-
Notifications
You must be signed in to change notification settings - Fork 1
/
CHANGELOG
967 lines (828 loc) · 35.8 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
================================================================================
Lynis - Changelog
================================================================================
Author: Michael Boelen (michael@rootkit.nl)
Description: Security and system auditing tool
Website: http://www.rootkit.nl/projects/lynis.html
Support policy: See section 'Support' (README file)
Documentation: See web site, README, FAQ and CHANGELOG file
================================================================================
* 1.3.0 (2011-12-25)
New:
- Profile option: ignore_home_dir
- TCP wrappers category added
- Tooling category added
- Initial extensions to support plugins in the future
- Test for unpurged Debian packages [PKGS-7346]
- Test for compiler permissions [HRDN-7222]
Changes:
- Converted all dates to ISO format and updated copyright lines
- Correct suggestion for file integrity tool [FINT-4350]
- Added hint when RPM list is empty on DPKG based systems [PKGS-7308]
- Changed logging for /etc/security/limits.conf file [KRNL-5820]
- Fixed incorrect warning for single user mode [AUTH-9308]
- Improved output for stratum 16 time servers [TIME-3116]
- Added suggestion and screen output for kernel hardening [KRNL-6000]
- Screen layout optimalizations and log file improvements
- Improved list/layout of scan options
- Improved binary check for compilers
- Added configuration option in scan profile (show_tool_tips, default true)
--
* 1.2.9 (2009-12-15)
New:
- Support for Squid3
- Added Squid unsafe ports check [SQD-3624]
- Added Squid configuration file permission check [SQD-3613]
- Added Squid test: reply_body_max_size option [SQD-3630]
- Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328]
- Check PHP option allow_url_include [PHP-2378]
Changes:
- Extended possible Squid configuration file locations
- Added additional sysctl keys to default profile
- Fixed typo in squid.conf checks
- Improved descriptions, logging and reporting for several tests
- Corrected /etc/security/limits.conf path in test [KRNL-5820]
- Updated man page, limited lines to 80 chars
--
* 1.2.8 (2009-12-08)
New:
- Squid support added
- Squid daemon detection [SQD-3602]
- Squid configuration file search [SQD-3604]
- Squid version detection [SQD-3606]
- Check /etc/motd banner [BANN-7122]
- Check /etc/issue.net file [BANN-7128]
- Check contents in /etc/issue.net [BANN-7130]
- Solaris single user mode login check (/etc/default/sulogin) [AUTH-9304]
- HP-UX boot authentication check [AUTH-9306]
- Linux single user mode authentication check [AUTH-9308]
- Solaris account locking policy check [AUTH-9340]
Changes:
- Added prerequisite to SSH test, so the test is skipped properly [SSH-7440]
- Check for /etc/issue symlink [BANN-7124]
- Added file check for possible harmful shells found [AUTH-9218]
- Add user home directories to report [HOME-9302]
- Extended Linux run level test with support for Debian/Ubuntu [KRNL-5622]
- Added /lib64/security to PAM test [AUTH-9262]
- Extended security repository check [PKGS-7388]
- Iptables check should not check for a module in a Linux config [FIRE-4511]
- Ignore APC ups daemon when scanning for CUPS [PRNT-2304]
- Improved kernel logger daemon check [LOGG-2138]
- Added auditctl to binary check [ACCT-9630]
- Log used auditd ruleset [ACCT-9630]
- Corrected logging of Solaris c2audit module [ACCT-9656]
- Fixed warning function for Solaris passwordless accounts [AUTH-9254]
- Commented kern.randompid in default profile
- For sysctl the parameter -n will be used on Linux systems
- Changed syslog daemon detection and state
- Extended report file
--
* 1.2.7 (2009-11-01)
New:
- Added Kernel Hardening section
- Sysctl audit support in scan profile and related test [KRNL-6000]
- SSH option StrictModes test [SSH-7416]
- Password aging limit check [AUTH-9286]
- Ubuntu packages check (apt-show-versions) [PKGS-7394]
- Check for metalog daemon [LOGG-2210]
- USB storage driver state check [STRG-1840]
- Firewire storage driver state check [STRG-1846]
- PostgreSQL process check [DBS-1826]
- Oracle process check [DBS-1840]
- Default umask check [AUTH-9328]
- Check for rsyslog daemon [LOGG-2230]
- RFC 3195 compliant daemon check [LOGG-2240]
- Qmail SMTP daemon check [MAIL-8940]
- Test for separation of /tmp and /home from root file system [FILE-6310]
- SSH AllowUsers and AllowGroups usage check [SSH-7440]
- AIX support, thanks to Michael Smerdka
Changes:
- Fixed crontabs path [SCHD-7704]
- Extended locate database paths for Linux and FreeBSD [FILE-6410]
- pflog detection fix [FIRE-4518]
- Skip /proc/meminfo for non Linux systems [PROC-3602]
- Extended text with rsyslogd [LOGG-2130]
- Ignore comment and empty lines for group tests [AUTH-9222/9226]
- Show firewall as active when iptables is available in config file [FIRE-4511]
- Variable fix for SNMP daemon configuration file [SNMP-3304]
- Freshclam check fix [MALW-3286]
- Fixed waiting search for NIS domain [NAME-4306]
- Check for a maximum of 1 search statement in /etc/resolv.conf [NAME-4018]
- Apache test improved [HTTP-6622]
- Skip klogd test if rsyslogd is available [LOGG-2138]
- Added additional CUPS location to search paths
- Only execute PAM test for systems with PAM [AUTH-9268]
- Fixed logging of sudoers file location [AUTH-9250]
- Improved FreeBSD support for NTP client check [TIME-3104]
- Redirect warning "Unknown host" when DNS domain name is empty [NAME-4028]
- Redirect warning when host name is empty
- Fixed warning color [AUTH-9226]
- Fixed FreeBSD COPYRIGHT file test [BANN-7113]
- Changed text for sudoers text [AUTH-9250]
- Improved text for DNS search domain [NAME-4016]
- Skip nginx configuration test if nginx is not available [HTTP-6704]
- Removed portsclean suggestion [PKGS-7348]
- Fixed non unique IDs
- Fixed cosmetic issue when using Debian with default dash shell
- Improved hostname detection for HP-UX
- Added additional php.ini file locations
- Moved Linux default shell check to OS detection functions
- Fixed CUPS daemon test [PRNT-2304]
- Also check for uppercase chars in issue file [BANN-7126]
--
* 1.2.6 (2009-04-05)
New:
- Sudoers file permissions check [AUTH-9252]
- Core dumps configuration check for Linux [KRNL-5820]
- PHP disabled functions check [PHP-2320]
- PHP enable_dl function check [PHP-2374]
- PHP allow_url_fopen function check [PHP-2376]
- OpenBSD smtpd status check [MAIL-8920]
- /etc/issue check [BANN-7124]
- /etc/issue legal keywords check [BANN-7126]
- Show suggestions in report
Changes:
- Extended support for Red Hat, CentOS and Fedora
- Extended ACL test to test for default mount options as well [FILE-6368]
- Exim status test fixed [MAIL-8812]
- Corrected yum security check [PKGS-7386]
- Replaced LDAP test AUTH-9238 with [AUTH-9402]
- Removed backquotes when locate database is not available [FILE-6410]
- Added /etc/openldap to search path for OpenLDAP
- Fixed typo in crontab path [SCHD-7704]
- Don't show message "No volume groups found" if LVM isn't used [FILE-6310]
- Corrected Syslog-NG status [LOGG-2132]
- Moved TODO to dev directory
--
* 1.2.5 (2009-03-27)
New:
- slapd.conf check [LDAP-2224]
- atd status test [SCHD-7718]
- Check LDAP module in PAM [AUTH-9278]
- Check Dovecot status check [MAIL-8838]
- Check log directories from newsyslog.conf [LOGG-2162]
- Check log directories from static list [LOGG-2170]
- Check log directories from logrotate configuration [LOGG-2150]
- syslog check for remote logging [LOGG-2154]
- Open log files check [LOGG-2180]
- Deleted file check [LOGG-2190]
- Solaris active kernel modules check [KRNL-5770]
- Solaris audit daemon status check [ACCT-9650]
- Solaris audit daemon service status [ACCT-9652]
- Solaris audit daemon BSM check [ACCT-9654]
- Solaris audit logging location check [ACCT-9662]
- Solaris audit statistics check [ACCT-9672]
- Check for installed compiler [HRDN-7202]
- BIND process check [NAME-4202]
- BIND configuration file check [NAME-4204]
- BIND configuration consistency check [NAME-4206]
- BIND version check via DNS [NAME-4210]
- Default domain check (/etc/resolv.conf) [NAME-4016]
- Search domains in /etc/resolv.conf check [NAME-4018]
- Parse /etc/resolv.conf options [NAME-4020]
- Solaris /etc/nodename check [NAME-4026]
- DNS domain checks [NAME-4028]
- NSCD status check [NAME-4032]
- PowerDNS presence check [NAME-4230]
- PowerDNS configuration file check [NAME-4232]
- PowerDNS backend check [NAME-4236]
- ypbind status check [NAME-4302]
- Log specific defined SSH daemon options [SSH-7408]
- SSH protocol version check [SSH-7414]
- NIS domain checks [NAME-4304]
- Check pending at jobs [SCHD-7724]
- LVM volume group scan [FILE-6310]
- LVM volumes check [FILE-6312]
- Locate database check [FILE-6410]
- nginx configuration file check [HTTP-6704]
- Exim status check [MAIL-8802]
- Postfix status check [MAIL-8814]
Changes:
- atd needs to run before testing at files [SCHD-7720]
- Removed Solaris OS requirement from logrotate test [LOGG-2148]
- Sanitized output from logrotate test [LOGG-2148]
- Skip comment fields in loghost check [LOGG-2152]
- Changed auditd tests to Linux only
- Binary scan optimized and partially combined with other check
- Only perform iptables tests if kernel module is active
- Don't show message when /etc/shells can't be found [SHLL-6211]
- Check /var/spool/cron/crontabs first, if it exists [SCHD-7704]
- Renumbered FreeBSD test SHLL-7225 [SHLL-6202]
- Renumbered malware test MALW-3292 [HRDN-7230]
- Improved grep on process status [PRNT-2304]
- Ignore comment lines for nginx log file check [HTTP-6720]
- Added file check for nginx log files [HTTP-6720]
- Display IP addresses only of NTP tests [TIME-3124]
- Fixed Postfix configuration directory path [MAIL-8816]
- Redirected output of yum package duplicate check [PKGS-7384]
- Ignore comment lines for lilo test [BOOT-5139]
- Fixed incorrect iptables status and correct logging [FIRE-4511]
- Check SNMP configuration only if SNMP daemon runs [SNMP-3304]
- Don't scan PAM directories which are symlinks [AUTH-9268]
- Changed hardening category to hardening_tools
- Adjusted hardening points of several tests
- Log and display improvements for several tests
--
* 1.2.4 (2009-03-17)
New:
- NTP daemon process test [TIME-3108]
- NTP association ID's check from peer list [TIME-3112]
- NTP time source candidates test [TIME-3128]
- NTP falseticker check [TIME-3132]
- NTP protocol version check [TIME-3136]
- Stratum 16 ntp peers check [TIME-3116]
- Unreliable ntp peers check [TIME-3120]
- Preferred NTP time source test [TIME-3124]
- auditd presence check [ACCT-9628]
- auditd rules check [ACCT-9630]
- auditd configuration file check [ACCT-9632]
- auditd log file location check [ACCT-9634]
- cupsd status check [PRNT-2304]
- cupsd configuration file check [PRNT-2306]
- cupsd address configuration test [PRNT-2308]
- pam.conf configuration check [AUTH-9264]
- pam.d configuration file scan [AUTH-9266]
- PAM modules check [AUTH-9268]
- rpcinfo query [STRG-1902]
- NFS version number check [STRG-1904]
- NFS protocol and port number check [STRG-1906]
- NFS status check [STRG-1920]
- NFS exports check [STRG-1926]
- NFS empty /etc/exports [STRG-1928]
- SSH PermitRootLogin option check [SSH-7412]
- at.allow and at.deny check [SCHD-7720]
- File integrity tool check [FINT-4350]
- nginx process check [HTTP-6702]
- nginx log file test [HTTP-6720]
- ClamAV clamscan presence test [MALW-3282]
- ClamAV daemon check [MALW-3284]
- ClamAV freshclam check [MALW-3286]
- Check for presence malware scanner [MALW-3292]
- clamscan, ntpq binary check
- NTP daemon role and profile option
- Parameter --tests-category, to scan one or more categories
- Category added (Storage: NFS)
- Added hardening points to tests
- Display hardening index to report
Changes:
- Extended logrotate test [LOGG-2148]
- Added check for inetd.conf before performing test [INSE-8016]
- Added /var/spool/crontabs to search path [TIME-3104]
- Added log line to sysstat test [ACCT-9626]
- Improved screen output on Solaris
- Checking for both rdate and ntpdate in cron files [TIME-3104]
- Changed yum-security package check [PKGS-7386]
- Change output if dig isn't available [NETW-2705]
- Added IPv6 support and output adjustment [NETW-2704]
- Cosmetic change for host based firewall check [FIRE-4590]
- Corrected output in log file [PKGS-7388]
- Corrected passwd options for Red Hat [AUTH-9282]
- Changed text if everything is ok (no warnings)
- Log improvements
--
* 1.2.3 (2009-03-02)
New:
- Added syslog-NG daemon check [LOGG-2132]
- Added klogd status test [LOGG-2138]
- Added check to determine minilogd presence [LOGG-2142]
- Added logrotate configuration test [LOGG-2146]
- Added check for loghost entry on Solaris machines [LOGG-2152]
- Added ipf test for Solaris [FIRE-4526]
- Added uname -n test (Solaris) [NAME-4024]
- Added ssh daemon configuration file check [SSH-7404]
- Added BSD newsyslog.conf file check [LOGG-2160]
- Added inetd status check [INSE-8002]
- Added inetd.conf configuration check [INSE-8004]
- Added check for inetd.conf when inetd is not active [INSE-8006]
- Added telnet check via inetd [INSE-8016]
- Added ACL check on root file system [FILE-6368]
- Added check for firewall/packet filter on system [FIRE-4590]
- Added lograte file check [LOGG-2148]
- Added snmp daemon status test [SNMP-3302]
- Added snmp configuration file test [SNMP-3304]
- Added default snmp community strings test [SNMP-3306]
- Added categories: Insecure services and SNMP
- Added binary searches for awk, ipf
Changes:
- Changed profile name in default profile
- Added path /usr/ucb to binary paths
- Changed color to white if slapd is not running [LDAP-2219]
- Changed test PKG-7345 into PKGS-7345
- Changed logging for several tests [PKGS-7302] [NETW-3004]
- Extended FAQ
- Changed default profile header
Fixes:
- Hostname detection under Solaris
- Disabled tests PROC-3612 PROC3614 for Solaris machines
- Disabled NTP check in cron.d directory on Solaris [TIME-3104]
- Added result at line when querying system users [AUTH-9234]
- Counters (N+1) fixed for some shells, like Solaris
- Removed unneeded line for Solaris test [PROC-3604]
- Disabled grsecurity test for Solaris [RBAC-6272]
- Correct display of files with spaces [FILE-6354]
- Changed several tests so they work correctly with Solaris
--
* 1.2.2 (2009-02-15)
New:
- Support for MySQL client
- New test: Test for empty MySQL root password [DBS-1816]
- New test: SSH daemon status test [SSH-7402]
- New test: sysstat account information [ACCT-9626]
- New test: connections in WAIT state [NETW-3028]
- Lynis displays a warning now, if current version is really outdated
- New parameter option (log_tests_incorrect_os) to minimize logging
Changes:
- Several adjustments to default profile
- Fixed option 'skip_test_always' to let it function properly
- Fixed passwd check for SuSE systems [AUTH-9282]
- Added error redirect for dpkg test [PKG-7345]
- Improved NTP test and messages, excluded check when using xen [TIME-3104]
- Extended DNS nameserver check with local resolver [NETW-2704]
- Skip double nameserver check when a local resolver is found [NETW-2705]
- Renamed tests_nameserver to tests_nameservices
- Improved log output [AUTH-9218]
Notes:
- Custom profiles should be compared to the default profile, due small changes
in the structure.
--
* 1.2.1 (2008-09-05)
New:
- Added support for Samba
- Added support for SELinux framework
- New test: SELinux presence test [MACF-6232]
- New test: SELinux status checks [MACF-6234]
- New test: password PAM availability check [AUTH-9262]
- New test: expire date check for accounts [AUTH-9282]
- Added new option --tests, to run a small set of tests only
Changes:
- Report and logging messages improved
- Output reduced when using --tests
- Added suggestion to PHP expose_php option [PHP-2372]
- Improved log message for PHP register_globals option [PHP-2368]
- Added virtual host count to log file [HTTP-6626]
- Improved Red Hat and clones detection and display
- Fix: Improved promiscuous detection for Linux [NETW-3015]
- Fix: AUTH-9204 test triggered on group ids as well
- Fix: Only display unique MAC addresses [NETW-3006]
- Extended Postfix test [MAIL-8818]
- Don't show /proc/meminfo if not present [PROC-3602]
- Don't show YABOOT information if not present [BOOT-5155]
- Improved portaudit test (FreeBSD) [PKGS-7382]
- Improved portsclean test (FreeBSD) [PKGS-7348]
- Added --quiet and --tests options to help and man page
--
* 1.2.0 (2008-08-26)
New:
- New test: Passwordless Solaris accounts test [AUTH-9254]
- New test: AFICK file integrity [FINT-4310]
- New test: AIDE file integrity [FINT-4314]
- New test: Osiris file integrity [FINT-4318]
- New test: Samhain file integrity [FINT-4322]
- New test: Tripwire file integrity [FINT-4326]
- New tests: NIS and NIS+ authentication test [AUTH-9240/42]
- Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire
Changes:
- Changed text of grsecurity test [RBAC-6272]
- Optimized FreeBSD boot services test [BOOT-5165]
- Optimized UID 0 test [AUTH-9204]
- Extended login shells test [AUTH-9218]
- PID file message extended and small output improvement
- A log entry will be written when PID files are removed
- Added operating system name to log file when a test is skipped
- Added file available check when using --view-manpage
- Most program variables are initialized now for future additions
--
* 1.1.9 (2008-08-09)
New:
- New test: AppArmor framework check [MACF-6204]
- New test: FreeBSD boot loader test [BOOT-5124]
- New test: PHP option register_globals [PHP-2368]
- New test: Promiscuous network interfaces (Linux) [NETW-3015]
- Report option 'bootloader' added to several tests
- Added readlink binary check
Changes:
- Extended file check (IsWorldWritable) for symlinks
- Show result if no default gateway is found [NETW-3001]
- Added /usr/local/etc to sudoers test [AUTH-9250]
- Improved FreeBSD banner output [BANN-7113]
- Removed incorrect line at promiscuous interface test [NETW-3014]
- Fix: Show only once the GRUB test output [BOOT-5121]
- Fix: Typo in NTP test [TIME-3104]
- Fix: Skip NTP test in /etc/cron.d if empty [TIME-3104]
- Fix: Initialize values when performing an update check without connection
- Fix: Solaris id function has been fixed
- Disabled FreeBSD double packages tests, due minor issues [PKGS-7303]
- Changed LDAP/MySQL running states [LDAP-2219] [DBS-1804]
- Replaced ifconfig calls with IFCONFIGBINARY
- Renamed tests_auditing to tests_mac_frameworks
- Several tests improved with extended logging
--
* 1.1.8 (2008-07-16)
New:
- Mac OS X support extended and new options added
Changes:
- Extended default profile
- Improved several screen output lines
- User ID check improved, so it works better with older Solaris versions
- Hostname in output and reports will contain only host now, not FQDN
- Added extra php.ini locations to tests_php
- Replaced 'ps' in tests with PSBINARY value for better support
- Added output to zones test [VIRT-1902]
- Updated description [AUTH-9218]
- Extended ntp daemon/ntpdate check [TIME-3104]
- Added suggestion to bootable scripts check [BOOT_5184]
- Bugfix and improvement for FreeBSD portsclean test [PKGS-7348]
- Added Mac OS support to MAC address gathering test [NETW-3006]
- Added MAC OS support to inet and inet6 addresses test [NETW-3008]
- Extended PHP expose_php test to support additional options [PHP-2372]
- Improved LDAP test so it skips correctly on Mac OS AUTH-9238]
- Bugfix: MySQL status check gave incorrect output [DBS-1804]
--
* 1.1.7 (2008-06-28)
New:
- New test: check for unused iptables rules [FIRE-4513]
- New test: checking for dead and zombie processes [PROC-3612]
- New test: checking for heavy IO waiting processes [PROC-3614]
- Initial HP-UX support (untested)
- Initial AIX support (untested)
- Added iptables binary check
- Added dig check, for DNS related tests
- Added option --no-colors to remove all colors from screen output
- Added option --reverse-colors for optimizing output at light backgrounds
(Konsole, MacOS terminal etc)
Changes:
- Improved grpck test for SuSE [AUTH-9216]
- Added dig availability check to DNS test [NETW-2704]
- Bugfix: Fixed iptables test if the binary is not located in /sbin [FIRE-4512]
- Bugfix: Improved yum-utils check to display suggestions correctly [PKGS-7384]
- Bugfix: Fixed prequisits for grpck test [AUTH-9216]
- Improved MySQL check [DBS-1804]
- Changed color at chkconfig boot services test [BOOT-5177]
- Added missing prequisits output to portaudit test [PKGS-7382]
- Test output for FreeBSD mounts (UFS) improved [FILE-6329]
- Extended OpenLDAP test to avoid finding itself in ps output [LDAP-2219]
- Several tests have their warning reporting improved
- Improved SuSE Linux detection
- Improved syslog-ng detection
- Adjusted README with link to online (extended) documentation
--
* 1.1.6 (2008-06-19)
New:
- New test: Check writable startup scripts [BOOT-5184]
- New test: Syslog-NG consistency check [LOGG-2134]
- New test: Check yum-utils package and scanning package database [PKGS-7384]
- New test: Test for empty ruleset when iptables is loaded [FIRE-4512]
- New test: Check for expired SSL certificates [CRYP-7902]
- New test: Check for LDAP authentication support [AUTH-9238]
- New test: Read available crontab/cron files [SCHD-7704]
- New test: Query Solaris running zones [VIRT-1902]
- New test: Check availability sudoers file for future tests [AUTH-9250]
- New test: Query all home directories from passwd file [HOME-9302]
- Syslog-NG support added (binary and version check)
- Added new sections: Scheduling, Time and Synchronization, Virtualization
Changes:
- Extended several tests with suggestions and warnings
- Extended GRUB test with GRUB2 check [BOOT-5121]
- Extended iptables firewall test [FIRE-4511]
- Fixed incorrect variable at Linux kernel config display [KRNL-5728]
- Fixed display for file system test [FILE-6023]
- Reassigned some ID's to match others in category
- Improvement of several logging sections and profile options
- Assigned ID to Ubuntu security update check
- Assigned ID to pwck test for Solaris [AUTH-9230]
- Assigned ID to FreeBSD unused distfiles check [PKGS-7348]
- Assigned ID to RPM package query test [PKGS-7308]
- Assigned ID to /tmp sticky bit test [FILE-6362]
- Assigned ID to old temporary files check [FILE-6354]
- Assigned ID to passwd ID 0 test [AUTH-9204]
- Assigned ID to FreeBSD swap partitions [FILE-6332]
- Assigned ID to FreeBSD swap mount options [FILE-6336]
- Assigned ID to nameserver tests [NETW-2704 and NETW-2705]
- Assigned ID to pf consistency check [FIRE-4520]
- Assigned ID to Postfix configuration check [MAIL-8816]
- Assigned ID to Postfix banner check [MAIL-8818]
- Assigned ID to FreeBSD promiscuous port test [NETW-3014]
- Assigned ID to file permissions check [FILE-7524]
--
* 1.1.5 (2008-06-10)
New:
- Assigned ID to Apache configuration file test [HTTP-6624]
- Added pause_between_tests to profile file, to regulate the speed of a scan
- Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345]
- Assigned ID to Solaris package test [PKG-7306]
- New test: which gathers virtual hosts from Apache configuration files [HTTP-6626]
- New test: read all loaded kernel modules (Linux) [KRNL-5726]
- New test: query available FreeBSD network interfaces [NETW-3004]
- New test: query available IPv4 and IPv6 network addresses [NETW-3008]
- New test: for MAC addresses [NETW-3006]
- New test: check if a Linux kernel configuration file is available [KRNL-5728]
- New test: check boot services for Debian/Ubuntu [BOOT-5180]
- Added Lynx, Nmap, Wget version to log file
- Added support for Oracle enterprise Linux (Unbreakable Linux)
- Added new function ReportWarning for better logging to report file
Changes:
- Improved FreeBSD pkg_info output, logging output and report data [PKG-7302]
- Changed shell history file test, searching files with maxdepth 1 [HOME-9310]
- Extended iptables test, to check Linux kernel configuration file [FIRE-4511]
- Added report warning to promicuous test [NETW-3014]
- Fixed yellow color when being used at text display
- Several logging improvements and cleanups
--
* 1.1.4 (2008-05-31)
New:
- Added option to disable Lynis upgrade availability test (profile option)
- Added new option --check-update, to display (update) information
- Added stub for malware and file permissions database
- New section 'LDAP Services'
- Support for OpenLDAP added
- Place holders for new tests are added
- Default profile extended
- [FILE-6023] Added test for Linux ext2, ext3, ext4 file systems
- [BOOT-5155] Added check for YABOOT boot loader
Changes:
- [BANN-7119] Improved MOTD banner check
- Improved Apache tests for SuSE and Debian systems
- Debian/Ubuntu file tests improved
- Extended man page
--
* 1.1.3 (2008-05-21)
New:
- Added security updates check for Fedora, RHEL 5.x, CentOS 5.x
- Added Linux kernel version check
- Most stable tests have an unique ID now
- Skipped tests have their reason to skip logged
- Added /etc/lynis/plugins to searchable plugin directory targets
- Added Register() function, to handle tests, prerequisites and counter
- Added new crypto tests
- Added profile option "test_skip_always" to blacklist a specific test
Changes:
- Extended default profile location for FreeBSD
- Extended accounting test to include pacct as well
- Improved tests from categories: shells
- Disabled skel tests
- Several tests log their warnings into the report file now
- Changed Linux default runlevel test
- Extended man page
Fixes:
- Auditor name didn't get logged properly to report file.
- Changed Debian/Ubuntu kernel update test, so it won't be tested on others
- Exim test failed, due to using an incorrect variable name
--
* 1.1.2 (2008-05-11)
New:
- Added memory test for Solaris (tested on OpenSolaris)
- Password file consistency check for Solaris
- 32/64 bits OS mode check for Solaris
- Added Slackware detection
- Plugin support (see documentation)
- Added monolithic/modular test for Linux kernels
Changes:
- Improved LILO test and removed double message
- Fixed incorrect message when using --help parameter
- Improved portaudit test (FreeBSD) to show unique packages only
- Updated man page, FAQ, extended documention with plugin information
- Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE)
** Special release notes [package/ports]: **
- Added several default paths to check for usuable an INCLUDE directory. This
should make packaging Lynis easier for downstream package providers.
- When no profile is set, Lynis will check first /etc/lynis/default.prf,
before setting default.prf (in current work directory) as profile to use.
- New directory added to be installed for future versions: plugins
--
* 1.1.1 (2008-04-13)
New:
- Added Solaris package manager (pkginfo) to obtain installed packages
- Added new option to profile to whitelist promiscuous interfaces (if_promisc)
- Added vulnerable packages check for Debian/Ubuntu
- Added package database consistency check for Debian/Ubuntu
Changes:
- Only perform boot.conf check for OpenBSD when running on i386
- Changed RemovePIDFile to prevent incorrect file presence check (ie on OpenBSD)
- Better OS detection and display output for Ubuntu systems
- Improved text alignment (display) and logging
- Commented out some of the default profile options
- Updated FAQ, readme, man page
Bug fixes:
- Added missing space at OS detection function
- Fixed /etc/group tests to ignore commented lines
- Fixed sticky bit checking on /tmp, so it won't give incorrect results on
SuSE/Debian systems
--
* 1.1.0 (2008-04-09)
New:
- Added test: default gateway (Linux/BSD)
- Added boot tasks to report file (boottask)
- Added vulnerable packages to report file (vulnerable_package)
Changes:
- Fixed some typos
- Several improvements in log output
- Changed display of operating system version (Linux)
- Fixed PHP check
--
* 1.0.9 (2008-03-24)
New:
- Added --quiet option (currently not 100% quiet yet)
- Added a spec file to the project page (see web site)
- Added small INSTALL document
Changes:
- Changed check for PHP (php.ini location)
- Added available shells from /etc/shells to report file
- Updated man page
- Fixed option in main help window for --man option
- Code improvement, splitting up sections to seperated files
--
* 1.0.8 (2008-02-10)
New:
- Added pf filter rule test
- Added our PID to PID file
- Added warnings, real users, mount points, total tests to report file
Changes:
- Changed Apache configuration file test
- Changed old temporary files check
- Changed test to include ubuntu security repository
- Moved UID check to avoid PID creation as non root user
- Moved most functions to seperated files and several code cleanups
- Improved logging output
- Extended FreeBSD (Copyright file) test
- Changed indentation for many tests
- Changed some typos in notice/warning messages
--
* 1.0.7 (2008-01-28)
New:
- Test: UFS mount point check (FreeBSD)
- Test: Check swap partitions (FreeBSD)
- Test: find old files in /tmp
- Test: check presence iptables
- Test: check CPU PAE/NX support (Linux)
- Added profile options check
- Added option to skip Debian security repository check (profile option)
- Support for Red Hat and CentOS
Changes:
- Changed report log location to /var/log instead of current work directory
- Changed --help (and -h) to display general help, instead of man page
- Renamed -man option to --man
- Extended profile file (see default.prf)
- Cleaned up code (rewritten several parts of static code to dynamic
functions)
- Added more comments to the program, for curious auditors, developers and
users. Also regrouped parts of text and cleaned useless white spaces.
- General program output improved (spaces, indentation)
- Logging extended
- Updated lynis.spec file (contrib)
- FAQ and README files extended and updated
Bugfixes:
- Changed postfix banner check (thanks to Henk Bokhoven for reporting)
- Extended skel directory test, with -A (ls) option to check hidden files
(used with most Linux variants)
Development:
- Added new mirror
- Updated year number in program and support files
- Added new function Display, to use indentation within lines
- Added function RemovePIDFile before some exit routines, to clean up PID file
- Extracted profile support, parameter support to seperated files
- Created file tests_ports_packages for Ports and Packages
- Deleted lynis.spec file, since it was not working and will be rewritten later
--
* 1.0.6 (2007-12-26)
New:
- Added Solaris real users test
- Added hostname check
Changes:
- Added chkconfig binary test and changed related services test
- Added 'xargs' to version checks, to replace unwanted chars
- Added more breaks to log file.
- Added sorting to rpm/dpkg listings
- FAQ extended
--
* 1.0.5 (2007-12-02)
New:
- Test: unique group names
- Test: unique group IDs
- Added check for rpm, chkrootkit and rkhunter binary
- Added function to cleanup at manual interrupt (INT)
- Support added to run Lynis as cronjob (--cronjob)
- Fedora support added
- Added umask 027, to tighten up file permissions
Changes:
- Changed FreeBSD ttys test
- Changed grpck test, to operate in read-only mode
- Changed Postfix test, to check for mail_name value as well
- Changed GPL line in script which said GPL v2
- Extended README
- Show latest update version, if available, at the end of the screen output
- Lots of code cleanup (see Development)
- Some log improvements
- Changed date notation in changelog to preferred European format (with dots
instead of slashes)
Development:
- New function (ShowResult) to avoid repeating the same result line
within the script for standard status values
- Moved program consts to file (include/consts)
- Moved functions to file (include/functions)
- Moved OS detection to file (include/osdetection)
- Added NEVERBREAK to avoid user input (cronjob support)
--
* 1.0.4 (2007-11-27)
New:
- Test: query real system users (FreeBSD/Linux)
- Added PID file usage, to warn for unclean program states.
- Added SSHd version test
Changes:
- Updated documentation
- Changed sticky bit test (/tmp), to skip symlinks
- Changed /etc/motd test, to skip symlinks
- More code cleanup
- Logging extended and improved
- Screen output slightly changed
--
* 1.0.3 (2007-11-19)
New:
- Added check for sockstat
- Test: added test for GRUB and password option
- Test: query listening ports (sockstat)
Changes:
- Fixed NTPd check (bug)
- Extended help for 'double installed package' check (BSD systems, pkg_info)
- Extended Debian kernel update check
- Improved OpenBSD support
- Improved Linux specific detection support (Cobalt, CPU Builders, Debian,
E-Smith, Slackware, SuSE/OpenSuSE, Turbo Linux, Yellowdog and others)
- Improved screen output
- Extended logging, with status/impact flags
- [Bugfix] chkconfig test improved
- [Bugfix] Fixed sticky bit test at Debian
- Extended documentation and changelog file
--
* 1.0.2 (2007-11-15)
New:
- Test: Added check for NTP daemon or client
- Test: file permissions (profile option)
- Added -Q (--quick) parameter, to run the program without needing user
input after every few sections.
Changes:
- Extended documentation (README file) and performed spell check
- Improved screen output (colors, parameter handling and display)
- Cleaned up source code and fixed some bad typos
- Added much more delimiter lines to logfile
- Added version numbers to logfile for used binaries/tools
- Updated list of parameters within Lynis help
--
* 1.0.1 (2007-11-12)
New:
- Test: check Exim configuration file location
- Test: added memory check (/proc/meminfo)
- Test: run grpck to check group files (if available)
- Test: boot option check for OpenBSD boot loader
- Test: check if pf (Software: firewall) is active
- Test: check LILO password
- Test: check presence of old distfiles (FreeBSD)
- Added check for binaries: httpd, kldstat, openssl, (s)locate
- Added version check for: exim, openssl
- Added -V (--version) parameter, to show version number
- Added breaks between tests
Changes:
- [bug] Changed skel directory check
- Fixed display Apache configuration file
--
* 1.0.0 (2007-11-08)
New:
- Support for CentOS (Tested: 5 Final)
- Support for Debian (Tested: 4.0)
- Support for FreeBSD (Tested: 6.2)
- Support for Mac OS X (Tested: 10.4)
- Test: Apache (ServerTokens option)
- Test: PHP (expose_php option)
- Test: Postfix (smtpd_banner option)
- Test: check valid shells
- Test: query pkg_info/RPM based systems
- Test: query pkg_info for double installed packages
- Test: query chkprintcap (FreeBSD)
- Test: scan binary directories
- Test: check administrator accounts
- Test: check permissions /etc/motd
- Test: read nameservers from /etc/resolv.conf
- Test: query nameservers and test connectivity
- Test: check promiscuous interfaces (FreeBSD)
- Test: check sticky bit on /tmp directory
- Test: check debian.org security brance in /etc/apt/sources.list
- Test: check kernel update on Debian
- Test: query default Linux run level
- Test: query chkconfig to see which services start at boot
- Test /etc/COPYRIGHT banner check for FreeBSD
- Support for program parameters
- Builtin integrity checks
- Color enhanced output for readability
- Support for profiles/templates
- Report file creation (for reporting/monitoring)
- Extended logfile creation (with system suggestions)
- Added lynis.spec file for RPM creation
- Created project page at website
- Added documentation (README), ToDo list (TODO)
- Man page lynis(8)
Changes:
- No changes
Bugfixes:
- No bugfixes
================================================================================
Lynis - Copyright 2007-2012, Michael Boelen - The Netherlands
http://www.rootkit.nl