summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorKr1ss2020-11-14 14:02:41 +0100
committerKr1ss2020-11-14 14:02:41 +0100
commit8e7e7f8edb8dcf9a175e6cb6939886dbeec1a00e (patch)
treea79107df2ff979b1bcc64ab0a6360baab9ce7d9a
downloadaur-8e7e7f8edb8dcf9a175e6cb6939886dbeec1a00e.tar.gz
initial upload: lynis3 3.0.0-1
Diffstat
-rw-r--r--.SRCINFO25
-rw-r--r--CHANGELOG.md3429
-rw-r--r--PKGBUILD62
3 files changed, 3516 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..18b1aac00634
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,25 @@
+pkgbase = lynis3
+ pkgdesc = Security and system auditing tool to harden Unix/Linux systems
+ pkgver = 3.0.0
+ pkgrel = 1
+ url = https://cisofy.com/lynis
+ changelog = CHANGELOG.md
+ arch = any
+ license = GPL3
+ depends = sh
+ depends = awk
+ optdepends = net-tools: networking tests
+ optdepends = bind-tools: nameserver tests
+ optdepends = iptables: firewall tests
+ optdepends = bash-completion: completion for bash
+ provides = lynis=3.0.0
+ conflicts = lynis
+ backup = etc/lynis/default.prf
+ source = https://downloads.cisofy.com/lynis/lynis-3.0.0.tar.gz
+ source = https://downloads.cisofy.com/lynis/lynis-3.0.0.tar.gz.asc
+ validpgpkeys = 73AC9FC55848E977024D1A61429A566FD5B79251
+ sha512sums = 2f156002ff1cfcd2333c95b57e82e76260364fa58419b9414f2bb461aa77a22c2f1af57a6a934e88030baeb69aa9c274045cfcef359eb496d10acd5b886cb856
+ sha512sums = SKIP
+
+pkgname = lynis3
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 000000000000..3198681e12fb
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,3429 @@
+# Lynis Changelog
+
+## Lynis 3.0.0 (2020-06-18)
+
+This is a major release of Lynis and includes several big changes.
+Some of these changes may break your current usage of the tool, so test before
+deployment!
+
+### Security issues
+This release resolves two security issues
+* CVE-2020-13882 - Discovered by Sander Bos, code submission by Katarina Durechova
+* CVE-2019-13033 - Discovered by Sander Bos
+
+### Breaking change: Non-interactive by default
+Lynis now runs non-interactive by default, to be more in line with the Unix
+philosophy. So the previously used '--quick' option is now default, and the tool
+will only wait when using the '--wait' option.
+
+### Breaking change: Deprecated options
+- Option: -c
+- Option: --check-update/--info
+- Option: --dump-options
+- Option: --license-key
+
+### Breaking change: Profile options
+The format of all profile options are converted (from key:value to key=value).
+You may have to update the changes you made in your custom.prf.
+
+### Security
+An important focus area for this release is on security. We added several
+measures to further tighten any possible misuse.
+
+## New: DevOps, Forensics, and pentesting mode
+This release adds initial support to allow defining a specialized type of audit.
+Using the relevant options, the scan will change base on the intended goal.
+
+### Added
+- Security: test PATH and warn or exit on discovery of dangerous location
+- Security: additional safeguard by testing if common system tools are available
+- Security: test parameters and arguments for presence of control characters
+- Security: filtering out unexpected characters from profiles
+- Security: test if setuid bit is set on Lynis binary
+- New function: DisplayException
+- New function: DisplayWarning
+- New function: Equals
+- New function: GetReportData
+- New function: HasCorrectFilePermissions
+- New function: Readonly
+- New function: SafeFile
+- New function: SafeInput
+- New option: --usecwd - run from the current working directory
+- New profile option: disable-plugin - disables a single plugin
+- New profile option: ssl-certificate-paths-to-ignore - ignore a path
+- New test: AUTH-9229 - check used password hashing methods
+- New test: AUTH-9230 - check group password hashing rounds
+- New test: BOOT-5109 - test presence rEFInd boot loader
+- New test: BOOT-5264 - run systemd-analyze security
+- New test: CRYP-7930 - test for LUKS encryption
+- New test: CRYP-7931 - determine if system uses encrypted swap
+- New test: CRYP-8004 - presence of hardware random number generator
+- New test: CRYP-8005 - presence of software random number generator
+- New test: DBS-1828 - PostgreSQL configuration files
+- New test: FILE-6394 - test virtual memory swappiness (Linux)
+- New test: FINT-4316 - presence of AIDE database and size test
+- New test: FINT-4340 - check dm-integrity status (Linux)
+- New test: FINT-4341 - verify status of dm-verity (Linux)
+- New test: INSE-8314 - test for NIS client
+- New test: INSE-8316 - test for NIS server
+- New test: NETW-2400 - test hostname for valid characters and length
+- New test: NETW-2706 - check DNSSEC (systemd)
+- New test: NETW-3200 - determine enabled network protocols
+- New test: PHP-2382 - detect listen option in PHP (FPM)
+- New test: PROC-3802 - check presence of prelink tooling
+- New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD
+- New test: TIME-3181 - check status of OpenNTPD time synchronisation
+- New test: TIME-3182 - check OpenNTPD has working peers
+- New report key: openssh_daemon_running
+- New command: lynis generate systemd-units
+- Sending USR1 signal to Lynis process will show active status
+- Measure timing of tests and report slow tests (10+ seconds)
+- Initial support for Clear Linux OS
+- Initial support for PureOS
+- Support for X Binary Package (xbps)
+- Added end-of-life data for Arch Linux and Debian
+- Detection and end-of-life data added for Amazon Linux
+- Detection of linux-lts on Arch Linux
+- Translations: Russian added
+
+### Changed
+- Function: CheckItem() now returns only exit code (ITEM_FOUND is dropped)
+- Function: IsRunning supports the --user flag to define a related user
+- Function: PackageIsInstalled extended with pacman support
+- Profiles: unused options removed
+- Profiles: message is displayed when old format "key:value" is used
+- Binaries: skip pacman when it is the game instead of package manager
+- Security: the 'nounset' (set -u) parameter is now activated by default
+- AUTH-9228 - HP-UX support
+- AUTH-9234 - NetBSD support
+- AUTH-9252 - corrected permission check
+- AUTH-9266 - skip .pam-old files in /etc/pam.d
+- AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD
+- AUTH-9282 - fix: temporary variable was overwritten
+- AUTH-9408 - added support for pam_tally2 to log failed logins
+- AUTH-9489 - test removedd as it is merged with AUTH-9218
+- BANN-7126 - additional words for login banner are accepted
+- BOOT-5122 - check for defined password in all GRUB configuration files
+- CONT-8106 - support newer 'docker info' output
+- CRYP-7902 - optionally check also certificates provided by packages
+- CRYP-8002 - gather kernel entropy on Linux systems
+- FILE-6310 - support for HP-UX
+- FILE-6330 - corrected description
+- FILE-6374 - changed log and allow root location to be changed
+- FILE-6374 - corrected condition to find 'defaults' flag in /etc/fstab
+- FILE-6430 - minor code improvements and show suggestion with more details
+- FILE-7524 - optimized file permissions testing
+- FINT-4328 - corrected text in log
+- FINT-4334 - improved process detection for lfd
+- HOME-9304 - improved selection for normal users
+- HOME-9306 - improved selection for normal users
+- INSE-8050 - added com.apple.ftp-proxy and improved text output
+- INSE-8050 - corrected function call for showing suggestion
+- INSE-8116 - added rsync service
+- INSE-8314 - changed text of suggestion
+- INSE-8318 - test for TFTP client tools
+- INSE-8320 - test for TFTP server tools
+- INSE-8342 - renamed to INSE-8304
+- KRNL-5788 - don't complain about missing /vmlinuz for Raspi
+- KRNL-5820 - extended check to include limits.d directory
+- KRNL-5830 - skip test partially when running non-privileged
+- KRNL-5830 - detect required reboots on Raspbian
+- LOGG-2154 - added support for rsyslog configurations
+- LOGG-2190 - skip mysqld related entries
+- MACF-6234 - SELinux tests extended
+- MAIL-8804 - replaced static strings with translation-aware strings
+- MALW-3280 - Kaspersky detection added
+- MALW-3280 - CrowdStrike falcon-sensor detection added
+- NAME-4402 - check if /etc/hosts exists before performing test
+- NAME-4404 - improved screen and log output
+- NAME-4408 - corrected Report function call
+- NETW-3032 - small rewrite of test and extended with addrwatch
+- PHP-2372 - don't look in the cli configuration files
+- PKGS-7388 - only perform check for Debian/Ubuntu/Mint
+- PKGS-7410 - use multiple package managers when available
+- PKGS-7410 - added support for Zypper to test number of kernels
+- PRNT-2308 - check also for Port and SSLListen statements
+- PROC-3602 - allow different root directory
+- PROC-3612 - show 'Not found' instead of 'OK'
+- PROC-3614 - show 'Not found' instead of 'OK'
+- PROC-3802 - limit to Linux only (prelink package check)
+- SCHD-7702 - removed hardening points
+- SINT-7010 - limit test to only macOS systems
+- SSH-7402 - detect other SSH daemons like dropbear
+- SSH-7406 - strip OpenSSH patch version and remove characters (carriage return)
+- SSH-7408 - changed text in suggestion and report
+- SSH-7408 - added forced-commands-only option
+- SSH-7408 - VerifyReverseMapping removed (deprecated)
+- SSH-7408 - corrected OpenSSH server version check
+- STRG-1840 - renamed to USB-1000
+- STRG-1842 - added default authorized devices and renamed to USB-2000
+- TIME-3104 - use find to discover files in cron directories
+- TOOL-5002 - differentiate between a discovered binary and running process
+- TOOL-5160 - added support for OSSEC agent daemon
+- Perform additional check to ensure pacman package manager is used
+- Use 'pre-release/release' (was: 'dev/final') with 'lynis show release'
+- Use only locations from PATH environment variable, unless it is not defined
+- Show tip to use 'lynis generate hostids' when host IDs are missing
+- The 'show changelog' command works again for newer versions
+- Several code cleanups, simplification of commands, and code standardization
+- Tests using lsof may ignore individual threads (if supported)
+- Corrected end-of-life detection for CentOS 7 and CentOS 8
+- Tests can require detected package manager (--package-manager-required)
+- Do not show tool tips when quiet option is used
+- Improved screen output in several tests
+- Extended output of 'lynis update info'
+- Improved support for NetBSD
+- Test if profiles are readable
+- systemd service file adjusted
+- bash completion script extended
+- Updated man page
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.7.5 (2019-06-24)
+
+### Added
+- Danish translation
+- Slackware end-of-life information
+- Detect BSD-style (rc.d) init in Linux systems
+- Detection of Bro and Suricata (IDS)
+
+### Changed
+- Corrected end-of-life entries for CentOS 5 and 6
+- AUTH-9204 - change name to check in /etc/passwd file for QNAP devices
+- AUTH-9268 - AIX enhancement to use correct find statement
+- FILE-6310 - Filter on correct field for AIX
+- NETW-3012 - set ss command as preferred option for Linux and changed output format
+- List of PHP ini file locations has been extended
+- Removed several pieces of the code as part of cleanup and code health
+- Extended help
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.7.4 (2019-04-21)
+
+This is a bigger release than usual, including several new tests created by
+Capashenn (GitHub). It is a coincidence that it is released exactly one month
+after the previous version and on Easter. No easter eggs, only improvements!
+
+### Added
+- FILE-6324 - Discover XFS mount points
+- INSE-8000 - Installed inetd package
+- INSE-8100 - Installed xinetd package
+- INSE-8102 - Status of xinet daemon
+- INSE-8104 - xinetd configuration file
+- INSE-8106 - xinetd configuration for inactive daemon
+- INSE-8200 - Usage of TCP wrappers
+- INSE-8300 - Presence of rsh client
+- INSE-8302 - Presence of rsh server
+- Detect equery binary detection
+- New 'generate' command
+
+### Changed
+- AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
+- PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
+- PKGS-7420 - Detect toolkit to automatically download and apply upgrades
+- PKGS-7328 - Added global Zypper option --non-interactive
+- PKGS-7330 - Added global Zypper option --non-interactive
+- PKGS-7386 - Only show warning when vulnerable packages were discovered
+- PKGS-7392 - Skip test for Zypper-based systems
+- Minor changes to improve text output, test descriptions, and logging
+- Changed CentOS identifiers in end-of-life database
+- AIX enhancement for IsRunning function
+- Extended PackageIsInstalled function
+- Improve text output on AIX systems
+- Corrected lsvg binary detection
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.7.3 (2019-03-21)
+
+### Added
+- Detection for Lynis being scheduled (e.g. cronjob)
+
+### Changed
+- HTTP-6624 - Improved logging for test
+- KRNL-5820 - Changed color for default fs.suid_dumpable value
+- LOGG-2154 - Adjusted test to search in configuration file correctly
+- NETW-3015 - Added support for ip binary
+- SQD-3610 - Description of test changed
+- SQD-3613 - Corrected description in code
+- SSH-7408 - Increased values for MaxAuthRetries
+- Improvements to allow tailored tool tips in future
+- Corrected detection of blkid binary
+- Minor textual changes and cleanups
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.7.2 (2019-03-07)
+
+### Added
+- AUTH-9409 - Support for doas (OpenBSD)
+- AUTH-9410 - Test file permissions of doas configuration
+- BOOT-5117 - Support for systemd-boot boot loader added
+- BOOT-5177 - Simplify service filter and allow multiple dots in service names
+- BOOT-5262 - Check OpenBSD boot daemons
+- BOOT-5263 - Test permissions for boot files and scripts
+- Support for end-of-life detection of the operating system
+- New 'lynis show eol' command
+- Korean translation
+
+### Changed
+- AUTH-9252 - Adds support for files in sudoers.d
+- AUTH-9252 - Test extended to check file and directory ownership
+- BOOT-5122 - Use NONE instead of WARNING if no password is set
+- FIRE-4540 - Modify test to better measure rules
+- KRNL-5788 - Resolve false positive warning on missing /vmlinuz
+- NETW-2704 - Ignore inline comments in /etc/resolv.conf
+- PKGS-7388 - Improve detection for security archive
+- RPi/Raspian path to PAM_FILE_LOCATIONS
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.7.1 (2019-01-30)
+
+### Added
+- Support for macOS Mojave
+- Translation: Slovak
+
+### Changed
+- AUTH-9282 - Improve support for Red Hat and clones
+- FIRE-4534 - Additional support for Hands Off!, LuLu, and Radio Silence
+- LOGG-2190 - Added MariaDB filter for deleted files (tested on CentOS)
+- SHLL-6230 - Add /etc/bash.bashrc.local to umask check
+- Removed shift statement that did not work on all operating systems
+- Minor cleanups and enhancements
+- Small improvements to logging
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.7.0 (2018-10-26)
+
+### Added
+- MACF-6240 - Detection of TOMOYO binary
+- MACF-6242 - Status of TOMOYO framework
+- SSH-7406 - OpenSSH server version detection
+- TOOL-5160 - Check active OSSEC analysis daemon
+
+### Changed
+- Changed several warning labels on screen
+- AUTH-9308 - More generic sulogin for systemd rescue.service
+- OS detection now ignores quotes for getting the OS ID.
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.6.9 (2018-09-19)
+
+### Changed
+- Man page has been updated
+- Command 'lynis show options' provides up-to-date list
+- Option '--dump-options' is deprecated
+- Several options and commands have been extended with more examples
+- OS detection now supports openSUSE specific distribution names
+- Changed command output when using 'lynis audit system remote'
+- DBS-1882 - added /usr/local/redis/etc path and QNAP support
+- PKGS-7322 - updated solution text
+- KRNL-5788 - ignore exception when no vmlinuz file was discovered
+- TIME-3104 - extended logging for test
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.6.8 (2018-08-23)
+
+### Changed
+- BOOT-5104 - improved parsing of boot parameters to init process
+- PHP-2372 - test all PHP files for expose_php and improved logging
+- Alpine Linux detection for Docker audit
+- Docker check now tests also for CMD, ENTRYPOINT, and USER configuration
+- Improved display in Docker output for showing which keys are used for signing
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.6.7 (2018-08-09)
+
+### Changed
+- BOOT-5104 - Added busybox as a service manager
+- KRNL-5677 - Limit PAE and no-execute test to AMD64 hardware only
+- LOGG-2190 - Ignore /dev/zero and /dev/[aio] as deleted files
+- SSH-7408 - Changed classification of SSH root login with keys
+- Docker scan uses new format for maintainer value
+- New URL structure on CISOfy website implemented for Lynis controls
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.6.6 (2018-07-06)
+
+### Changed
+* New format of changelog (https://keepachangelog.com/en/1.0.0/)
+* KRNL-5830 - Improved log text about running kernel version
+
+### Fixed
+* Under some condition no hostid2 value was reported
+* Solved 'extra operand' issue with tr command
+
+---------------------------------------------------------------------------------
+
+Lynis 2.6.5 (2018-06-26)
+
+Tests:
+------
+
+* [MAIL-8804] - Exim configuration test
+* [NETW-2704] - Use FQDN to test status of a nameserver instead of own IP address
+* [SSH-7402] - Improved test to allow configurations with a Match block
+
+---------------------------------------------------------------------------------
+
+Lynis 2.6.4 (2018-05-02)
+
+Changes:
+--------
+* Several contributions merged, including grammar improvements
+* Initial support for Ubuntu 18.04 LTS
+* Small enhancements for usage
+
+Tests:
+------
+* [AUTH-9308] - Made 'sulogin' more generic for systemd rescue shell
+* [DNS-1600] - Initial work on DNSSEC validation testing
+* [NETW-2704] - Added support for local resolver 127.0.0.53
+* [PHP-2379] - Suhosin test disbled
+* [SSH-7408] - Removed 'DELAYED' from OpenSSH Compression setting
+* [TIME-3160] - Improvements to detect step-tickers file and entries
+
+---------------------------------------------------------------------------------
+
+Lynis 2.6.3 (2018-03-07)
+
+Changes:
+--------
+* Change in routine for host identifiers
+
+Tests:
+------
+* [CRYP-7902] - Do prevalidation for certificates before testing them
+* [HRDN-7222] - Enhanced compiler permission test
+* [NAME-4402] - Improved test to filter out empty lines
+* [PKGS-7384] - Changes to detect yum-utils package and related tooling
+
+Plugins:
+--------
+* [PLGN-2680] - cron file permissions
+
+---------------------------------------------------------------------------------
+
+Lynis 2.6.2 (2018-02-13)
+
+Changes:
+--------
+* Bugfix for Arch Linux (binary detection)
+* Textual changes for several tests
+* Update of tests database
+
+---------------------------------------------------------------------------------
+
+Lynis 2.6.1 (2018-01-26)
+
+Changes:
+--------
+* Tests can have more than 1 required OS (e.g. Linux OR NetBSD)
+* Added 'system-groups' option to profile (Enterprise users)
+* Overhaul of default profile and migrate to new style (setting=value)
+* Show warning if old profile options are used
+* Improved detection of binaries
+* New group 'usb' for tests related to USB devices
+
+Tests:
+------
+* [FILE-6363] - New test for /var/tmp (sticky bit)
+* [MAIL-8802] - Added exim4 process name to improve detection of Exim
+* [NETW-3030] - Changed name of dhcp client name process and added udhcpc
+* [SSH-7408] - Restored UsePrivilegeSeparation
+* [TIME-3170] - Added chrony configuration file for NetBSD
+
+---------------------------------------------------------------------------------
+
+Lynis 2.6.0 (2018-01-18)
+
+Changes:
+--------
+* Binary paths are now sorted
+* Greek language added
+* systemd detection improved
+* VirtualBox detection extended
+* Several code enhancements
+
+Tests:
+------
+* [PHP-2379] - Small enhancement to resolve error on screen in some cases
+* [MALW-3280] - Improved detection for BitDefender tooling
+
+---------------------------------------------------------------------------------
+
+Lynis 2.5.9 (2018-01-12)
+
+Changes:
+--------
+* Don't show upgrade notice when being quiet/silent
+* Added --noplugins as an alias to skip execution of plugins
+* Use PATH variable for path detection, with predefined list as a backup
+
+Tests:
+------
+* [KRNL-6000] - Multiple values are now allowed per sysctl key
+* [KRNL-6000] - Individual tests can be skipped (skip-test=KRNL-6000:<sysctl-key>)
+* [KRNL-6000] - Solution text has been added
+
+---------------------------------------------------------------------------------
+
+Lynis 2.5.8 (2017-12-28)
+
+Changes:
+--------
+* Check for empty files improved on several locations
+* New allow-auto-purge setting in profile for short-lived systems
+* Additional checks for log and report file
+* Changes to support time synchronization in old and newer systemd releases
+* Enhanced output for systems other than Linux
+
+Plugins:
+--------
+* New class (hardware) added and enabled in default profile
+
+---------------------------------------------------------------------------------
+
+Lynis 2.5.7 (2017-10-29)
+
+Changes:
+--------
+* Update of Portuguese translation
+* Added --silent as alias for --quiet
+* Reduced screen output when running non-privileged
+* IsRunning function now allows full name process match
+
+---------------------------------------------------------------------------------
+
+Lynis 2.5.6 (2017-10-27)
+
+Changes:
+--------
+* Added additional keywords for banners
+* DirectAdmin extensions
+* Enhancements to process detection
+* Spanish translation extended
+* Extended HP-UX support
+* Only show relevant messages in report
+
+Tests:
+------
+* [NETW-2705] - Allow local resolvers to bypass requirement for 2+ name servers
+* [SSH-7408] - Define default 'delayed' compression as a sane value for SSH tests
+* [SHLL-6220] - Improved detection of shell settings
+
+---------------------------------------------------------------------------------
+
+Lynis 2.5.5 (2017-09-07)
+
+Changes:
+--------
+* Minor release to solve errors on screen
+
+Tests:
+------
+* CRYP-7902 - certificate validation changed
+
+---------------------------------------------------------------------------------
+
+Lynis 2.5.4 (2017-09-05)
+
+Changes:
+--------
+* Improve systemd detection
+* Detect Linux Mint version
+* Older versions of Mac OS X are detected as well
+* Norwegian translation added
+* PAM plugin extended
+
+Tests:
+------
+* CRYP-7902 - certificate validation changed
+* FIRE-4508 - Improved screen output
+* PKGS-7380 - NetBSD vulnerability detection adjusted
+* TOOL-5002 - Improved detection of Ansible directories and files
+
+---------------------------------------------------------------------------------
+
+Lynis 2.5.3 (2017-08-17)
+
+Changes:
+--------
+* DirectAdmin location added
+* Small adjustments to text
+* Enhanced detection for LXC and LXC
+* Added /opt/apache as a target location
+* Default log directory set for HP-UX
+* Screen output improvements
+
+Tests:
+------
+* CRYP-7902 - Prevent test from showing error on screen
+* FILE-6310 - Detection of mount point now match exact name
+* HRDN-7230 - Show single line when no malware scanner was detected
+* NETW-3006 - Updated detection of MAC addresses on Linux
+* PKGS-2379 - Improvement for OpenBSD usage of PHP suhosin
+* TOOL-5002 - Detection capabilities for Ansible added
+
+---------------------------------------------------------------------------------
+
+Lynis 2.5.2 (2017-07-10)
+
+Changes:
+--------
+- Support for PHP on CloudLinux
+- Check for presence of locale binary
+- Suhosin detection improvements
+- Generic code improvements
+- Changed 'lynis audit system remote' routine
+- Support for macOS High Sierra
+- French translation updated
+
+Lynis Enterprise:
+-----------------
+- Allow 'tags' and 'system-customer-name' to be specified via Lynis client
+
+Tests:
+------
+* CONT-8102 - Check for dockerd instead of docker -d
+* FIRE-4594 - Check for presence Advanced Policy Firewall (APF)
+* PKGS-2379 - New test for PHP suhosin extension status
+* PKGS-7370 - Only use debsums on Debian
+* KRNL-6000 - Added kernel.dmesg_restrict testing
+
+---------------------------------------------------------------------------------
+
+Lynis 2.5.1 (2017-05-31)
+
+Changes:
+--------
+- Hebrew translation by Dolev Farhi
+- Improved detection of SSL certificate files
+- Minor changes to improve logging and results
+
+Tests:
+------
+* BOOT-5104 - Added support for macOS
+* FIRE-4524 - Determine if CSF is in testing mode
+* HTTP-6716 - Improved log message
+
+---------------------------------------------------------------------------------
+
+Lynis 2.5.0 (2017-05-03)
+
+During the development of this release, the project got informed about a flaw
+that possibly could be abused by a local attacker. Even with the small risk of
+success, upgrading is highly recommended. See details on
+[CVE-2017-8108](https://cisofy.com/security/cve/cve-2017-8108/)
+
+This release is a special maintenance release with focus on cleaning up the code
+for readability and future expansion.
+
+Changes:
+--------
+* Use ROOTDIR variable instead of fixed paths
+* Introduction of IsEmpty and HasData functions for readability of code
+* Renamed some variables to better indicate their purpose (counting, data type)
+* Removal of unused code and comments
+* Deleted unused tests from database file
+* Correct levels of identation
+* Support for older mac OS X versions (Lion and Mountain Lion)
+* Initialized variables for more binaries
+* Additional sysctls are tested
+
+Tests:
+------
+* MALW-3280 - Extended test with Symantec components
+* PKGS-7332 - Detection of macOS ports tool and installed packages
+* TOOL-5120 - Snort detection
+* TOOL-5122 - Snort configuration file
+
+---------------------------------------------------------------------------------
+
+Lynis 2.4.8 (2017-03-29)
+
+Changes:
+* More PHP paths added
+* Minor changes to text
+* Show atomic test in report
+
+Tests:
+------
+* MAIL-8820 - New Postfix configuration check
+* TOOL-5002 - Extended Puppet detection
+
+---------------------------------------------------------------------------------
+
+Lynis 2.4.7 (2017-03-22)
+
+Changes:
+* Minor code cleanups
+
+Tests:
+------
+* BANN-7126 - Added more words to test for
+* CUPS-2308 - Improve logging for CUPS configuration test, removed exception handler
+* HTTP-6641 - Support detection for Apache module mod_reqtimeout
+* PKGS-7388 - Minor change to detect security repositories
+
+---------------------------------------------------------------------------------
+
+Lynis 2.4.6 (2017-03-15)
+
+Changes:
+--------
+* Added FileInstalledByPackage function (dpkg and rpm supported)
+* Mark Arch Linux version as rolling release (instead of unknown)
+* Support for Manjaro Linux
+* Escape files when testing if they are readable
+* Code cleanups
+
+Tests:
+------
+* CRYP-7902 - Test more certificates names, but only if they are not part of a package
+* FILE-7524 - Reduce standard screen output for file permissions check
+* MALW-3280 - Added Avira detection as a malware scanner
+* NAME-4018 - Only perform name services test when resolv.conf file exists
+* PKGS-7387 - Check all repositories if they use GPG signing
+* SCHD-7704 - Permission checks
+* TIME-3104 - Check permissions before open files
+
+---------------------------------------------------------------------------------
+
+Lynis 2.4.5 (2017-03-09)
+
+Changes:
+--------
+* Allow host alias to be specified in profile
+* Code readability enhancements
+* Solaris support has been improved
+
+Tests:
+------
+* AUTH-9328 - Add missing 0027 and 0077 umasks
+* BOOT-5104 - Add initsplash and minor code enhancements
+* DBS-1882 - Include Redis configuration file
+* FIRE-4502 - Improved detection for iptables modules when using OpenVZ
+* PKGS-7381 - Enhanced package audit for FreeBSD
+
+---------------------------------------------------------------------------------
+
+Lynis 2.4.4 (2017-03-01)
+
+Changes:
+--------
+* Fix for upload function to be used from profile
+* Reduce screen output for mail section, unless --verbose is used
+* Code cleanups and removed 'update release' command
+
+Tests:
+------
+* AUTH-9308 - Improved test for sulogin string (Debian systems)
+* FILE-6372 - Properly deal with comment on lines in /etc/fstab
+* MAIL-8817 - New test to check Postfix configuration for errors
+* SSH-7408 - Corrected SSH check
+
+---------------------------------------------------------------------------------
+
+Lynis 2.4.3 (2017-02-22)
+
+Changes:
+--------
+* Colored output can now be tuned with profile (colors=yes/no)
+* Allow data upload to be set as a profile option
+
+Tests:
+------
+* AUTH-9308 - Improved test for sulogin string
+* MAIL-8818 - Test if Linux version is known before comparing in Postfix banner
+* TIME-3116 - Skip stratum 16 items for time pools
+* TIME-3148 - New test to detect TZ variable
+
+---------------------------------------------------------------------------------
+
+Lynis 2.4.2 (2017-02-15)
+
+Changes:
+--------
+* Properly detect SSH daemon version
+
+Tests:
+------
+* AUTH-9208 - Removed double logging
+* AUTH-9222 - Improve logging for double groups
+* AUTH-9226 - Improve logging for double groups
+* BOOT-5177 - Sort systemctl unit files to make them unique
+* DBS-1818 - New test to detect MongoDB
+* DBS-1820 - New test for MongoDB authentication
+* FIRE-4512 - Lowered minimum number of iptables firewall rules
+* FIRE-4586 - Fix applied when searching for "-j LOG"
+* HRDN-7222 - Changed reporting key of world executable compilers
+* SSH-7408 - Added filtering for PermitRootLogin (prohibit-password, OpenSSH 7.0)
+
+---------------------------------------------------------------------------------
+
+Lynis 2.4.1 (2017-02-09)
+
+Changes:
+--------
+* Generic code improvements
+* Improved the update check and display
+* Finish, Portuguese, and Turkish translation
+* Extended support and tests for DragonFlyBSD
+* Option to configure hostid and hostid2 in profile
+* Support for Trend Micro and Cylance (macOS)
+* Remove comments at end of nginx configuration
+* Used machine ID to create host ID when no SSH keys are available
+* Added detection of iptables-save to binaries
+
+Tests:
+------
+* FIRE-4586 - Check logging for firewall components
+* KRNL-5788 - Remove exception and style improvements
+* KRNL-5830 - Improved logging
+
+---------------------------------------------------------------------------------
+
+Lynis 2.4.0 (2016-10-27)
+
+Exactly one month after previous release, the Lynis project is proud to announce
+a new release. This release had the specific focus to improve support for macOS
+users. Thanks to testers and contributors to make this possible.
+
+New:
+----
+* New group "system integrity" added
+* Support for clamconf utility
+* Chinese translation (language=cn)
+* New command "upload-only" to upload just the data instead of a full audit
+* Enhanced support for macOS, including HostID2 generation for macOS
+* Support for CoreOS
+* Detection for pkg binary (FreeBSD)
+* New command: lynis show hostids (show host ID)
+* New command: lynis show environment (hardware, VM, or container type)
+* New command: lynis show os (show operating system details)
+
+Changes:
+--------
+* Several new sysctl values have been added to the default profile
+* Existing tests have been enhanced to support macOS
+
+Tests:
+------
+* AUTH-9234 - Support for macOS user gathering
+* BOOT-5139 - Support for machine roles in LILO test
+* BOOT-5202 - Improve uptime detection for macOS and others
+* FIRE-4518 - Improve pf detection and mark as root-only test
+* FIRE-4530 - Don't show error on screen for missing IPFW sysctl key
+* FIRE-4534 - Check Little Snitch on macOS
+* INSE-8050 - Test for insecure services on macOS
+* MACF-6208 - Allow non-privileged execution and filter permission issues
+* MALW-3280 - Detection for Avast and Bitdefender daemon on macOS
+* NETW-3004 - Support for macOS
+* PKGS-7381 - Improve test for pkg audit on FreeBSD
+* TIME-3104 - Chrony support extended
+
+Plugins (community and commercial):
+-----------------------------------
+* PLGN-1430 - Gather installed software packages for macOS
+* PLGN-4602 - Support for Clam definition check on macOS
+
+---------------------------------------------------------------------------------
+
+Lynis 2.3.4 (2016-09-27)
+
+Changes:
+--------
+* Skip update message when using the 'show' helper
+* Instead of opening the log file, you can now use 'lynis show details' followed
+ by the test ID. It will show the relevant section.
+* Several tests have extended log details
+* Many style improvements as part of ongoing refactoring of the code
+* Detection of nftables improved
+* Replaced cut, sed, tr and others commands with binary variable (for forensics
+ and future intrusion checking capabilities)
+* Swedish translation provided by Peter Carlsson
+* Support for arch-audit to scan for presence of vulnerable packages on Arch Linux
+* OS detection improved
+
+Tests:
+------
+* CONT-8107 - New test checking number of Docker containers
+* CRYP-7902 - Gather more details regarding certificates
+* DBS-1816 - Define skip reason
+* FILE-6344 - Adjusted /proc test for hidepid option
+* FILE-6362 - Removed warning and add skip reason
+* FIRE-4520 - Change test to use detected binary
+* FIRE-4520 - New test to check for empty nftables ruleset
+* KRNL-5820 - Corrected function and style improvements
+* LOGG-2146 - Textual change
+* NAME-4408 - Check localhost to IP mapping
+* PKGS-7320 - Test for arch-audit tool
+* PKGS-7322 - Check vulnerable packages on Arch Linux
+* PKGS-7381 - Extended vulnerable package detection for FreeBSD
+* TIME-3104 - timedatectl test now detects NTP synchronization properly
+
+
+---------------------------------------------------------------------------------
+
+Lynis 2.3.3 (2016-08-23)
+
+
+Upgrade note
+------------
+Customized profiles that included sysctl settings need to be altered. See
+default.prf for the correct format of the lines.
+
+
+Additions
+---------
+* OpenStack detection
+* Option to disable automatic refresh of software repository
+
+
+Languages
+---------
+* Japanese translation added, contributed by Yukio Takahara
+
+
+Fixes
+-----
+* Some tests did not show a warning text
+* Typo in man page for tests-from-group
+
+
+Parameters
+----------
+* New --bin-dirs to define binary directories to scan
+* New option --root-dir to specify a different file system to scan
+
+
+Nginx
+-----
+* Rewrite of configuration parsing
+
+
+PHP
+---
+* Support for PHP 5.6
+
+
+Redis
+-----
+* Redis test to detect configuration files
+* Test Redis configuration for several best practices
+* Perform permission check on Redis configuration files
+
+
+Experimental features (in development)
+--------------------------------------
+* --bin-dirs - set what directories should be scanned for binaries
+* --root-dir - define the root of the file system, to allow forensics
+
+
+Settings
+--------
+* Many settings have a new alias (with dashes instead underscores)
+* New setting 'show-report-solution' to show solution in report
+
+
+Functions
+---------
+* ExitFatal can now exit program with optional text
+* IsNotebook can detect if system is a notebook (or not)
+* ShowSymlinkPath and FileIsReadable test for at least one argument
+* StoreNginxSettings will save parsed nginx configuration
+
+
+Tests
+-----
+* BOOT-5108 - Support for Syslinux bootloader
+* DBS-1882 - Redis configuration detection
+* DBS-1884 - Redis 'requirepass' check
+* DBS-1886 - Redis 'rename-command CONFIG' check
+* DBS-1888 - Redis 'bind localhost' check
+* FILE-6374 - Improved logging
+* KRNL-5830 - Improved logging for detected Linux kernels
+* KRNL-6000 - Support for multiple profiles and new format style
+* LOGG-2190 - Ignore MySQL files in /tmp from early MySQL 5.x releases
+* LOGG-2192 - New test to check opened log files that are empty
+
+Lynis Enterprise integration
+----------------------------
+* Tag 'redis-server' is added for systems running Redis
+
+
+---------------------------------------------------------------------------------
+
+Lynis 2.3.2 (2016-08-09)
+
+
+Categories and Groups
+---------------------
+Tests are now grouped by their focus area and named 'groups' accordingly.
+Besides groups, each test will belong to a category (performance, privacy, or
+security).
+
+Commands: lynis show categories, lynis show groups
+Options: --tests-from-category, --tests-from-group
+
+Note: You might need to change your scripts if you previously defined the group
+of tests to scan.
+
+
+Development
+
+-----------
+A new 'strict' option is available in the profiles and by default enabled for
+the initialization phases of Lynis. It will perform a strict code check for the
+tests, to detect any uninitialized variables, improving code quality.
+
+
+Helpers
+-------
+With 'lynis update check' you can now check for updates. This is the preferred
+new method.
+
+The command 'lynis show changelog' allows reviewing the changes. Optionally a
+release can be specified as additional argument.
+
+
+Languages
+---------
+Initial translation for German has been contributed by Kai Raven. The Italian
+translation by Stefano Marty (stefanomarty). Hungarian translation by Zoltan
+Paldi (paldiz)
+
+
+Profiles
+--------
+Parsing of the profiles has been improved, which prevented some settings from
+overriding default settings.
+
+Tests
+------
+* AUTH-9212 - Added prerequisite to log
+* AUTH-9216 - Simplified test and make it more efficient
+* AUTH-9218 - Clean ups and improve readability
+* AUTH-9226 - Style, text, and removed warning
+* AUTH-9228 - Provide just a suggestion instead of warning
+* AUTH-9268 - Improve test for readability
+* AUTH-9328 - Test /etc/profile.d for umask setting
+* AUTH-9406 - Readability and code style changes
+* CONT-8102 - Determine if all Docker tests should be performed
+* DBS-1880 - Initial support for Redis server
+* HTTP-6720 - Readability improvement of test
+* KRNL-5830 - Readability and style improvements, ignore rescue images
+* MAIL-8818 - Style and refactoring
+* PHP-2211 - Readability improvement and code style changes
+* PHP-2374 - Changed text and cleanups
+* PHP-2376 - Log result to log file instead of report
+* PKGS-7383 - Simplified test
+* PKGS-7388 - Style and readability improvements
+* TIME-3106 - Corrected string to test for status
+* TOOL-5102 - Split of fail2ban tests
+* TOOL-5104 - Test for enabled fail2ban jails
+
+
+Languages
+---------
+Translation of Spanish (es) added
+Proper display of text strings when accented characters are used
+More text strings added
+
+
+General
+-------
+* Added bold and header as new colors
+* Changed header and footer of screen output
+* Allow atomic tests to be skipped (e.g. SSH-7408)
+* Extended tests database with category (lynis show tests)
+* By default Lynis will now run in 'quick mode' and not break after each
+section. You can get this behavior by adding the --wait option.
+
+
+Functions
+---------
+* RemoveColors - New test to clear colors
+* DisplayError - Display error on screen in uniform format and colors
+ Use an optional exit code to quit the program
+* SkipAtomicTest - This function is now properly working with lowercase strings
+
+
+Website
+-------
+Several controls on the website are added or updated, including:
+* FILE-6344
+* FINT-4315
+* FINT-4402
+* HTTP-6714
+* MACF-6234
+* NAME-4018
+* NAME-4402
+* PHP-2374
+* PROC-3612
+* TIME-3106
+
+---------------------------------------------------------------------------------
+
+
+Lynis 2.3.1 (2016-07-14)
+-----------------------------------------------
+
+This is a minor patch to improve upon findings in version 2.3.0.
+
+Changes:
+- Convert all skipped tests to uppercase
+- Only add license key when it is defined
+- Updated French translation
+- Exclude custom.prf from tarball (download via website)
+
+
+--------------------------------------------------------------
+
+
+Lynis 2.3.0 (2016-07-13)
+-----------------------------------------------
+
+We are excited to announce this major release of auditing tool Lynis. Several big
+changes have been made to core functions of Lynis. These changes are the next of
+simplification improvements we made. There is a risk of breaking your existing
+configuration. See the tips below to upgrade.
+
+This release will soon also be available in our software repository. For more
+details see https://packages.cisofy.com to install and upgrade Lynis.
+
+
+Upgrade tips
+============
+
+Default profile and custom profiles:
+Settings of multiple profiles can now be merged. Instead of making changes to
+default.prf, copy your changes to custom.prf. Use 'lynis show profiles' to show
+any detected profiles. Only include your changes in custom.prf, to keep the
+configuration clean and tidy. They will then overwrite the defaults. Use
+'lynis show settings' to see if they are applied.
+
+Check your cron jobs:
+When using --quiet, the output will be really quiet now. Use --show-warnings-only
+if you still want to see the warnings. Lynis will now exit with error 0, even
+when warnings have been found. Use option error-on-warnings=yes (custom.prf) to
+exit with code 78 when it has any warnings.
+
+
+Details
+=======
+
+Ansible
+-------
+New Ansible examples for deployment: https://github.com/CISOfy/lynis-ansible
+
+
+Databases
+---------
+Lynis will check also for DB2 instances and report the status.
+
+
+Developer Mode
+--------------
+With this release the developer mode is introduced. It can be activated with the
+--developer option, or developer-mode=yes in profile. In development mode, some
+details are displayed on screen, to help testing of existing or new tests.
+
+To get easy access, a new profile has been added (developer.prf).
+
+Examples:
+lynis audit system --profile developer.prf
+lynis audit system --developer
+
+A new software development kit (SDK) for Lynis is available on GitHub. This will
+help contributors and developers to test software quality, including linting and
+running unit tests. The devkit also supports building DEB and RPM files for easy
+deployment. The repository can be found on https://github.com/CISOfy/lynis-sdk
+
+
+Documentation
+-------------
+Template files have been updated to provide better examples on how to create
+custom tests and plugins.
+
+To simplify the usage of Lynis, a new helper utility has been added: show.
+This helper will show help, or values (e.g. version, plugin directories, etc).
+Some examples include: lynis show options, lynis show commands, lynis show
+version, etc. See lynis show for all available details.
+
+
+File Systems
+------------
+The XFS file system detection has been added. Mount points /dev/shm and /var/tmp
+are now checked for their options. Comparison of the mount options has been
+improved. A new test has been added to check if /var/tmp has been bound to /tmp.
+
+
+Language Support
+----------------
+Lynis now supports language translations, with the language profile option.
+Initial languages: Dutch (nl), English (en), French (fr).
+
+You can help by translating the language files in the db directory.
+
+
+Mac OS X Improvements
+---------------------
+Package manager Brew has been added
+
+
+nginx
+-----
+Show suggestion when weak protocol is used, like SSLv2 or SSLv3. The protocols
+are now also parsed and stored as details in the report file.
+
+
+Packages
+--------
+Systems running CentOS, Debian, openSUSE, RHEL, Ubuntu and others, may now use
+our own software repository: https://packages.cisofy.com
+
+Performance
+-----------
+Several performance improvements have been implemented. This includes rewriting
+tests to invoke less commands and enhanced hardware detection at the beginning.
+
+
+Plugins
+-------
+You can set the plugin directory now also via a profile. First match wins.
+Priority: 1) argument, 2) profile, 3) default
+
+--plugindir is now an alias for --plugin-dir
+
+
+Profiles
+--------
+Lynis now support multiple profiles. By using a file 'custom.prf', it allows to
+inherit values first from default.prf, then merge it with custom.prf.
+
+Several tests have been altered to support multiple profiles.
+
+New profile options:
+ quick=yes|no (similar to --quick)
+ developer (see Developer section)
+ check-value
+
+
+Remote scanning
+---------------
+Although Lynis is a aimed on running on local hosts, there is still an ongoing
+demand for running remote scans. With 'lynis audit system remote' tips are now
+provides to perform such a scan via SSH.
+
+
+Software
+--------
+Zypper calls are now marked with a non-interactive flag to prevent it waiting for
+any interactive input.
+
+
+Solaris
+-------
+Improve execution for Solaris systems.
+
+
+SSH
+---
+The configuration of SSH is now parsed from the SSH daemon directly. This enables
+handling with new defaults more easily, as OpenSSH sometimes introduces new keys,
+or change their default value between versions.
+
+
+Systemd
+-------
+Added support for detecting systemd and reporting it as a service manager. The
+systemd plugin has been released as a community plugin.
+
+
+Uploads
+-------
+Solved a bug which added the proxy configuration twice.
+
+Profile options: upload-tool and upload-tool-arguments
+
+
+General Improvements
+--------------------
+The screen output has been improved, to show more meaningful things when some
+parameters are missing. Several old variables and lines have been cleaned up.
+
+The Display function now allows the --debug flag. This helps in showing some
+lines on screen, which would normally be hidden (e.g. items not found or
+matched).
+
+Logging has been improved in different areas, like cleaning up and add more
+relevant messages where needed.
+
+The interface colors have been changed, to make it more obvious how the software
+can be used. Also the wait line between categories have been altered, to properly
+display on systems with a white background.
+
+When no auditor name has been specified, it will say that instead of unknown.
+
+Functions file has been cleaned up, including adding developer debug information
+when old functions are still be used. Later on these functions will be deleted,
+and therefore placed at the bottom.
+
+
+Program Options
+---------------
+* --developer - Enable developer mode
+* --verbose - Show more details on screen, reduce in normal mode
+* --show-warnings-only - Only show warnings on screen
+* --skip-plugins - Disable running any plugins (alias: --no-plugins)
+* --quiet - Changed: become really quiet
+* --config - Removed: use 'lynis show profiles' instead
+
+
+Functions
+---------
+* AddSetting - New function to store settings (lynis show settings)
+* ContainsString - New function to search for a string in another one
+* Display - Added --debug, showing details on screen in debug mode
+ - Reset identation for lines which are too long
+* DisplayToolTip - New function to display tooltips
+* IsDebug - Check for usage of --debug
+* IsDeveloperMode - Status for development and debugging (--developer)
+* IsDeveloperVersion - Check if release is still under development
+* IsRunning - Added return state
+* IsVerbose - Check for usage of --verbose
+* IsOwnedByRoot - Check ownership of files and directories
+* IsWorldWritable - Improved test with additional details
+* PortIsListening - Check if a service it listening to a specified port
+* SkipAtomicTest - Allow smaller tests to be skipped (e.g. SSH-7408)
+
+
+Tests
+-----
+* AUTH-9234 - Test for minimal UID in /etc/login.defs when available
+* AUTH-9254 - Allow allow root to use this test, due to permissions
+* AUTH-9262 - Restructure of test, support for pwquality PAM
+* AUTH-9288 - Only check for accounts which have a maximum password age set
+* AUTH-9308 - Check for systemd targets
+* BANN-7119 - /etc/motd test disabled
+* BANN-7122 - /motd content test disabled
+* BOOT-5122 - Extended GRUB password check
+* BOOT-5184 - Improve file permissions check for CentOS 7 machines
+* DBS-1860 - Check for status of DB2
+* CRYP-7902 - Improved logging
+* FILE-6354 - Restrict searching in /tmp to mount point only
+* FILE-6372 - Properly checking for /etc/fstab now, ignore comments
+* FILE-6374 - Added /dev/shm and /var/tmp
+* FILE-6374 - New test for /var/tmp
+* FILE-6430 - New test for detecting specific filesystems
+* FILE-7524 - Support for multiple profiles
+* HTTP-6632 - Fix for proper detection of Apache modules
+* HTTP-6642 - Test disabled
+* HTTP-6710 - Trigger suggestion when weak protocols SSLv2/SSLv3 are used
+* KRNL-5788 - Support for kernel with grsecurity patches (linux-image-grsec)
+* KRNL-5820 - Improved logging for test
+* KRNL-6000 - Allow multiple profiles to be used, store more details
+* LOGG-2190 - Improvements for Fail2Ban and cron-related files
+* NETW-3014 - Support for multiple profiles
+* PKGS-7303 - Added Brew package manager
+* PKGS-7354 - Test for DNF repoquery plugin before using it
+* PKGS-7381 - Check for vuln.xml file
+* PRNT-2306 - Check if files are readable before parsing them
+* PROC-3612 - Removed wchan output to prevent grsecurity issues
+* SCHD-7702 - Test for running cron daemon
+* SCHD-7704 - Test ownership of cronjob files
+* SSH-7408 - Show weak configurations of SSH on screen as a suggestion
+* TOOL-5102 - Test for Fail2ban tooling
+* TOOL-5190 - Test for intrusion detection or prevention system
+
+
+Plugins
+-------
+* PLGN-1602 - Marked as root-only
+* PLGN-2612 - Marked as root-only
+* PLGN-2804 - Marked as root-only
+* PLGN-3202 - Marked as root-only
+
+
+--------------------------------------------------------------
+
+Lynis 2.2.0 (2016-03-18)
+
+We are proud to present this new release of Lynis. It is a major upgrade, and the
+result of many months of work. This version includes new features and tests, and
+many small enhancements. We encourage all to test and upgrade to this latest
+release.
+
+* Highlights
+------------
+The biggest change in this release is the optimization of several functions. It
+allows for better detection, and dealing with the quirks, of every single
+operating system. Some functions were fortified to handle unexcepted results
+better, like missing a particular binary, or not returning the hostname.
+
+This release also enables tests to be shorter, by adding new functions. Some
+functions were renamed or slightly changed, to provide more value to the tooling.
+Another big change in this release is a wide set of optimizations and quality
+testing. Outdated pieces were removed, or rewritten, to support features seen in
+newer distributions.
+
+In the area of compliance, adjustments have been made to start supporting more
+in-depth testing for this. Ideal for companies who have a particular compliance
+need, or want to test and enforce the system hardening levels of their systems.
+
+Last but not least, many small changes make this software easier to use. On
+our website we added new guides to provide help and support.
+
+We like to thank our contributors, in particular Kamil Boratyński, Steve Bosek,
+and Eric Light. Their contributions helped us greatly shaping this release.
+
+
+Below are the changes per category:
+
+* Automation tools
+------------------
+Detection for CFEngine has been improved. Also additional logging and reporting
+of automation tools.
+
+* Authentication
+----------------
+Depending on the operating system, Lynis now tries to determine if failed logins
+are properly logged. This includes checking for /etc/login.defs file [AUTH-9408].
+Merged previous password check for Solaris into test AUTH-9228. User ids on AIX
+will be gathered and added to the report [AUTH-9234].
+
+New plugin is introduced to analyze PAM settings. It including items like:
+
+- Two-factor authentication methods
+- Minimum password length, password strength and protection status against brute
+ force cracking
+- Password history
+
+Report option: auth_failed_logins_logged
+
+* Boot
+------
+Added detection for Mac OSX boot loader. Initial support to test UEFI settings,
+including Secure Boot option. Options boot_uefi_booted and
+boot_uefi_booted_secure added to report file
+
+* Compliance
+------------
+This release prepares for upcoming extensions to assist with compliance testing.
+The profile has a new option, which can be used to define what standards should
+be tested for, if any test is available. The related option is:
+compliance_standards
+
+Right now these standards can be selected:
+- CIS benchmarks
+- HIPAA
+- ISO27001/ISO27002
+- PCI DSS
+
+Note that additional tests will be implemented in future releases and then tagged
+to these particular standards.
+
+* DNS and Name services
+-----------------------
+Support added for Unbound DNS caching tool [NAME-4034], including a configuration
+check [NAME-4036].
+
+Record if a name caching utility is being used like nscd or Unbound. Also logging
+to report as field name_cache_used
+
+* Firewalls
+-----------
+Test for IPFW firewall on FreeBSD has been improved: status of pflogd will no
+longer be displayed, when pf is not available.
+
+New test FIRE-4532 introduced for detection of the Mac OS X application firewall.
+Also, the status of application firewalls is audited now.
+
+FIRE-4508 is another new test, which tests chains of iptables and their default
+policy (ACCEPT or DROP). This release also supports the upcoming nftables
+technology with new test FIRE-4536. It is expected that it will replace iptables
+later on, so this test will perform a status check. Additional FIRE-4548 will
+perform a version detection of the userland utility nft and determine if there
+are any rules configured.
+
+Renamed FIRE-4511 to FIRE-4502.
+
+* File Integrity Monitoring
+---------------------------
+Test added to include osqueryd as a supported tool.
+
+* Hardware
+----------
+Detection of firewire is enhanced (both ohci and core detected).
+
+* Logging
+---------
+Extended the test syslog-ng logging to remote systems. The log Lynis itself
+produces is also enhanced, to be more detailed for several tests.
+
+* Malware
+---------
+ESET and LMD (Linux Malware Detect) have been added. Discovered malware scanners
+are also logged to the report.
+
+* Mount points
+--------------
+FILE-6374 is expanded to test for multiple common mount points and define best
+practice mount flags.
+
+* Networking
+------------
+Best practices for IPv6 configuration on Linux are now collected. Also network
+interface names from most operating systems.
+
+* Operating systems
+-------------------
+Improved support for Debian 8 systems, and displaying Gentoo for Gentoo-based
+systems. Detection of VMware release has been added. Boot loader exception is not
+longer displayed when only a subset of tests is performed. FreeBSD systems can
+now use service command to gather information about enabled services.
+
+Several paths have been added to allow better detection on systems running
+FreeBSD and others.
+
+* Passwords
+-----------
+AUTH-9286 change has been extended to both capture minimum and password age.
+
+* Proxy support
+---------------
+A proxy can now be specified in the profile, to allow uploads via a HTTP or SOCKS
+proxy.
+
+* Service Managers
+------------------
+SystemV init is now detected.
+
+* Software and Packages
+-----------------------
+Now information will be logged when vulnerable software packages were found.
+Support for DNF (Dandified YUM) for Fedora systems has been added. This is done
+in several tests: PKGS-7350 (installed packages), PKGS-7352 (security notices),
+PKGS-7354 (integrity tests).
+
+* SSH
+-----
+Multiple configuration tests of SSH are now merged into SSH-7408. This enables
+easier testing later on and reduces repetition.
+
+* Virtual machines and Containers
+---------------------------------
+Detection of virtual machines has been extended in several ways. Now VMware tools
+(vmtoolsd) are detected and machine state is improved with tools like Puppet
+Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it
+before gave error as it found directory /usr/libexec/docker. Check file
+permissions for Docker files, like the socket file [CONT-8108].
+
+* Individual tests
+------------------
+[AUTH-9204] Exclude NIS entries to avoid false positives
+[AUTH-9230] Removed test as it was merged into AUTH-9228
+[AUTH-9234] Support for AIX added
+[AUTH-9288] Test for expired passwords
+[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also
+ includes improved logging, and support for other operating systems.
+[BOOT-5104] Rewrote test to detect SysV init and other service managers
+[BOOT-5106] New test to test boot loader on Mac OS X
+[BOOT-5180] Only gets executed if runlevel 2 is found
+[CONT-8108] New test to test for Docker file permissions
+[DBS-1816] Removed suggestion
+[FILE-6310] Add more details to test when a symlinked path has been found
+[FILE-6410] Added /var/lib/locatedb as search path
+[FINT-4338] Added osquery test
+[FIRE-4508] Added chains test for iptables
+[FIRE-4511] Renamed to FIRE-4502
+[FIRE-4536] Support for nftables detection
+[FIRE-4538] Basic configuration check for for nftables
+[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
+[HTTP-6622] Determine Apache version and log to report
+[HTTP-6624] Ignore wildcard and default entries as ServerName for Apache
+[LOGG-2154] Additional support for log destinations for syslog-ng
+[MALW-3278] New test to detect LMD (Linux Malware Detect)
+[NAME-4406] Changed logic for localhost check and more detailed logging
+[NETW-2600] IPv6 configuration check for Linux
+[NETW-3032] Added ARP monitoring software test
+[PKGS-7308] Split package name and version for RPM based package manager
+[PKGS-7350] Support for installed packages via Fedora DNF package manager (Dandified YUM)
+[PKGS-7352] Query security notices for DNF
+[PKGS-7354] Perform integrity tests for package database (DNF)
+[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
+[STRG-1842] New test for checking authorized USB devices
+[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured
+[TIME-3170] New test to check NTP configuration files
+
+* Functions
+-----------
+[CreateTempFile] Create a temporary file
+[DigitsOnly] New function to extract only numbers from a text string
+[DisplayManual] New function to show text on screen without any markup
+[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
+[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier
+[IsWordWritable] Changed return codes for easier usage of the function
+[LogText] Replaces the older logtext function
+[RandomString] Creates a random string of characters
+[RemoveTempFiles] Remove any created temporary files
+[Report] Replaces the older report function
+[ReportSuggestion] Allows two additional parameters to store details
+ (text and external reference to a solution)
+[ReportWarning] Like ReportSuggestion() has additional parameters
+[ShowComplianceFinding] Display compliance findings
+[ShowSymlinkPath] Ensure readlink is available
+
+* General improvements
+----------------------
+- When using pentest mode, it will continue without any delays (=quick mode).
+- Plugins execution is improved, with improved logged and counting of active
+ plugins.
+- Data uploads: provide help when self-signed certificates are used.
+- Improved output for tests which before showed results as a warning, instead of
+ just as a suggestion.
+- Lynis now uses different exit codes, depending on errors or finding warnings.
+ This helps with automation and any custom scripting you want to apply.
+- Preparations to allow compressing the Lynis report file and enhance uploads.
+- Added --config option to show what settings file or profile is used.
+- Tool tips are displayed, to make Lynis even easier to use.
+- Show a warning if the release is older than four months.
+- PID file has additional checks, including cleanups.
+
+
+* Plugins
+---------
+[PAM] New plugin available in all versions of Lynis
+[PLGN-2602] Replaced mktemp commands with CreateTempFile function
+[PLGN-2804] Limit report output of EXT file systems to 1 item per line
+
+--------------------------------------------------------------
+
+Lynis 2.1.1 (2015-07-22)
+
+This release adds a lot of improvements, with focus on performance, and
+additional support for common Linux distributions and external utilities.
+We recommend to use this latest version.
+
+* Operating system enhancements
+-------------------------------
+Support for systems like CentOS, openSUSE, Slackware is improved.
+
+* Performance
+-------------
+Performance tuning has been applied, to speed up execution of the audit on
+systems with many files. This also includes code cleanups.
+
+* Automatic updates
+-------------------
+Initial work on an automatic updater has been implemented. This way Lynis
+can be scheduled for automatic updating from a trusted source.
+
+* Internal functions
+--------------------
+Not all systems have readlink, or the -f option of readlink. The
+ShowSymlinkPath function has been extended with a Python based check, which
+is often available.
+
+* Software support
+------------------
+Apache module directory /usr/lib64/apache has been added, which is used on
+openSUSE.
+
+Support for Chef has been added.
+
+Added tests for CSF's lfd utility for integrity monitoring on directories and
+files. Related tests are FINT-4334 and FINT-4336.
+
+Added support for Chrony time daemon and timesync daemon. Additionally NTP
+sychronization status is checked when it is enabled.
+
+Improved single user mode protection on the rescue.service file.
+
+* Other
+-------
+Check for user permissions has been extended.
+Python binary is now detected, to help with symlink detection.
+Several new legal terms have been added, which are used for usage in banners.
+In several files old tests have been removed, to further clean up the code.
+
+* Bug fixes
+---------
+Nginx test showed error when access_log had multiple parameters.
+Tests using locate won't be performed if not present.
+Fix false positive match on Squid unsafe ports [SQD-3624].
+The hardening index is now also inserted into the report if it is not displayed
+on screen.
+
+* Functions
+---------
+Added AddSystemGroup function
+
+* New tests
+---------
+Several new tests have been added:
+* [PKGS-7366] Scan for debsecan utility on Debian systems
+* [PKGS-7410] Determine amount of installed kernel packages
+* [TIME-3106] Check synchronization status of NTP on systemd based systems
+* [CONT-8102] Docker daemon status and gather basic details
+* [CONT-8104] Check docker info for any Docker warnings
+* [CONT-8106] Check total, running and unused Docker containers
+
+* Plugins
+---------
+* [PLGN-2602] Disabled by default, as it may be too slow for some machines
+* [PLGN-3002] Extended with /sbin/nologin
+
+* Documentation
+---------------
+A new document has been created to help with the process of upgrading Lynis.
+It is available at https://cisofy.com/documentation/lynis/upgrading/
+
+--------------------------------------------------------------
+
+
+Lynis 2.1.0 (2015-04-16)
+
+* General
+---------
+Screen output has been improved to provide additional information.
+
+* OS support
+------------
+CUPS detection on Mac OS has been improved. AIX systems will now use csum
+utility to create host ID. Group check have been altered on AIX, to include
+the -n ALL. Core dump check on Linux is extended to check for actual values
+as well.
+
+* Software
+----------
+McAfee detection has been extended by detecting a running cma binary.
+Improved detection of pf firewall on BSD and Mac OS. Security patch checking
+with zypper extended.
+
+* Session timeout
+-----------------
+Tests to determine shell time out setting have been extended to account for
+AIX, HP-UX and other platforms. It will now determine also if variable is
+exported as a readonly variable. Related compliance section PCI DSS 8.1.8
+has been extended.
+
+* Documentation
+---------------
+- New document: Getting started with Lynis
+ https://cisofy.com/documentation/lynis/get-started/
+
+* Plugins (Enterprise)
+----------------------
+- Update to file integrity plugin
+ Changes to PLGN-2606 (capabilities check)
+
+New configuration plugins:
+* PLGN-4802 (SSH settings)
+* PLGN-4804 (login.defs)
+
+Download link: https://cisofy.com/download/lynis/
+
+--------------------------------------------------------------
+
+
+Lynis 2.0.0 (2015-02-25)
+
+
+The first release within the 2.x branch! It includes several new features, to
+simplify or improve auditing on Unix based systems, including BSD, Linux,
+Mac OS and more traditional systems like AIX, HPUX and Solaris.
+
+New features and many improvements are the reason for the bump to a major
+release, also a beginning of a new era. Many tools to audit or harden systems
+have being released, yet none have been maintained over a long period of time.
+
+Lynis Support and Feedback
+--------------------------
+This software is supported and under development by CISOfy. By providing a
+dual license, this software is kept up-to-date and enhanced. Both customers
+and the community, benefit from this licensing. This release is available
+thanks to your input and feedback.
+
+Lynis Helpers
+-------------
+New in this release is the support for helpers. Small utilities which enhance
+Lynis by providing a single goal. The first helper available is to audit
+Docker build files.
+
+Lynis Improved OS support
+-------------------------
+Many changes have been implemented to better support Linux, FreeBSD, NetBSD
+DragonBSD and OpenBSD in particular. Upcoming releases will include smaller
+"improvement rounds" for other systems as well.
+
+Lynis New technologies
+----------------------
+More utilities and technologies are supported now. Technologies and tools
+like systemd, Docker, nftables.
+
+Lynis Lynis Enterprise
+----------------------
+As this code is shared, customers have an additional option to define to
+what server they want to upload the audit results. Also, commercial plugins
+have been bundled.
+
+Lynis New parameters
+--------------------
+Several new options have been added:
+* --dump-options (see all options)
+* --report-file (define a different location for the report file)
+
+Lynis General
+-------------
+Documentation on the website has been extended: https://cisofy.com/support/
+The man page, Lynis binary and several tests have improved texts.
+
+This release is exceptional in that it includes many changes. We have done
+a lot of testing on different platforms. You could expect this software to be
+stable. Still, an assumption is no guarantee and especially no substitution
+for testing in your own environment. If you encounter issues, please report
+them via one of the links above in this changelog.
+
+
+Enjoy this new release!
+
+
+================================================================================
+
+Lynis 1.6.4 (2014-11-04)
+
+New:
+- Boot loader detection for AIX [BOOT-5102]
+- Detection of getcap and lsvg binary
+- Added filesystem_ext to report
+- Detect rootsh
+
+Changes:
+- Hide errors when RPM database is faulty and show suggestion instead [PKGS-7308]
+- Allow OpenBSD to gather information on listening network ports [NETW-3012]
+- Don't trigger warning for Shellshock when doing segfault test [SHLL-6290]
+- Do not run Apache test on OpenBSD and strip control chars [HTTP-6624]
+- Extended AIDE test with configuration validation test [FIND-4314]
+- Improved Shellshock test regarding non-Linux support [SHLL-6290]
+- Added support for gathering volume groups on AIX [FILE-6311]
+- Properly parse PAM lines and add them to report [AUTH-9264]
+- Support for boot loader detection on OpenBSD [BOOT-5159]
+- Added uptime detection for OpenBSD systems [BOOT-5202]
+- Support for volume groups on AIX [FILE-6312]
+- Redirect errors when searching for readlink binary
+
+---------------------------------------------------------------------------------
+
+Lynis 1.6.3 (2014-10-14)
+
+New:
+- Added tests for Shellshock bash vulnerability [SHLL-6290]
+- Added test to determine if Snoopy is used [ACCT-9636]
+- New test for qdaemon configuration file [PRNT-2416]
+- Test for GRUB boot loader password [BOOT-5122]
+- New test for qdaemon printer jobs [PRNT-2420]
+- Added ClamXav test for Mac OS X [MALW-3288]
+- Gentoo vulnerable packages test [PKGS-7393]
+- New test for qdaemon status [PRNT-2418]
+- Gentoo package listing [PKGS-7304]
+- Running Lynis without root permissions will start non-privileged scan
+- Systemd service and timer example file added
+- Added grub2-install to binaries
+
+Changes:
+- Adjustments so insecure SSL protocols are detected in nginx config [HTTP-6710]
+- Directories will be skipped when searching for nginx log files [HTTP-6720]
+- Only gather unique name servers from /etc/resolv.conf [NAME-2704]
+- Properly detect mod_evasive on Gentoo and others [HTTP-6640]
+- Improved swap partition detection in /etc/fstab [FILE-6336]
+- Improvements to kernel detection (e.g. Gentoo) [KRNL-5830]
+- Test for built-in security options in YUM [PKGS-7386]
+- Improved boot loader detection for GRUB2 [BOOT-5121]
+- Split GRUB test into two tests [BOOT-5122]
+- Added Mac OS uptime check [BOOT-5202]
+- Improved GetHostID function for systems having only ip binary
+- Improved testing for symlinked binary directories
+- Minor adjustments to log output
+- Renamed dev directory to extras
+
+---------------------------------------------------------------------------------
+
+Lynis 1.6.2 (2014-09-22)
+
+ New:
+ - IsVirtualMachine function to check if system is running in VM
+
+ VM types: Bochs CPU emulation, IBM z/VM, KVM, Linux Containers,
+ libvirt LXC driver (Linux Containers), Microsoft Virtual PC, OpenVZ,
+ Oracle VM VirtualBox, QEMU, Systemd Namespace container,
+ User-Mode Linux (UML), VMware products, XEN
+
+ - Detection for SaltStack configuration management tooling
+ - ShowSymlinkPath function to check path behind a symlink
+ - Check of configuration options of pacman [PKGS-7314]
+ - Support for drill binary to check for Lynis update
+ - FileIsEmpty function to check for empty files
+ - Detect updates for Arch Linux [PKGS-7312]
+ - Add detection for machine ID (systemd)
+ - Added linux_config_file to report
+ - Bash completion script for Lynis
+ - Added detection of ss binary
+
+ Changes:
+ - Extended system reboot check, to enable it for most Linux versions[KRNL-5830]
+ - Improved inetd test to avoid false positive with xinetd process [INSE-8002]
+ - Permissions check has been adjusted to allow packaging and pentest mode
+ - Added detection for compressed Linux config file [KRNL-5728]
+ - Added support for compressed Linux config file [KRNL-5730]
+ - Store PID file in home directory of the user, if needed
+ - Added usage of ss to gather listening ports [NETW-3012]
+ - Additional permission added to CUPS check [PRNT-2307]
+ - Extended telnet in inetd test [INSE-8016]
+ - Fix for reading at.deny file [SCHD-7720]
+ - Removed individual warnings [BOOT-5184]
+ - Several improvements for Arch Linux
+
+---------------------------------------------------------------------------------
+
+Lynis 1.6.1 (2014-09-09)
+
+ New:
+ - Added --pentest parameter to run a non-privileged scans (e.g. for pentesting)
+ - Show skipped tests in report if they require root and scan is non-privileged
+
+ Changes:
+ - Improved vulnerable packages test on Debian based systems (apt-check) [PKGS-7392]
+ - Don't show warnings for 'swap' in 4th column fstab file [FILE-6336]
+ - Remove warning for old files in /tmp [FILE-6354]
+ - CheckUpdates function will have better output when no connection is available
+ - Changes to parameters and functions, to allow penetration tests with Lynis
+ - Test for actual files in /etc/modprobe.d before grepping in it
+ - Improved chown command when file permissions are incorrect
+ - Changed output of update test, show when status is unknown
+ - No scanning of symlinked directories (binaries test)
+ - Extended SafePerms function to also check for UID
+ - Several tests will have root-only bit set now
+ - Improved netstat tests on Arch Linux
+
+---------------------------------------------------------------------------------
+
+Lynis 1.6.0 (2014-08-27)
+
+ New:
+ - Added several new plugins to default profile
+ - HostID detection for AIX
+
+ Changes:
+ - Improvements for log file
+ - GetHostID function improved
+ - Improved detection of security repository for Debian based systems [PKGS-7388]
+ - Set default values for update check, to avoid error message on screen
+ - Cleanup for mail section, adding IMAP and POP3 protocols
+
+---------------------------------------------------------------------------------
+
+Lynis 1.5.9 (2014-07-31)
+
+ New:
+ - New NetBSD test for vulnerable software packages [PKGS-7380]
+ - Test if Debian based systems need a reboot [KRNL-5830]
+ - Test for running Sendmail daemon [MAIL-8880]
+ - Test for availability of mtree [FINT-4330]
+ - Check for lp daemon (printing) [PRNT-2314]
+ - Added Qmail status detection [MAIL-8860]
+ - New NetBSD boot loader test [BOOT-5126]
+ - Added test for automation tools like Cfengine and Puppet [TOOL-5002]
+ - Added KRNL-5830 control to website
+ - Added detection for Puppet
+ - Added tooling category
+
+ Changes:
+ - Security repository test extended with /etc/apt/sources.list.d [PKGS-7388]
+ - Added exception case for CUPS configuration (listen statement) [PRNT-2308]
+ - Improved detection of TMOUT setting in shell profile file [SHLL-6220]
+ - Perform promiscuous interfaces test for NetBSD as well [NETW-3014]
+ - Perform swap partition parameters test on all systems [FILE-6336]
+ - Also check password file on DragonFlyBSD and NetBSD [AUTH-9208]
+ - Show message regarding toor user for all systems [AUTH-9204]
+ - Check for available interfaces on NetBSD as well [NETW-3004]
+ - Extended UFS file system test with FFS support [FILE-6329]
+ - Improvements for step-tickers file test [TIME-3160]
+ - Perform sockstat test for NetBSD [NETW-3012]
+ - Gather IP addresses for NetBSD [NETW-3008]
+ - Test MAC addresses on NetBSD [NETW-3006]
+ - Added /usr/X11R7/bin directory to search for binaries
+ - Improved full qualified domain name (FQDN) check for Linux
+ - Don't show follow-up hints when there are no warnings or suggestions
+ - Improved IsRunning function to better target processes
+ - Several smaller adjustments in text and descriptions
+ - Extended ReportException function with logging text
+ - Improved GetHostID function for NetBSD and Solaris
+ - Added printing_daemon and mail_daemon to report
+ - Binaries extended with tools like kstat, puppet
+
+---------------------------------------------------------------------------------
+
+Lynis 1.5.8 (2014-07-24)
+
+ New:
+ - Testing for commercial anti-virus solutions like McAfee and Sophos [MALW-3280]
+ - New control text for MALW-3280 - http://cisofy.com/controls/MALW-3280/
+
+ Changes:
+ - Extended GRUB test with encrypted password (SHA1) [BOOT-5121]
+ - Check /etc/profile for multiple umask values [AUTH-9328]
+ - Extended PHP disabled functions test [PHP-2320]
+ - Add gpgcheck parameter to YUM test [PKGS-7387]
+ - Squid configuration file permissions test adjusted and control added to website [SQD-3613]
+ - Logging has been extended and exceptional event text adjusted
+
+---------------------------------------------------------------------------------
+
+Lynis 1.5.7 (2014-07-09)
+
+ New:
+ - Implementation of SafePerms function
+ - Added notification when exceptions are found
+
+ Changes:
+ - Fix for error_log handling in nginx
+
+---------------------------------------------------------------------------------
+
+Lynis 1.5.6 (2014-06-12)
+
+ New:
+ - Test for PHP binary and PHP version
+ - Don't perform register_global test for systems running PHP 5.4.0 and later [PHP-2368]
+ - Debug function (can be activated via --debug or profile)
+
+ Changes:
+ - Extended IsRunning function
+ - Removed suggestion from secure shell test [SHLL-6202]
+ - Check for idle session handlers [SHLL-6220]
+ - Also check for apache2 binary (file instead of directory)
+ - New report values: session_timeout_enabled and session_timeout_method
+ - New report value for plugins: plugins_enabled
+ - Fixed test to determine active TCP sessions on Linux [NETW-3012]
+
+---------------------------------------------------------------------------------
+
+Lynis 1.5.5 (2014-06-08)
+
+ New:
+ - Check for nginx access logging [HTTP-6712]
+ - Check for missing error logs in nginx [HTTP-6714]
+ - Check for debug mode in nginx [HTTP-6716]
+
+ Changes:
+ - Extended SSL test for nginx when using listen statements
+ - Allow debugging via profile (config:debug:yes)
+ - Check if discovered httpd file is actually a file
+ - Improved temporary file creation related to security notice
+ - Adjustments to screen output
+
+ Security Note:
+ This releases solves two issues regarding the usage of temporary
+ files (predictability of the file names). You are advised to upgrade
+ to this version as soon as possible. For more information see the
+ our blog post: http://linux-audit.com/lynis-security-notice-154-and-older/
+
+---------------------------------------------------------------------------------
+
+Lynis 1.5.4 (2014-06-04)
+
+ New:
+ - Check additional configuration files for nginx [HTTP-6706]
+ - Analysis of nginx settings [HTTP-6708]
+ - New test for SSL configuration of nginx [HTTP-6710]
+
+ Changes:
+ - Altered SMBD version check for Mac OS
+ - Small adjustments to report for readability
+
+---------------------------------------------------------------------------------
+
+Lynis 1.5.3 (2014-05-19)
+
+ New:
+ - Support for zypper package manager
+ - Gather installed packages with Zypper on SuSE systems [PKGS-728]
+ - Check for vulnerable packages with Zypper package manager [PKGS-7330]
+
+ Changes:
+ - Check for aide.conf also in /etc [FINT-4315]
+ - Adjusted screen output for unreliable NTP peers [TIME-3120]
+ - Adjusted check kernel test for non-Linux systems [KRNL-5730]
+ - Improved screen output on AIX systems with echo command
+
+---------------------------------------------------------------------------------
+
+Lynis 1.5.2 (2014-05-05)
+
+ New:
+ - Support for runlevel in binaries test
+
+ Changes:
+ - Added suggestion for kernel availability check [KRNL-5788]
+ - Added suggestion for services at startup and proper binary call [BOOT-5180]
+ - Added suggestion to configure accounting on FreeBSD [ACCT-2754]
+ - Added suggestion to configure Linux process accounting [ACCT-9622]
+ - Several new controls listed on website
+ - Adjusted hardening index if total score was zero
+ - Added suggestion for auditd.conf file [ACCT-9632]
+ - Removed suggestion for audit log file [ACCT-9634]
+ - Removed warning from NTP falsetickers test, added data to report [TIME-3132]
+ - Removed warning from NTP selected time source test [TIME-3124]
+
+---------------------------------------------------------------------------------
+
+Lynis 1.5.1 (2014-04-22)
+
+ Changes:
+ - Extended reporting with running databases and frameworks
+ - Adjusted Oracle status in test [DBS-1840]
+ - Extended grsecurity test [RBAC-6272]
+ - Redirect rpcinfo errors to /dev/null
+ - Adjusted color scheme
+
+---------------------------------------------------------------------------------
+
+Lynis 1.5.0 (2014-04-10)
+
+ New:
+ - Support for Amazon Linux
+ - NTP check for step-tickers file (Red Hat and clones) [TIME-3160]
+
+ Changes:
+ - Minor textual changes in description of several controls
+ - Removed several warnings (usage of suggestions instead)
+ - Website has now more information for several controls
+ - Extended detection for Oracle Linux
+ - Updated the FAQ and README files
+
+---------------------------------------------------------------------------------
+
+Lynis 1.4.9 (2014-04-03)
+
+ New:
+ - Added links in report to related control documentation on website
+ - Detect Linux I/O kernel scheduler [KRNL-5730]
+
+ Changes:
+ - Check for non-unique accounts on several platforms [AUTH-9208]
+ - Set initial discover value for PAM modules to zero [AUTH-9268]
+
+---------------------------------------------------------------------------------
+
+Lynis 1.4.8 (2014-03-27)
+
+ Changes:
+ - Adjusted resolv.conf domain setting in report [NAME-4016]
+ - Extend account test with /var/log/pacct [ACCT-9620]
+ - Added suggestion to DNS domain name test [NAME-4028]
+ - Changed text strings of ZFS test [FILE-6330]
+ - Extend LILO password test [BOOT-5139]
+ - Set default value for pf firewall
+
+---------------------------------------------------------------------------------
+
+Lynis 1.4.7 (2014-03-21)
+
+ New:
+ - New configuration item to set group name
+ - Search for AIDE configuration file (aide.conf) [FINT-4315]
+ - Check for usage of SHA256/SHA512 in AIDE configuration [FINT-4316]
+ - Added grep to list of binaries
+
+ Changes:
+ - Added suggestion when using NIS or NIS+ [NAME-4302]
+ - Clean-up of unneeded plugin section
+ - Small typo fix
+
+---------------------------------------------------------------------------------
+
+Lynis 1.4.6 (2014-03-14)
+
+ New:
+ - Check for GPG signing in yum.conf [PKGS-7387]
+ - Check CUPS configuration file permissions [PRNT-2307]
+
+ Changes:
+ - Screen cleanup
+
+---------------------------------------------------------------------------------
+
+Lynis 1.4.5 (2014-03-08)
+
+ New:
+ - Support for Chakra Linux
+ - Support for pacman binary (package manager)
+ - Query installed packages on systems with pacman [PKGS-7310]
+
+ Changes:
+ - Avoid logging to screen when falsetickets are found [TIME-3132]
+ - Skipping FIFO file on Solaris systems when checking for cron jobs [TIME-3104]
+ - Extended uptime test for Solaris systems [BOOT-5202]
+ - Added /usr/lib/security to PAM locations to scan
+ - Report cronjobs to report [SCHD-7704]
+ - HostID support for Solaris
+ - Improved color scheme
+ - Extended logging
+
+---------------------------------------------------------------------------------
+
+Lynis 1.4.4 (2014-03-03)
+
+ New:
+ - Detect tune2fs binary
+ - Added ExitFatal() function
+ - Added egrep binary to binaries
+ - Initial plugin support (phase 1)
+ - Added InsertPluginSection() function
+
+ Changes:
+ - Adjusted disabled functions tests to properly find functions [PHP-2320]
+ - Extended time test with egrep binary replace for Solaris [TIME-3104]
+ - Adjusted color for SNMP test when warning is found [SNMP-3306]
+ - Adjusted text for PHP risky functions [PHP-2320]
+ - Refer to discovered binaries for ifconfig, lsmod, tune2fs
+ - Test plugin directory when provided by --plugin-dir
+ - Scan report extended with plugin information
+ - Extended help for Enterprise options
+ - Improved IsRunning() function
+ - Extended color scheme
+
+---------------------------------------------------------------------------------
+
+Lynis 1.4.3 (2014-02-23)
+
+ New:
+ - Support for ClearOS
+ - Data upload for Lynis Enterprise users (--upload)
+ - Added debug variable for troubleshooting purposes
+ - Scan profile option license_key
+
+ Changes:
+ - Skip password check for Red Hat or clones [AUTH-9282]
+ - Extended single user login protection [AUTH-9308]
+ - Adjusted repolist check for yum based systems [PKGS-7383]
+ - Inserted sleep time when update is found
+ - Extended report output
+
+---------------------------------------------------------------------------------
+
+Lynis 1.4.2 (2014-02-19)
+
+ Changes:
+ - Ignore interfaces aliases for HostID
+ - Extended umask tests with pam_umask entries [AUTH-9328]
+ - Check for supressed version on Squid [SQD-3680]
+
+---------------------------------------------------------------------------------
+
+Lynis 1.4.1 (2014-02-15)
+
+ New:
+ --plugin-dir parameter
+
+ Changes:
+ - Added 64 bits locations for Apache modules
+ - Add start of new category to logfile
+ - Extended sysstat test with /etc/cron.d/sysstat [ACCT-9626]
+ - Extended cron job tests with entries start with asterix (*) [SCHD-7704]
+ - Additional check for multiple umask entries (like RHEL 6.x) [AUTH-9328]
+ - Adjusted PHP test for register_globals (explicit test) [PHP-2368]
+ - Small adjustments for upcoming plugin support
+ - Extended man page
+
+---------------------------------------------------------------------------------
+
+Lynis 1.4.0 (2014-01-29)
+
+ Changes:
+ - Removed some warnings, to prevent double messages
+ - Extended accounting check for Linux [ACCT-9622]
+ - Added consistency check to time test [TIME-3124]
+ - Added support for anacron jobs [SCHD-7704]
+ - Rewrite of YUM repository test [PKGS-7383]
+ - Use binary variables for hostid creation
+ - AIX version detection changed
+ - Added rpcinfo to binaries check
+ - Ignore LANG global setting
+ - Improved logging
+
+---------------------------------------------------------------------------------
+
+Lynis 1.3.9 (2014-01-09)
+
+ Changes:
+ - Additional support for Mac OS
+ - Support for shasum binary
+ - Performance adjustment for lsof tests
+ - Extended interface check for hostid creation
+ - Improved NSCD detection [NAME-4032]
+ - Bug fix for passwdqc [AUTH-9262]
+ - Extended vulnerable packages test [PKGS-7392]
+ - Hide possible sysctl errors [KRNL-5820]
+
+---------------------------------------------------------------------------------
+
+Lynis 1.3.8 (2013-12-25)
+
+ New:
+ - New parameter --view-categories to display available test categories
+ - Added /etc/hosts check (duplicates) [NAME-4402]
+ - Added /etc/hosts check (hostname) [NAME-4404]
+ - Added /etc/hosts check (localhost mapping) [NAME-4406]
+ - Portmaster test for possible port upgrades [PKGS-7378]
+ - Check for SPARC improve boot loader (SILO) [BOOT-5142]
+ - NFS client access test [STRG-1930]
+ - Check system uptime [BOOT-5202]
+ - YUM repolist check [PKGS-7383]
+ - Contributors file added
+
+ Changes:
+ - Improved locate database check and reporting [FILE-6410]
+ - Improved PAE/No eXecute test for Linux kernel [KRNL-5677]
+ - Disabled NIS domain name from test [NAME-4028]
+ - Extended NIS domain test to check BSD sysctl value [NAME-4306]
+ - Extended PAM tools check with PAM paths [AUTH-9262]
+ - Adjusted Apache check to avoid skipping it [HTTP-6622]
+ - Extended USB state testing [STRG-1840]
+ - Extended Firewire state testing [STRG-1846]
+ - Extended core dump test [KRNL-5820]
+ - Added /lib/i386-linux-gnu/security to PAM directories
+ - Added /usr/X11R6/bin directory to binary paths
+ - Improved readability of screen output
+ - Improved logging for several tests
+ - Improved Debian version detection
+ - Added warning to BIND test [NAME-4206]
+ - Extended binaries with showmount and yum
+ - Updated man page
+
+---------------------------------------------------------------------------------
+
+Lynis 1.3.7 (2013-12-10)
+
+ New:
+ - Function FileExists() and SearchItem()
+
+ Changes:
+ - Adjusted yum-security check [PKGS-7386]
+ - Improved check for iptables binary check
+ - Extended report with the tests executed and skipped
+
+---------------------------------------------------------------------------------
+
+Lynis 1.3.6 (2013-12-03)
+
+ New:
+ - Support for the dntpd time daemon
+ - New Apache test for modules [HTTP-6632]
+ - Apache test for mod_evasive [HTTP-6640]
+ - Apache test for mod_qos [HTTP-6641]
+ - Apache test for mod_spamhaus [HTTP-6642]
+ - Apache test for ModSecurity [HTTP-6643]
+ - Check for installed package audit tool [PKGS-7398]
+ - Added initial support for new pkgng and related tools [PKGS-7381]
+ - Check for ssh-keyscan binary
+ - ZFS support for FreeBSD [FILE-6330]
+ - Test for passwordless accounts [AUTH-9283]
+ - Initial OS support for DragonFly BSD
+ - Initial OS support for TrueOS (FreeBSD based)
+ - Initial OS support for elementary OS (Luna)
+ - GetHostID for DragonFly, FreeBSD, NetBSD and OpenBSD
+ - Check for DHCP client [NETW-3030]
+ - Initial support for OSSEC (system integrity) [FINT-4328]
+ - New parameter --log-file to adjust log file location
+ - New function IsRunning() to check status of processes
+ - New function RealFilename() to determine file name
+ - New function CheckItem() for parsing files
+ - New function ReportManual() and ReportException() to simplify code
+ - New function DirectoryExists() to check existence of a directory
+ - Support for dntpd [TIME-3104]
+
+ Changes:
+ - Extended pf checks for FreeBSD/OpenBSD and others [FIRE-4518]
+ - Extended test to gather listening network ports for Linux [NETW-3012]
+ - Adjusted lsof statement to ignore warnings (e.g. fuse) [LOGG-2180] [LOGG-2190]
+ - Added suggestion for discovered shells on FreeBSD [AUTH-9218]
+ - Extended core dump test with additional details [KRNL-5820]
+ - Properly display suggestion if portaudit is not installed [PKGS-7382]
+ - Ignore message if no packages are installed (pkg_info) [PKGS-7320]
+ - Also try using apt-check on Debian systems [PKGS-7392]
+ - Adjusted logging for RPM binary on systems not using it [PKGS-7308]
+ - Extended search in cron directories for rdate/ntpdate [TIME-3104]
+ - Adjusted PHP check to find ini files [PHP-2211]
+ - Skip Apache test for NetBSD [HTTP-6622]
+ - Skip test http version check for NetBSD [HTTP-6624]
+ - Additional check to supress sort error [HTTP-6626]
+ - Improved the way binaries are checked (less disk reads)
+ - Adjusted ReportWarning() function to skip impact rating
+ - Improved report on screen by leaving out date/time and type
+ - Redirect errors while checking for OpenSSL version
+ - Extended reporting with firewall status and software
+ - Adjusted naming of some operating systems to make them more consistent
+ - Extended update check by using host binary if dig is not installed
+ - Count number of installed binaries/packages and report them
+ - Report about log rotation tool and status
+ - Updated man page
+
+---------------------------------------------------------------------------------
+
+Lynis 1.3.5 (2013-11-19)
+
+ New:
+ - OS detection for Mageia Linux, PCLinuxOS, Sabayon Linux and Scientific Linux
+ - Added some initial systemd support (e.g. boot services)
+ - Test to display if any known MAC framework is implemented [MACF-6290]
+
+ Changes:
+ - Improved support for Slackware Linux (OS and version detection)
+ - Added systemd support (boot and running services) for Linux systems [BOOT-5177]
+ - Added systemd support (default runlevel) for Linux systems [KRNL-5622]
+ - Extended USB storage check in modprobe.d directory [STRG-1840]
+ - Improved output, reporting and check for kernel update [KRNL-5788]
+ - Optimized code and output of test to check writable scripts [BOOT-5184]
+ - Fixed detection for writable scripts [BOOT-5184]
+ - Improved detection IPv6 addresses for Slackware and others [NETW-3008]
+ - Minor addition to SSH PermitRootLogin check [SSH-7412]
+ - Extended cronjob tests, reporting and logging [SCHD-7704]
+ - Extended umask check in /etc/profile [AUTH-9328]
+ - Added suggestion about BIND version [NAME-4210]
+ - Merged test NTP daemon test TIME-3108 into TIME-3104
+ - Improved support for Arch Linux (output, detection)
+ - Extended common list of directories with SSL certifcates in profile
+ - New function GetHostID() to determine an unique identifier of the machine
+ - Added a tests_custom file template
+ - Perform file permissions test on tests_custom file
+ - Improved OS detection and extended logging on several tests
+ - Several layout improvements
+ - Extended update check functions and output
+ - Cleaned up reporting and extended it with exceptions
+
+---------------------------------------------------------------------------------
+
+Lynis 1.3.4 (2013-11-08)
+
+ New:
+ - OS detection support for Arch Linux
+ - Support for systemd journal
+
+ Changes:
+ - Test for files in /etc/modprobe.d directory [STRG-1840]
+ - Extended log daemon detection with systemd journal [LOGG-2130]
+ - Adjusted hardening value for compiler GCC [HRDN-7222]
+ - Extended IsWorldWritable and IsWorldExecutable functions to support symlinks
+ - Adjusted PHP test for disabled functions [PHP-2320]
+ - Extended testing for PHP files in other directories [PHP-2211]
+ - Improved screen output for several tests and extended logging
+
+---------------------------------------------------------------------------------
+
+Lynis 1.3.3 (2013-10-24)
+
+ New:
+ - Added NTP configuration type to report [TIME-3104]
+
+ Changes:
+ - Do not warn on empty shells for FreeBSD systems [AUTH-9218]
+ - Extended checks for presence NTP client or daemon [TIME-3104]
+ - Extended logging
+
+---------------------------------------------------------------------------------
+
+Lynis 1.3.2 (2013-10-09)
+
+ New:
+ - Test for PowerDNS authoritive servers (master/slave status) [NAME-4238]
+
+ Changes:
+ - CUPS test extended with hardening rules [PRNT-2308]
+ - Added hardening points to sticky bit on /tmp [FILE-6362]
+ - Extended Ubuntu security packages check [PKGS-7392]
+ - Improved update check, show when no check is performed
+ - Added additional check for binaries, so checks on CentOS work correctly
+ - Added word 'restricted' to banner strings
+ - Adjusted wording for Debian packages purge [PKGS-7346]
+ - Corrected listing of purgable packages [PKGS-7346]
+ - Adjusted yum-plugin-security check due to package changes [PKGS-7386]
+
+---------------------------------------------------------------------------------
+
+Lynis 1.3.1 (2013-10-02)
+
+ Changes:
+ - Updated generic references in files
+ - Fixed detection of several binaries (AFICK/awk)
+ - Performance tweaks when checking for binaries
+ - Fixed core dump check and dumpable sysctl [KRNL-5820]
+ - Force test to always to check for binaries [FILE-7502]
+ - Changed detection to egrep [DBS-1840]
+ - Adjusted variable checking for Solaris [HOME-9310]
+ - Adjusted search in modprobe directory [STRG-1840] [STRG-1846]
+
+---------------------------------------------------------------------------------
+
+Lynis 1.3.0 (2011-12-25)
+
+ New:
+ - Profile option: ignore_home_dir
+ - TCP wrappers category added
+ - Tooling category added
+ - Initial extensions to support plugins in the future
+ - Test for unpurged Debian packages [PKGS-7346]
+ - Test for compiler permissions [HRDN-7222]
+
+ Changes:
+ - Converted all dates to ISO format and updated copyright lines
+ - Correct suggestion for file integrity tool [FINT-4350]
+ - Added hint when RPM list is empty on DPKG based systems [PKGS-7308]
+ - Changed logging for /etc/security/limits.conf file [KRNL-5820]
+ - Fixed incorrect warning for single user mode [AUTH-9308]
+ - Improved output for stratum 16 time servers [TIME-3116]
+ - Added suggestion and screen output for kernel hardening [KRNL-6000]
+ - Screen layout optimalizations and log file improvements
+ - Improved list/layout of scan options
+ - Improved binary check for compilers
+ - Added configuration option in scan profile (show_tool_tips, default true)
+
+---------------------------------------------------------------------------------
+
+Lynis 1.2.9 (2009-12-15)
+
+ New:
+ - Support for Squid3
+ - Added Squid unsafe ports check [SQD-3624]
+ - Added Squid configuration file permission check [SQD-3613]
+ - Added Squid test: reply_body_max_size option [SQD-3630]
+ - Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328]
+ - Check PHP option allow_url_include [PHP-2378]
+
+ Changes:
+ - Extended possible Squid configuration file locations
+ - Added additional sysctl keys to default profile
+ - Fixed typo in squid.conf checks
+ - Improved descriptions, logging and reporting for several tests
+ - Corrected /etc/security/limits.conf path in test [KRNL-5820]
+ - Updated man page, limited lines to 80 chars
+
+---------------------------------------------------------------------------------
+
+Lynis 1.2.8 (2009-12-08)
+
+ New:
+ - Squid support added
+ - Squid daemon detection [SQD-3602]
+ - Squid configuration file search [SQD-3604]
+ - Squid version detection [SQD-3606]
+ - Check /etc/motd banner [BANN-7122]
+ - Check /etc/issue.net file [BANN-7128]
+ - Check contents in /etc/issue.net [BANN-7130]
+ - Solaris single user mode login check (/etc/default/sulogin) [AUTH-9304]
+ - HP-UX boot authentication check [AUTH-9306]
+ - Linux single user mode authentication check [AUTH-9308]
+ - Solaris account locking policy check [AUTH-9340]
+
+ Changes:
+ - Added prerequisite to SSH test, so the test is skipped properly [SSH-7440]
+ - Check for /etc/issue symlink [BANN-7124]
+ - Added file check for possible harmful shells found [AUTH-9218]
+ - Add user home directories to report [HOME-9302]
+ - Extended Linux run level test with support for Debian/Ubuntu [KRNL-5622]
+ - Added /lib64/security to PAM test [AUTH-9262]
+ - Extended security repository check [PKGS-7388]
+ - Iptables check should not check for a module in a Linux config [FIRE-4511]
+ - Ignore APC ups daemon when scanning for CUPS [PRNT-2304]
+ - Improved kernel logger daemon check [LOGG-2138]
+ - Added auditctl to binary check [ACCT-9630]
+ - Log used auditd ruleset [ACCT-9630]
+ - Corrected logging of Solaris c2audit module [ACCT-9656]
+ - Fixed warning function for Solaris passwordless accounts [AUTH-9254]
+ - Commented kern.randompid in default profile
+ - For sysctl the parameter -n will be used on Linux systems
+ - Changed syslog daemon detection and state
+ - Extended report file
+
+---------------------------------------------------------------------------------
+
+Lynis 1.2.7 (2009-11-01)
+
+ New:
+ - Added Kernel Hardening section
+ - Sysctl audit support in scan profile and related test [KRNL-6000]
+ - SSH option StrictModes test [SSH-7416]
+ - Password aging limit check [AUTH-9286]
+ - Ubuntu packages check (apt-show-versions) [PKGS-7394]
+ - Check for metalog daemon [LOGG-2210]
+ - USB storage driver state check [STRG-1840]
+ - Firewire storage driver state check [STRG-1846]
+ - PostgreSQL process check [DBS-1826]
+ - Oracle process check [DBS-1840]
+ - Default umask check [AUTH-9328]
+ - Check for rsyslog daemon [LOGG-2230]
+ - RFC 3195 compliant daemon check [LOGG-2240]
+ - Qmail SMTP daemon check [MAIL-8940]
+ - Test for separation of /tmp and /home from root file system [FILE-6310]
+ - SSH AllowUsers and AllowGroups usage check [SSH-7440]
+ - AIX support, thanks to Michael Smerdka
+
+ Changes:
+ - Fixed crontabs path [SCHD-7704]
+ - Extended locate database paths for Linux and FreeBSD [FILE-6410]
+ - pflog detection fix [FIRE-4518]
+ - Skip /proc/meminfo for non Linux systems [PROC-3602]
+ - Extended text with rsyslogd [LOGG-2130]
+ - Ignore comment and empty lines for group tests [AUTH-9222/9226]
+ - Show firewall as active when iptables is available in config file [FIRE-4511]
+ - Variable fix for SNMP daemon configuration file [SNMP-3304]
+ - Freshclam check fix [MALW-3286]
+ - Fixed waiting search for NIS domain [NAME-4306]
+ - Check for a maximum of 1 search statement in /etc/resolv.conf [NAME-4018]
+ - Apache test improved [HTTP-6622]
+ - Skip klogd test if rsyslogd is available [LOGG-2138]
+ - Added additional CUPS location to search paths
+ - Only execute PAM test for systems with PAM [AUTH-9268]
+ - Fixed logging of sudoers file location [AUTH-9250]
+ - Improved FreeBSD support for NTP client check [TIME-3104]
+ - Redirect warning "Unknown host" when DNS domain name is empty [NAME-4028]
+ - Redirect warning when host name is empty
+ - Fixed warning color [AUTH-9226]
+ - Fixed FreeBSD COPYRIGHT file test [BANN-7113]
+ - Changed text for sudoers text [AUTH-9250]
+ - Improved text for DNS search domain [NAME-4016]
+ - Skip nginx configuration test if nginx is not available [HTTP-6704]
+ - Removed portsclean suggestion [PKGS-7348]
+ - Fixed non unique IDs
+ - Fixed cosmetic issue when using Debian with default dash shell
+ - Improved hostname detection for HP-UX
+ - Added additional php.ini file locations
+ - Moved Linux default shell check to OS detection functions
+ - Fixed CUPS daemon test [PRNT-2304]
+ - Also check for uppercase chars in issue file [BANN-7126]
+
+---------------------------------------------------------------------------------
+
+Lynis 1.2.6 (2009-04-05)
+
+ New:
+ - Sudoers file permissions check [AUTH-9252]
+ - Core dumps configuration check for Linux [KRNL-5820]
+ - PHP disabled functions check [PHP-2320]
+ - PHP enable_dl function check [PHP-2374]
+ - PHP allow_url_fopen function check [PHP-2376]
+ - OpenBSD smtpd status check [MAIL-8920]
+ - /etc/issue check [BANN-7124]
+ - /etc/issue legal keywords check [BANN-7126]
+ - Show suggestions in report
+
+ Changes:
+ - Extended support for Red Hat, CentOS and Fedora
+ - Extended ACL test to test for default mount options as well [FILE-6368]
+ - Exim status test fixed [MAIL-8812]
+ - Corrected yum security check [PKGS-7386]
+ - Replaced LDAP test AUTH-9238 with [AUTH-9402]
+ - Removed backquotes when locate database is not available [FILE-6410]
+ - Added /etc/openldap to search path for OpenLDAP
+ - Fixed typo in crontab path [SCHD-7704]
+ - Don't show message "No volume groups found" if LVM isn't used [FILE-6310]
+ - Corrected Syslog-NG status [LOGG-2132]
+ - Moved TODO to dev directory
+
+---------------------------------------------------------------------------------
+
+Lynis 1.2.5 (2009-03-27)
+
+ New:
+ - slapd.conf check [LDAP-2224]
+ - atd status test [SCHD-7718]
+ - Check LDAP module in PAM [AUTH-9278]
+ - Check Dovecot status check [MAIL-8838]
+ - Check log directories from newsyslog.conf [LOGG-2162]
+ - Check log directories from static list [LOGG-2170]
+ - Check log directories from logrotate configuration [LOGG-2150]
+ - syslog check for remote logging [LOGG-2154]
+ - Open log files check [LOGG-2180]
+ - Deleted file check [LOGG-2190]
+ - Solaris active kernel modules check [KRNL-5770]
+ - Solaris audit daemon status check [ACCT-9650]
+ - Solaris audit daemon service status [ACCT-9652]
+ - Solaris audit daemon BSM check [ACCT-9654]
+ - Solaris audit logging location check [ACCT-9662]
+ - Solaris audit statistics check [ACCT-9672]
+ - Check for installed compiler [HRDN-7202]
+ - BIND process check [NAME-4202]
+ - BIND configuration file check [NAME-4204]
+ - BIND configuration consistency check [NAME-4206]
+ - BIND version check via DNS [NAME-4210]
+ - Default domain check (/etc/resolv.conf) [NAME-4016]
+ - Search domains in /etc/resolv.conf check [NAME-4018]
+ - Parse /etc/resolv.conf options [NAME-4020]
+ - Solaris /etc/nodename check [NAME-4026]
+ - DNS domain checks [NAME-4028]
+ - NSCD status check [NAME-4032]
+ - PowerDNS presence check [NAME-4230]
+ - PowerDNS configuration file check [NAME-4232]
+ - PowerDNS backend check [NAME-4236]
+ - ypbind status check [NAME-4302]
+ - Log specific defined SSH daemon options [SSH-7408]
+ - SSH protocol version check [SSH-7414]
+ - NIS domain checks [NAME-4304]
+ - Check pending at jobs [SCHD-7724]
+ - LVM volume group scan [FILE-6310]
+ - LVM volumes check [FILE-6312]
+ - Locate database check [FILE-6410]
+ - nginx configuration file check [HTTP-6704]
+ - Exim status check [MAIL-8802]
+ - Postfix status check [MAIL-8814]
+
+ Changes:
+ - atd needs to run before testing at files [SCHD-7720]
+ - Removed Solaris OS requirement from logrotate test [LOGG-2148]
+ - Sanitized output from logrotate test [LOGG-2148]
+ - Skip comment fields in loghost check [LOGG-2152]
+ - Changed auditd tests to Linux only
+ - Binary scan optimized and partially combined with other check
+ - Only perform iptables tests if kernel module is active
+ - Don't show message when /etc/shells can't be found [SHLL-6211]
+ - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704]
+ - Renumbered FreeBSD test SHLL-7225 [SHLL-6202]
+ - Renumbered malware test MALW-3292 [HRDN-7230]
+ - Improved grep on process status [PRNT-2304]
+ - Ignore comment lines for nginx log file check [HTTP-6720]
+ - Added file check for nginx log files [HTTP-6720]
+ - Display IP addresses only of NTP tests [TIME-3124]
+ - Fixed Postfix configuration directory path [MAIL-8816]
+ - Redirected output of yum package duplicate check [PKGS-7384]
+ - Ignore comment lines for lilo test [BOOT-5139]
+ - Fixed incorrect iptables status and correct logging [FIRE-4511]
+ - Check SNMP configuration only if SNMP daemon runs [SNMP-3304]
+ - Don't scan PAM directories which are symlinks [AUTH-9268]
+ - Changed hardening category to hardening_tools
+ - Adjusted hardening points of several tests
+ - Log and display improvements for several tests
+
+---------------------------------------------------------------------------------
+
+Lynis 1.2.4 (2009-03-17)
+
+ New:
+ - NTP daemon process test [TIME-3108]
+ - NTP association ID's check from peer list [TIME-3112]
+ - NTP time source candidates test [TIME-3128]
+ - NTP falseticker check [TIME-3132]
+ - NTP protocol version check [TIME-3136]
+ - Stratum 16 ntp peers check [TIME-3116]
+ - Unreliable ntp peers check [TIME-3120]
+ - Preferred NTP time source test [TIME-3124]
+ - auditd presence check [ACCT-9628]
+ - auditd rules check [ACCT-9630]
+ - auditd configuration file check [ACCT-9632]
+ - auditd log file location check [ACCT-9634]
+ - cupsd status check [PRNT-2304]
+ - cupsd configuration file check [PRNT-2306]
+ - cupsd address configuration test [PRNT-2308]
+ - pam.conf configuration check [AUTH-9264]
+ - pam.d configuration file scan [AUTH-9266]
+ - PAM modules check [AUTH-9268]
+ - rpcinfo query [STRG-1902]
+ - NFS version number check [STRG-1904]
+ - NFS protocol and port number check [STRG-1906]
+ - NFS status check [STRG-1920]
+ - NFS exports check [STRG-1926]
+ - NFS empty /etc/exports [STRG-1928]
+ - SSH PermitRootLogin option check [SSH-7412]
+ - at.allow and at.deny check [SCHD-7720]
+ - File integrity tool check [FINT-4350]
+ - nginx process check [HTTP-6702]
+ - nginx log file test [HTTP-6720]
+ - ClamAV clamscan presence test [MALW-3282]
+ - ClamAV daemon check [MALW-3284]
+ - ClamAV freshclam check [MALW-3286]
+ - Check for presence malware scanner [MALW-3292]
+ - clamscan, ntpq binary check
+ - NTP daemon role and profile option
+ - Parameter --tests-category, to scan one or more categories
+ - Category added (Storage: NFS)
+ - Added hardening points to tests
+ - Display hardening index to report
+
+ Changes:
+ - Extended logrotate test [LOGG-2148]
+ - Added check for inetd.conf before performing test [INSE-8016]
+ - Added /var/spool/crontabs to search path [TIME-3104]
+ - Added log line to sysstat test [ACCT-9626]
+ - Improved screen output on Solaris
+ - Checking for both rdate and ntpdate in cron files [TIME-3104]
+ - Changed yum-security package check [PKGS-7386]
+ - Change output if dig isn't available [NETW-2705]
+ - Added IPv6 support and output adjustment [NETW-2704]
+ - Cosmetic change for host based firewall check [FIRE-4590]
+ - Corrected output in log file [PKGS-7388]
+ - Corrected passwd options for Red Hat [AUTH-9282]
+ - Changed text if everything is ok (no warnings)
+ - Log improvements
+
+---------------------------------------------------------------------------------
+
+Lynis 1.2.3 (2009-03-02)
+
+ New:
+ - Added syslog-NG daemon check [LOGG-2132]
+ - Added klogd status test [LOGG-2138]
+ - Added check to determine minilogd presence [LOGG-2142]
+ - Added logrotate configuration test [LOGG-2146]
+ - Added check for loghost entry on Solaris machines [LOGG-2152]
+ - Added ipf test for Solaris [FIRE-4526]
+ - Added uname -n test (Solaris) [NAME-4024]
+ - Added ssh daemon configuration file check [SSH-7404]
+ - Added BSD newsyslog.conf file check [LOGG-2160]
+ - Added inetd status check [INSE-8002]
+ - Added inetd.conf configuration check [INSE-8004]
+ - Added check for inetd.conf when inetd is not active [INSE-8006]
+ - Added telnet check via inetd [INSE-8016]
+ - Added ACL check on root file system [FILE-6368]
+ - Added check for firewall/packet filter on system [FIRE-4590]
+ - Added lograte file check [LOGG-2148]
+ - Added snmp daemon status test [SNMP-3302]
+ - Added snmp configuration file test [SNMP-3304]
+ - Added default snmp community strings test [SNMP-3306]
+ - Added categories: Insecure services and SNMP
+ - Added binary searches for awk, ipf
+
+ Changes:
+ - Changed profile name in default profile
+ - Added path /usr/ucb to binary paths
+ - Changed color to white if slapd is not running [LDAP-2219]
+ - Changed test PKG-7345 into PKGS-7345
+ - Changed logging for several tests [PKGS-7302] [NETW-3004]
+ - Extended FAQ
+ - Changed default profile header
+
+ Fixes:
+ - Hostname detection under Solaris
+ - Disabled tests PROC-3612 PROC3614 for Solaris machines
+ - Disabled NTP check in cron.d directory on Solaris [TIME-3104]
+ - Added result at line when querying system users [AUTH-9234]
+ - Counters (N+1) fixed for some shells, like Solaris
+ - Removed unneeded line for Solaris test [PROC-3604]
+ - Disabled grsecurity test for Solaris [RBAC-6272]
+ - Correct display of files with spaces [FILE-6354]
+ - Changed several tests so they work correctly with Solaris
+
+---------------------------------------------------------------------------------
+
+Lynis 1.2.2 (2009-02-15)
+
+ New:
+ - Support for MySQL client
+ - New test: Test for empty MySQL root password [DBS-1816]
+ - New test: SSH daemon status test [SSH-7402]
+ - New test: sysstat account information [ACCT-9626]
+ - New test: connections in WAIT state [NETW-3028]
+ - Lynis displays a warning now, if current version is really outdated
+ - New parameter option (log_tests_incorrect_os) to minimize logging
+
+ Changes:
+ - Several adjustments to default profile
+ - Fixed option 'skip_test_always' to let it function properly
+ - Fixed passwd check for SuSE systems [AUTH-9282]
+ - Added error redirect for dpkg test [PKG-7345]
+ - Improved NTP test and messages, excluded check when using xen [TIME-3104]
+ - Extended DNS nameserver check with local resolver [NETW-2704]
+ - Skip double nameserver check when a local resolver is found [NETW-2705]
+ - Renamed tests_nameserver to tests_nameservices
+ - Improved log output [AUTH-9218]
+
+ Notes:
+ - Custom profiles should be compared to the default profile, due small changes
+ in the structure.
+
+---------------------------------------------------------------------------------
+
+Lynis 1.2.1 (2008-09-05)
+
+ New:
+ - Added support for Samba
+ - Added support for SELinux framework
+ - New test: SELinux presence test [MACF-6232]
+ - New test: SELinux status checks [MACF-6234]
+ - New test: password PAM availability check [AUTH-9262]
+ - New test: expire date check for accounts [AUTH-9282]
+ - Added new option --tests, to run a small set of tests only
+
+ Changes:
+ - Report and logging messages improved
+ - Output reduced when using --tests
+ - Added suggestion to PHP expose_php option [PHP-2372]
+ - Improved log message for PHP register_globals option [PHP-2368]
+ - Added virtual host count to log file [HTTP-6626]
+ - Improved Red Hat and clones detection and display
+ - Fix: Improved promiscuous detection for Linux [NETW-3015]
+ - Fix: AUTH-9204 test triggered on group ids as well
+ - Fix: Only display unique MAC addresses [NETW-3006]
+ - Extended Postfix test [MAIL-8818]
+ - Don't show /proc/meminfo if not present [PROC-3602]
+ - Don't show YABOOT information if not present [BOOT-5155]
+ - Improved portaudit test (FreeBSD) [PKGS-7382]
+ - Improved portsclean test (FreeBSD) [PKGS-7348]
+ - Added --quiet and --tests options to help and man page
+
+---------------------------------------------------------------------------------
+
+Lynis 1.2.0 (2008-08-26)
+
+ New:
+ - New test: Passwordless Solaris accounts test [AUTH-9254]
+ - New test: AFICK file integrity [FINT-4310]
+ - New test: AIDE file integrity [FINT-4314]
+ - New test: Osiris file integrity [FINT-4318]
+ - New test: Samhain file integrity [FINT-4322]
+ - New test: Tripwire file integrity [FINT-4326]
+ - New tests: NIS and NIS+ authentication test [AUTH-9240/42]
+ - Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire
+
+ Changes:
+ - Changed text of grsecurity test [RBAC-6272]
+ - Optimized FreeBSD boot services test [BOOT-5165]
+ - Optimized UID 0 test [AUTH-9204]
+ - Extended login shells test [AUTH-9218]
+ - PID file message extended and small output improvement
+ - A log entry will be written when PID files are removed
+ - Added operating system name to log file when a test is skipped
+ - Added file available check when using --view-manpage
+ - Most program variables are initialized now for future additions
+
+---------------------------------------------------------------------------------
+
+Lynis 1.1.9 (2008-08-09)
+
+ New:
+ - New test: AppArmor framework check [MACF-6204]
+ - New test: FreeBSD boot loader test [BOOT-5124]
+ - New test: PHP option register_globals [PHP-2368]
+ - New test: Promiscuous network interfaces (Linux) [NETW-3015]
+ - Report option 'bootloader' added to several tests
+ - Added readlink binary check
+
+ Changes:
+ - Extended file check (IsWorldWritable) for symlinks
+ - Show result if no default gateway is found [NETW-3001]
+ - Added /usr/local/etc to sudoers test [AUTH-9250]
+ - Improved FreeBSD banner output [BANN-7113]
+ - Removed incorrect line at promiscuous interface test [NETW-3014]
+ - Fix: Show only once the GRUB test output [BOOT-5121]
+ - Fix: Typo in NTP test [TIME-3104]
+ - Fix: Skip NTP test in /etc/cron.d if empty [TIME-3104]
+ - Fix: Initialize values when performing an update check without connection
+ - Fix: Solaris id function has been fixed
+ - Disabled FreeBSD double packages tests, due minor issues [PKGS-7303]
+ - Changed LDAP/MySQL running states [LDAP-2219] [DBS-1804]
+ - Replaced ifconfig calls with IFCONFIGBINARY
+ - Renamed tests_auditing to tests_mac_frameworks
+ - Several tests improved with extended logging
+
+---------------------------------------------------------------------------------
+
+Lynis 1.1.8 (2008-07-16)
+
+ New:
+ - Mac OS X support extended and new options added
+
+ Changes:
+ - Extended default profile
+ - Improved several screen output lines
+ - User ID check improved, so it works better with older Solaris versions
+ - Hostname in output and reports will contain only host now, not FQDN
+ - Added extra php.ini locations to tests_php
+ - Replaced 'ps' in tests with PSBINARY value for better support
+ - Added output to zones test [VIRT-1902]
+ - Updated description [AUTH-9218]
+ - Extended ntp daemon/ntpdate check [TIME-3104]
+ - Added suggestion to bootable scripts check [BOOT_5184]
+ - Bugfix and improvement for FreeBSD portsclean test [PKGS-7348]
+ - Added Mac OS support to MAC address gathering test [NETW-3006]
+ - Added MAC OS support to inet and inet6 addresses test [NETW-3008]
+ - Extended PHP expose_php test to support additional options [PHP-2372]
+ - Improved LDAP test so it skips correctly on Mac OS AUTH-9238]
+ - Bugfix: MySQL status check gave incorrect output [DBS-1804]
+
+---------------------------------------------------------------------------------
+
+Lynis 1.1.7 (2008-06-28)
+
+ New:
+ - New test: check for unused iptables rules [FIRE-4513]
+ - New test: checking for dead and zombie processes [PROC-3612]
+ - New test: checking for heavy IO waiting processes [PROC-3614]
+ - Initial HP-UX support (untested)
+ - Initial AIX support (untested)
+ - Added iptables binary check
+ - Added dig check, for DNS related tests
+ - Added option --no-colors to remove all colors from screen output
+ - Added option --reverse-colors for optimizing output at light backgrounds
+ (Konsole, MacOS terminal etc)
+
+ Changes:
+ - Improved grpck test for SuSE [AUTH-9216]
+ - Added dig availability check to DNS test [NETW-2704]
+ - Bugfix: Fixed iptables test if the binary is not located in /sbin [FIRE-4512]
+ - Bugfix: Improved yum-utils check to display suggestions correctly [PKGS-7384]
+ - Bugfix: Fixed prerequisites for grpck test [AUTH-9216]
+ - Improved MySQL check [DBS-1804]
+ - Changed color at chkconfig boot services test [BOOT-5177]
+ - Added missing prerequisites output to portaudit test [PKGS-7382]
+ - Test output for FreeBSD mounts (UFS) improved [FILE-6329]
+ - Extended OpenLDAP test to avoid finding itself in ps output [LDAP-2219]
+ - Several tests have their warning reporting improved
+ - Improved SuSE Linux detection
+ - Improved syslog-ng detection
+ - Adjusted README with link to online (extended) documentation
+
+---------------------------------------------------------------------------------
+
+Lynis 1.1.6 (2008-06-19)
+
+ New:
+ - New test: Check writable startup scripts [BOOT-5184]
+ - New test: Syslog-NG consistency check [LOGG-2134]
+ - New test: Check yum-utils package and scanning package database [PKGS-7384]
+ - New test: Test for empty ruleset when iptables is loaded [FIRE-4512]
+ - New test: Check for expired SSL certificates [CRYP-7902]
+ - New test: Check for LDAP authentication support [AUTH-9238]
+ - New test: Read available crontab/cron files [SCHD-7704]
+ - New test: Query Solaris running zones [VIRT-1902]
+ - New test: Check availability sudoers file for future tests [AUTH-9250]
+ - New test: Query all home directories from passwd file [HOME-9302]
+ - Syslog-NG support added (binary and version check)
+ - Added new sections: Scheduling, Time and Synchronization, Virtualization
+
+ Changes:
+ - Extended several tests with suggestions and warnings
+ - Extended GRUB test with GRUB2 check [BOOT-5121]
+ - Extended iptables firewall test [FIRE-4511]
+ - Fixed incorrect variable at Linux kernel config display [KRNL-5728]
+ - Fixed display for file system test [FILE-6023]
+ - Reassigned some ID's to match others in category
+ - Improvement of several logging sections and profile options
+ - Assigned ID to Ubuntu security update check
+ - Assigned ID to pwck test for Solaris [AUTH-9230]
+ - Assigned ID to FreeBSD unused distfiles check [PKGS-7348]
+ - Assigned ID to RPM package query test [PKGS-7308]
+ - Assigned ID to /tmp sticky bit test [FILE-6362]
+ - Assigned ID to old temporary files check [FILE-6354]
+ - Assigned ID to passwd ID 0 test [AUTH-9204]
+ - Assigned ID to FreeBSD swap partitions [FILE-6332]
+ - Assigned ID to FreeBSD swap mount options [FILE-6336]
+ - Assigned ID to nameserver tests [NETW-2704 and NETW-2705]
+ - Assigned ID to pf consistency check [FIRE-4520]
+ - Assigned ID to Postfix configuration check [MAIL-8816]
+ - Assigned ID to Postfix banner check [MAIL-8818]
+ - Assigned ID to FreeBSD promiscuous port test [NETW-3014]
+ - Assigned ID to file permissions check [FILE-7524]
+
+---------------------------------------------------------------------------------
+
+Lynis 1.1.5 (2008-06-10)
+
+ New:
+ - Assigned ID to Apache configuration file test [HTTP-6624]
+ - Added pause_between_tests to profile file, to regulate the speed of a scan
+ - Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345]
+ - Assigned ID to Solaris package test [PKG-7306]
+ - New test: which gathers virtual hosts from Apache configuration files [HTTP-6626]
+ - New test: read all loaded kernel modules (Linux) [KRNL-5726]
+ - New test: query available FreeBSD network interfaces [NETW-3004]
+ - New test: query available IPv4 and IPv6 network addresses [NETW-3008]
+ - New test: for MAC addresses [NETW-3006]
+ - New test: check if a Linux kernel configuration file is available [KRNL-5728]
+ - New test: check boot services for Debian/Ubuntu [BOOT-5180]
+ - Added Lynx, Nmap, Wget version to log file
+ - Added support for Oracle enterprise Linux (Unbreakable Linux)
+ - Added new function ReportWarning for better logging to report file
+
+ Changes:
+ - Improved FreeBSD pkg_info output, logging output and report data [PKG-7302]
+ - Changed shell history file test, searching files with maxdepth 1 [HOME-9310]
+ - Extended iptables test, to check Linux kernel configuration file [FIRE-4511]
+ - Added report warning to promicuous test [NETW-3014]
+ - Fixed yellow color when being used at text display
+ - Several logging improvements and cleanups
+
+---------------------------------------------------------------------------------
+
+Lynis 1.1.4 (2008-05-31)
+
+ New:
+ - Added option to disable Lynis upgrade availability test (profile option)
+ - Added new option --check-update, to display (update) information
+ - Added stub for malware and file permissions database
+ - New section 'LDAP Services'
+ - Support for OpenLDAP added
+ - Place holders for new tests are added
+ - Default profile extended
+ - [FILE-6023] Added test for Linux ext2, ext3, ext4 file systems
+ - [BOOT-5155] Added check for YABOOT boot loader
+
+ Changes:
+ - [BANN-7119] Improved MOTD banner check
+ - Improved Apache tests for SuSE and Debian systems
+ - Debian/Ubuntu file tests improved
+ - Extended man page
+
+---------------------------------------------------------------------------------
+
+Lynis 1.1.3 (2008-05-21)
+
+ New:
+ - Added security updates check for Fedora, RHEL 5.x, CentOS 5.x
+ - Added Linux kernel version check
+ - Most stable tests have an unique ID now
+ - Skipped tests have their reason to skip logged
+ - Added /etc/lynis/plugins to searchable plugin directory targets
+ - Added Register() function, to handle tests, prerequisites and counter
+ - Added new crypto tests
+ - Added profile option "test_skip_always" to blacklist a specific test
+
+ Changes:
+ - Extended default profile location for FreeBSD
+ - Extended accounting test to include pacct as well
+ - Improved tests from categories: shells
+ - Disabled skel tests
+ - Several tests log their warnings into the report file now
+ - Changed Linux default runlevel test
+ - Extended man page
+
+ Fixes:
+ - Auditor name didn't get logged properly to report file.
+ - Changed Debian/Ubuntu kernel update test, so it won't be tested on others
+ - Exim test failed, due to using an incorrect variable name
+
+---------------------------------------------------------------------------------
+
+Lynis 1.1.2 (2008-05-11)
+
+ New:
+ - Added memory test for Solaris (tested on OpenSolaris)
+ - Password file consistency check for Solaris
+ - 32/64 bits OS mode check for Solaris
+ - Added Slackware detection
+ - Plugin support (see documentation)
+ - Added monolithic/modular test for Linux kernels
+
+ Changes:
+ - Improved LILO test and removed double message
+ - Fixed incorrect message when using --help parameter
+ - Improved portaudit test (FreeBSD) to show unique packages only
+ - Updated man page, FAQ, extended documention with plugin information
+ - Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE)
+
+ ** Special release notes [package/ports]: **
+ - Added several default paths to check for usuable an INCLUDE directory. This
+ should make packaging Lynis easier for downstream package providers.
+ - When no profile is set, Lynis will check first /etc/lynis/default.prf,
+ before setting default.prf (in current work directory) as profile to use.
+ - New directory added to be installed for future versions: plugins
+
+---------------------------------------------------------------------------------
+
+Lynis 1.1.1 (2008-04-13)
+
+ New:
+ - Added Solaris package manager (pkginfo) to obtain installed packages
+ - Added new option to profile to whitelist promiscuous interfaces (if_promisc)
+ - Added vulnerable packages check for Debian/Ubuntu
+ - Added package database consistency check for Debian/Ubuntu
+
+ Changes:
+ - Only perform boot.conf check for OpenBSD when running on i386
+ - Changed RemovePIDFile to prevent incorrect file presence check (ie on OpenBSD)
+ - Better OS detection and display output for Ubuntu systems
+ - Improved text alignment (display) and logging
+ - Commented out some of the default profile options
+ - Updated FAQ, readme, man page
+
+ Bug fixes:
+ - Added missing space at OS detection function
+ - Fixed /etc/group tests to ignore commented lines
+ - Fixed sticky bit checking on /tmp, so it won't give incorrect results on
+ SuSE/Debian systems
+
+---------------------------------------------------------------------------------
+
+Lynis 1.1.0 (2008-04-09)
+
+ New:
+ - Added test: default gateway (Linux/BSD)
+ - Added boot tasks to report file (boottask)
+ - Added vulnerable packages to report file (vulnerable_package)
+
+ Changes:
+ - Fixed some typos
+ - Several improvements in log output
+ - Changed display of operating system version (Linux)
+ - Fixed PHP check
+
+---------------------------------------------------------------------------------
+
+Lynis 1.0.9 (2008-03-24)
+
+ New:
+ - Added --quiet option (currently not 100% quiet yet)
+ - Added a spec file to the project page (see web site)
+ - Added small INSTALL document
+
+ Changes:
+ - Changed check for PHP (php.ini location)
+ - Added available shells from /etc/shells to report file
+ - Updated man page
+ - Fixed option in main help window for --man option
+ - Code improvement, splitting up sections to seperated files
+
+---------------------------------------------------------------------------------
+
+Lynis 1.0.8 (2008-02-10)
+
+ New:
+ - Added pf filter rule test
+ - Added our PID to PID file
+ - Added warnings, real users, mount points, total tests to report file
+
+ Changes:
+ - Changed Apache configuration file test
+ - Changed old temporary files check
+ - Changed test to include ubuntu security repository
+ - Moved UID check to avoid PID creation as non root user
+ - Moved most functions to seperated files and several code cleanups
+ - Improved logging output
+ - Extended FreeBSD (Copyright file) test
+ - Changed indentation for many tests
+ - Changed some typos in notice/warning messages
+
+---------------------------------------------------------------------------------
+
+Lynis 1.0.7 (2008-01-28)
+
+ New:
+ - Test: UFS mount point check (FreeBSD)
+ - Test: Check swap partitions (FreeBSD)
+ - Test: find old files in /tmp
+ - Test: check presence iptables
+ - Test: check CPU PAE/NX support (Linux)
+ - Added profile options check
+ - Added option to skip Debian security repository check (profile option)
+ - Support for Red Hat and CentOS
+
+ Changes:
+ - Changed report log location to /var/log instead of current work directory
+ - Changed --help (and -h) to display general help, instead of man page
+ - Renamed -man option to --man
+ - Extended profile file (see default.prf)
+ - Cleaned up code (rewritten several parts of static code to dynamic
+ functions)
+ - Added more comments to the program, for curious auditors, developers and
+ users. Also regrouped parts of text and cleaned useless white spaces.
+ - General program output improved (spaces, indentation)
+ - Logging extended
+ - Updated lynis.spec file (contrib)
+ - FAQ and README files extended and updated
+
+ Bugfixes:
+ - Changed postfix banner check (thanks to Henk Bokhoven for reporting)
+ - Extended skel directory test, with -A (ls) option to check hidden files
+ (used with most Linux variants)
+
+ Development:
+ - Added new mirror
+ - Updated year number in program and support files
+ - Added new function Display, to use indentation within lines
+ - Added function RemovePIDFile before some exit routines, to clean up PID file
+ - Extracted profile support, parameter support to seperated files
+ - Created file tests_ports_packages for Ports and Packages
+ - Deleted lynis.spec file, since it was not working and will be rewritten later
+
+---------------------------------------------------------------------------------
+
+Lynis 1.0.6 (2007-12-26)
+
+ New:
+ - Added Solaris real users test
+ - Added hostname check
+
+ Changes:
+ - Added chkconfig binary test and changed related services test
+ - Added 'xargs' to version checks, to replace unwanted chars
+ - Added more breaks to log file.
+ - Added sorting to rpm/dpkg listings
+ - FAQ extended
+
+---------------------------------------------------------------------------------
+
+Lynis 1.0.5 (2007-12-02)
+
+ New:
+ - Test: unique group names
+ - Test: unique group IDs
+ - Added check for rpm, chkrootkit and rkhunter binary
+ - Added function to cleanup at manual interrupt (INT)
+ - Support added to run Lynis as cronjob (--cronjob)
+ - Fedora support added
+ - Added umask 027, to tighten up file permissions
+
+ Changes:
+ - Changed FreeBSD ttys test
+ - Changed grpck test, to operate in read-only mode
+ - Changed Postfix test, to check for mail_name value as well
+ - Changed GPL line in script which said GPL v2
+ - Extended README
+ - Show latest update version, if available, at the end of the screen output
+ - Lots of code cleanup (see Development)
+ - Some log improvements
+ - Changed date notation in changelog to preferred European format (with dots
+ instead of slashes)
+
+ Development:
+ - New function (ShowResult) to avoid repeating the same result line
+ within the script for standard status values
+ - Moved program consts to file (include/consts)
+ - Moved functions to file (include/functions)
+ - Moved OS detection to file (include/osdetection)
+ - Added NEVERBREAK to avoid user input (cronjob support)
+
+---------------------------------------------------------------------------------
+
+Lynis 1.0.4 (2007-11-27)
+
+ New:
+ - Test: query real system users (FreeBSD/Linux)
+ - Added PID file usage, to warn for unclean program states.
+ - Added SSHd version test
+
+ Changes:
+ - Updated documentation
+ - Changed sticky bit test (/tmp), to skip symlinks
+ - Changed /etc/motd test, to skip symlinks
+ - More code cleanup
+ - Logging extended and improved
+ - Screen output slightly changed
+
+---------------------------------------------------------------------------------
+
+Lynis 1.0.3 (2007-11-19)
+
+ New:
+ - Added check for sockstat
+ - Test: added test for GRUB and password option
+ - Test: query listening ports (sockstat)
+
+ Changes:
+ - Fixed NTPd check (bug)
+ - Extended help for 'double installed package' check (BSD systems, pkg_info)
+ - Extended Debian kernel update check
+ - Improved OpenBSD support
+ - Improved Linux specific detection support (Cobalt, CPU Builders, Debian,
+ E-Smith, Slackware, SuSE/OpenSuSE, Turbo Linux, Yellowdog and others)
+ - Improved screen output
+ - Extended logging, with status/impact flags
+ - [Bugfix] chkconfig test improved
+ - [Bugfix] Fixed sticky bit test at Debian
+ - Extended documentation and changelog file
+
+---------------------------------------------------------------------------------
+
+Lynis 1.0.2 (2007-11-15)
+
+ New:
+ - Test: Added check for NTP daemon or client
+ - Test: file permissions (profile option)
+ - Added -Q (--quick) parameter, to run the program without needing user
+ input after every few sections.
+
+ Changes:
+ - Extended documentation (README file) and performed spell check
+ - Improved screen output (colors, parameter handling and display)
+ - Cleaned up source code and fixed some bad typos
+ - Added much more delimiter lines to logfile
+ - Added version numbers to logfile for used binaries/tools
+ - Updated list of parameters within Lynis help
+
+---------------------------------------------------------------------------------
+
+Lynis 1.0.1 (2007-11-12)
+
+ New:
+ - Test: check Exim configuration file location
+ - Test: added memory check (/proc/meminfo)
+ - Test: run grpck to check group files (if available)
+ - Test: boot option check for OpenBSD boot loader
+ - Test: check if pf (Software: firewall) is active
+ - Test: check LILO password
+ - Test: check presence of old distfiles (FreeBSD)
+ - Added check for binaries: httpd, kldstat, openssl, (s)locate
+ - Added version check for: exim, openssl
+ - Added -V (--version) parameter, to show version number
+ - Added breaks between tests
+
+ Changes:
+ - [bug] Changed skel directory check
+ - Fixed display Apache configuration file
+
+---------------------------------------------------------------------------------
+
+Lynis 1.0.0 (2007-11-08)
+
+ New:
+ - Support for CentOS (Tested: 5 Final)
+ - Support for Debian (Tested: 4.0)
+ - Support for FreeBSD (Tested: 6.2)
+ - Support for Mac OS X (Tested: 10.4)
+ - Test: Apache (ServerTokens option)
+ - Test: PHP (expose_php option)
+ - Test: Postfix (smtpd_banner option)
+ - Test: check valid shells
+ - Test: query pkg_info/RPM based systems
+ - Test: query pkg_info for double installed packages
+ - Test: query chkprintcap (FreeBSD)
+ - Test: scan binary directories
+ - Test: check administrator accounts
+ - Test: check permissions /etc/motd
+ - Test: read nameservers from /etc/resolv.conf
+ - Test: query nameservers and test connectivity
+ - Test: check promiscuous interfaces (FreeBSD)
+ - Test: check sticky bit on /tmp directory
+ - Test: check debian.org security brance in /etc/apt/sources.list
+ - Test: check kernel update on Debian
+ - Test: query default Linux run level
+ - Test: query chkconfig to see which services start at boot
+ - Test /etc/COPYRIGHT banner check for FreeBSD
+ - Support for program parameters
+ - Builtin integrity checks
+ - Color enhanced output for readability
+ - Support for profiles/templates
+ - Report file creation (for reporting/monitoring)
+ - Extended logfile creation (with system suggestions)
+ - Added lynis.spec file for RPM creation
+ - Created project page at website
+ - Added documentation (README), ToDo list (TODO)
+ - Man page lynis(8)
+
+ Changes:
+ - No changes
+
+ Bugfixes:
+ - No bugfixes
+
+
+==========================================================================================
+ Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..660b7e18af23
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,62 @@
+# Maintainer : Kr1ss $(tr +- .@ <<<'<kr1ss+x-yandex+com>')
+# Contributor : Levente Polyak <anthraxx[at]archlinux[dot]org>
+# Contributor : Sébastien Luttringer <seblu@aur.archlinux.org>
+
+
+pkgname=lynis3
+_pkgname="${pkgname%[0-9]*}"
+
+pkgver=3.0.0
+pkgrel=1
+
+pkgdesc='Security and system auditing tool to harden Unix/Linux systems'
+url="https://cisofy.com/$_pkgname"
+arch=('any')
+license=('GPL3')
+
+provides=("$_pkgname=$pkgver")
+conflicts=("$_pkgname")
+
+depends=('sh' 'awk')
+optdepends=('net-tools: networking tests'
+ 'bind-tools: nameserver tests'
+ 'iptables: firewall tests'
+ 'bash-completion: completion for bash')
+
+changelog=CHANGELOG.md
+backup=("etc/$_pkgname/default.prf")
+source=("https://downloads.cisofy.com/$_pkgname/$_pkgname-$pkgver.tar.gz"{,.asc})
+sha512sums=('2f156002ff1cfcd2333c95b57e82e76260364fa58419b9414f2bb461aa77a22c2f1af57a6a934e88030baeb69aa9c274045cfcef359eb496d10acd5b886cb856'
+ 'SKIP')
+validpgpkeys=('73AC9FC55848E977024D1A61429A566FD5B79251') # CISOfy (Software Signing Key) <security@cisofy.com>
+
+
+prepare() {
+ cd "$_pkgname"
+ sed -e "s|/path/to/$_pkgname|/usr/bin/$_pkgname|g" -i "extras/systemd/$_pkgname.service"
+}
+
+package() {
+ cd "$_pkgname"
+
+ # application
+ install -Dm755 "$_pkgname" -t"$pkgdir/usr/bin/"
+ install -Dm644 default.prf -t"$pkgdir/etc/$_pkgname/"
+ install -dm755 "$pkgdir/usr/share/$_pkgname"
+ cp -ra db include plugins "$pkgdir/usr/share/$_pkgname/"
+ chmod 644 "$pkgdir/usr/share/$_pkgname"/{include/*,db/{*.db,languages/*}}
+ chmod +x "$pkgdir/usr/share/$_pkgname"/include/{consts,functions}
+
+ # doc files
+ install -Dm644 README INSTALL *.md FAQ -t"$pkgdir/usr/share/doc/$_pkgname/"
+ install -Dm644 "$_pkgname.8" -t"$pkgdir/usr/share/man/man8/"
+
+ # bash completion
+ install -Dm644 "extras/bash_completion.d/$_pkgname" -t"$pkgdir/usr/share/bash-completion/completions/"
+
+ # systemd units
+ install -Dm644 "extras/systemd/$_pkgname".{service,timer} -t"$pkgdir/usr/lib/systemd/system/"
+}
+
+
+# vim: ts=2 sw=2 et ft=PKGBUILD: