which enhance
Lynis by providing a single goal. The first helper available is to audit
Docker build files. -
Improved OS support
Many changes have been implemented to better support Linux, FreeBSD, NetBSD
DragonBSD and OpenBSD in particular. Upcoming releases will include smaller
"improvement rounds" for other systems as well. -
New technologies
More utilities and technologies are supported now. Technologies and tools
like systemd, Docker, nftables. -
Lynis Enterprise
As this code is shared, customers have an additional option to define to
what server they want to upload the audit results. Also, commercial plugins
have been bundled. -
New parameters
Several new options have been added:
--dump-options (see all options)
--report-file (define a different location for the report file) -
General
Documentation on the website has been extended: https://cisofy.com/support/
The man page, Lynis binary and several tests have improved texts.This release is exceptional in that it includes many changes. We have done
a lot of testing on different platforms. You could expect this software to be
stable. Still, an assumption is no guarantee and especially no substitution
for testing in your own environment. If you encounter issues, please report
them via one of the links above in this changelog.Enjoy this new release!
Release 1.6.4
-
1.6.4 (2014-11-04)
New:
-
Boot loader detection for AIX [BOOT-5102]
-
Detection of getcap and lsvg binary
-
Added filesystem_ext to report
-
Detect rootsh
Changes:
-
Hide errors when RPM database is faulty and show suggestion instead [PKGS-7308]
-
Allow OpenBSD to gather information on listening network ports [NETW-3012]
-
Don't trigger warning for Shellshock when doing segfault test [SHLL-6290]
-
Do not run Apache test on OpenBSD and strip control chars [HTTP-6624]
-
Extended AIDE test with configuration validation test [FIND-4314]
-
Improved Shellshock test regarding non-Linux support [SHLL-6290]
-
Added support for gathering volume groups on AIX [FILE-6311]
-
Properly parse PAM lines and add them to report [AUTH-9264]
-
Support for boot loader detection on OpenBSD [BOOT-5159]
-
Added uptime detection for OpenBSD systems [BOOT-5202]
-
Support for volume groups on AIX [FILE-6312]
-
Redirect errors when searching for readlink binary
Release 1.6.3
New:
-
Added tests for Shellshock bash vulnerability [SHLL-6290]
-
Added test to determine if Snoopy is used [ACCT-9636]
-
New test for qdaemon configuration file [PRNT-2416]
-
Test for GRUB boot loader password [BOOT-5122]
-
New test for qdaemon printer jobs [PRNT-2420]
-
Added ClamXav test for Mac OS X [MALW-3288]
-
Gentoo vulnerable packages test [PKGS-7393]
-
New test for qdaemon status [PRNT-2418]
-
Gentoo package listing [PKGS-7304]
-
Running Lynis without root permissions will start non-privileged scan
-
Systemd service and timer example file added
-
Added grub2-install to binaries
Changes:
-
Adjustments so insecure SSL protocols are detected in nginx config [HTTP-6710]
-
Directories will be skipped when searching for nginx log files [HTTP-6720]
-
Only gather unique name servers from /etc/resolv.conf [NAME-2704]
-
Properly detect mod_evasive on Gentoo and others [HTTP-6640]
-
Improved swap partition detection in /etc/fstab [FILE-6336]
-
Improvements to kernel detection (e.g. Gentoo) [KRNL-5830]
-
Test for built-in security options in YUM [PKGS-7386]
-
Improved boot loader detection for GRUB2 [BOOT-5121]
-
Split GRUB test into two tests [BOOT-5122]
-
Added Mac OS uptime check [BOOT-5202]
-
Improved GetHostID function for systems having only ip binary
-
Improved testing for symlinked binary directories
-
Minor adjustments to log output
-
Renamed dev directory to extras
Release 1.6.2
This is the 1.6.2 release.
-
1.6.2 (2014-09-22)
New:
-
IsVirtualMachine function to check if system is running in VM
VM types: Bochs CPU emulation, IBM z/VM, KVM, Linux Containers,
libvirt LXC driver (Linux Containers), Microsoft Virtual PC, OpenVZ,
Oracle VM VirtualBox, QEMU, Systemd Namespace container,
User-Mode Linux (UML), VMware products, XEN -
Detection for SaltStack configuration management tooling
-
ShowSymlinkPath function to check path behind a symlink
-
Check of configuration options of pacman [PKGS-7314]
-
Support for drill binary to check for Lynis update
-
FileIsEmpty function to check for empty files
-
Detect updates for Arch Linux [PKGS-7312]
-
Add detection for machine ID (systemd)
-
Added linux_config_file to report
-
Bash completion script for Lynis
-
Added detection of ss binary
Changes:
-
Extended system reboot check, to enable it for most Linux versions[KRNL-5830]
-
Improved inetd test to avoid false positive with xinetd process [INSE-8002]
-
Permissions check has been adjusted to allow packaging and pentest mode
-
Added detection for compressed Linux config file [KRNL-5728]
-
Added support for compressed Linux config file [KRNL-5730]
-
Store PID file in home directory of the user, if needed
-
Added usage of ss to gather listening ports [NETW-3012]
-
Additional permission added to CUPS check [PRNT-2307]
-
Extended telnet in inetd test [INSE-8016]
-
Fix for reading at.deny file [SCHD-7720]
-
Removed individual warnings [BOOT-5184]
-
Several improvements for Arch Linux
Version 1.6.1
Version 1.6.1