File lynis.changes of Package lynis
-------------------------------------------------------------------
Sun Mar 17 11:15:28 UTC 2024 - Robert Frohl <rfrohl@suse.com>

- Update to 3.1.1:
  * Added
    - Detection of ArcoLinux
  * Changed
    - DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf)
    - DBS-1882 - Check /snap directory location for Redis configuration file

-------------------------------------------------------------------
Mon Mar 11 10:21:40 UTC 2024 - Robert Frohl <rfrohl@suse.com>

- Update to 3.1.0:
  * Added
    - Translation: Indonesian
  * Changed
    - MALW-3280 - Correction to detect com.avast.daemon
    - OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP LSDK, OpenEmbedded "nodistro", and The Yocto Projects distro "Poky"
    - Updated Amazon Linux EOL dates and addition of Amazon Linux 2023
    - STATUS_NOT_ACTIVE variable added to translation files
    - End-of-life dates updated
    - Fixing missing or erroneous test number comments
    - Detection of SentinelOne corrected
    - Wazuh for file integrity and tooling
    - Updated parsing output of arch-audit
    - Added support for SentinelOne detection
    - Replacing deprecated option -i for xargs
    - Path detection for PostgreSQL improved
- Updated additional_module_blacklist_locations.patch

-------------------------------------------------------------------
Fri Mar 1 11:34:54 UTC 2024 - pgajdos@suse.com

- Use %patch -P N instead of deprecated %patchN.

-------------------------------------------------------------------
Sun Nov 12 09:54:02 UTC 2023 - Dirk Müller <dmueller@suse.com>

- add missing gawk dependency

-------------------------------------------------------------------
Thu Aug 3 12:56:11 UTC 2023 - Robert Frohl <rfrohl@suse.com>

- Update to 3.0.9:
  * Changed
    - DBS-1820 - Added newer style format for Mongo authorization setting
    - FILE-6410 - Locations added for plocate
    - SSH-7408 - Only test Compression if sshd version < 7.4
    - Improved fetching timestamp
    - Minor changes such as typos

-------------------------------------------------------------------
Tue May 17 14:00:34 UTC 2022 - Robert Frohl <rfrohl@suse.com>

- Update to 3.0.8:
  * Added
    - MALW-3274 - Detect McAfee VirusScan Command Line Scanner
    - PKGS-7346 Check Alpine Package Keeper (apk)
    - PKGS-7395 Check Alpine upgradeable packages
    - EOL for Alpine Linux 3.14 and 3.15
  * Changed
    - AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
    - FILE-7524 - Test enhanced to support symlinks
    - HTTP-6643 - Support ModSecurity version 2 and 3
    - KRNL-5788 - Only run relevant tests and improved logging
    - KRNL-5820 - Additional path for security/limits.conf
    - KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
    - KRNL-5830 - Add a presence check for /boot/vmlinuz
    - PRNT-2308 - Bugfix that prevented test from storing values correctly
    - Extended location of PAM files for AARCH64
    - Some messages in log improved
- accepted upstream, removed additional_paths_security-limits.patch

-------------------------------------------------------------------
Fri Feb 4 10:08:03 UTC 2022 - Robert Frohl <rfrohl@suse.com>

- cover /usr/etc/security/limits.conf too (boo#1194446)
  added additional_paths_security-limits.patch

-------------------------------------------------------------------
Tue Jan 18 13:29:42 UTC 2022 - Robert Frohl <rfrohl@suse.com>

- Update to 3.0.7:
  * Added
    - MALW-3290 - Show status of malware components
    - OS detection for RHEL 6 and Funtoo Linux
    - Added service manager openrc
  * Changed
    - DBS-1804 - Added alias for MariaDB
    - FINT-4316 - Support for newer Ubuntu versions
    - MALW-3280 - Added Trend Micro malware agent
    - NETW-3200 - Allow unknown number of spaces in modprobe blacklists
    - PKGS-7320 - Support for Garuda Linux and arch-audit
    - Several improvements for busybox shell
    - Russian translation of Lynis extended
- replace 0x429A566FD5B79251 with 0x9DE922F1C2FDE6C4 in lynis.keyring
  according to https://packages.cisofy.com/
- update additional_module_blacklist_locations.patch

-------------------------------------------------------------------
Wed Oct 13 14:35:34 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Add additional_module_blacklist_locations.patch to check for
  blacklisted modules under /usr/lib/modules.d

-------------------------------------------------------------------
Mon Oct 11 06:45:59 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>

- Update to 3.0.6:
  * Added
    - OS detection: Artix Linux, macOS Monterey, NethServer, openSUSE MicroOS
    - Check for outdated translation files
  * Changed
    - DBS-1826 - Check if PostgreSQL is being used
    - DBS-1828 - Test multiple PostgreSQL configuration file(s)
    - KRNL-5830 - Sort kernels by version instead of modification date
    - PKGS-7410 - Don't show exception for systems using LXC
    - GetHostID function: fallback options added for Linux systems
    - Fix: show correct text when egrep is missing
    - Fix: variable name for PostgreSQL

-------------------------------------------------------------------
Thu Sep 16 08:59:23 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Changed tests_binary_rpath to subtract points for files found with
  RPATH set, not add points for files that are configured correctly.
  This resulted in a huge number of points that skewed the overall result

-------------------------------------------------------------------
Sat Jul 3 11:54:47 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- fix SLE 12 build

-------------------------------------------------------------------
Fri Jul 2 12:56:40 UTC 2021 - Robert Frohl <rfrohl@suse.com>

- Update to 3.0.5
  * Added
    - OS detection of Arch Linux 32, BunsenLabs Linux, and Rocky Linux
    - CRYP-8006 - Check MemoryOverwriteRequest bit to protect against cold-boot attacks (Linux)
  * Changed
    - ACCT-9622 - Corrected typo
    - HRDN-7231 - When calling wc, use the short -l flag instead of --lines (Busybox compatibility)
    - PKGS-7320 - extended to Arch Linux 32
    - Generation of host identifiers (hostid/hostid2) extended
    - Linux host identifiers are now using ip as preferred input source
    - Improved logging in several areas

-------------------------------------------------------------------
Tue May 11 12:43:28 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Update to 3.0.4
  * Added
    - ACCT-9670 - Detection of cmd tooling
    - ACCT-9672 - Test cmd configuration file
    - BOOT-5140 - Check for ELILO boot loader presence
    - OS detection of AlmaLinux, Garuda Linux, Manjaro (ARM), and others
  * Changed
    - BOOT-5104 - Add service manager detection support for runit
    - FILE-6430 - Report suggestion only when at least one kernel module is not in the blacklist
    - FIRE-4540 - Corrected nftables empty ruleset test
    - LOGG-2138 - Do not check for klogd when metalog is being used
    - TIME-3185 - Improved support for Debian stretch
    - Corrected issue when Lynis is not executed directly from lynis directory

-------------------------------------------------------------------
Thu Jan 7 16:38:00 UTC 2021 - Alexandros Toptsoglou <atoptsoglou@suse.com>

- Update to 3.0.3
  * Added
    - Check for registered non-native binary formats
    - OS detection of Parrot GNU/Linux
  * Changed
    - Force test to check only password authentication
    - Support for NetBSD
  * Fixed: command 'configure settings' did not work as intended

-------------------------------------------------------------------
Mon Jan 4 09:13:29 UTC 2021 - Robert Frohl <rfrohl@suse.com>

- Update to 3.0.2
  * Added
    - Scan for locked user accounts in /etc/passwd
    - Loghost configuration
    - Check for active Suricata daemon
    - OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS
    - OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others
    - EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11
    - Support for Solaris svcs (service manager)
    - Enumeration of Solaris services
  * Changed
    - Detect sysstat systemd unit
    - Only fail if both SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are undefined
    - Support for Solaris
    - Improved reboot test by ignoring known bad values
    - Ignore rescue kernel such as on CentOS systems
    - Detection of Alpine Linux kernel
    - Compatibility change for hostname check
    - Support for Solaris
    - Don't show exception if no kernels were found on the disk
    - Supports now checking files at multiple locations (systemd)
    - ParseNginx function: Support include on absolute paths
    - ParseNginx function: Ignore empty included wildcards
    - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
    - HostID: Use first e1000 interface and break after match
    - Translations extended and updated
    - Test if pgrep exists before using it
    - Better support for busybox shell
    - Small code enhancements

-------------------------------------------------------------------
Fri Nov 13 09:42:44 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

- Add a Requires for net-tools-deprecated, as legacy binary binaries
  are still used by some of the custom lynis tests we ship. Later on
  I'll port them to use current binaries and remove this again

-------------------------------------------------------------------
Mon Oct 5 13:50:24 UTC 2020 - Robert Frohl <rfrohl@suse.com>

- Update to 3.0.1
  * Added
    - Detection of Alpine Linux
    - Detection of CloudLinux
    - Detection of Kali Linux
    - Detection of Linux Mint
    - Detection of macOS Big Sur (11.0)
    - Detection of Pop!_OS
    - Detection of PHP 7.4
    - Malware detection tool: Microsoft Defender ATP
    - New flag: --slow-warning to allow tests more time before showing a warning
    - Test TIME-3185 to check systemd-timesyncd synchronized time
    - rsh host file permissions
  * Changed
    - Added option for LOCKED accounts and bugfix for older bash versions
    - Presence check for grub.d added
    - Added support for certificates in DER format
    - Added data to report
    - Redirect errors (e.g. when swap is not encrypted)
    - Don't grep nonexistent modprobe.d files
    - Set initial firewall state
    - Corrected text on screen
    - Handle zipped kernel configuration correctly
    - Improved version detection for non-symlinked kernel
    - Extended detection of BitDefender
    - Find more time synchronization commands
    - Corrected detection of time peers
    - Fix: hostid generation routine would sometimes show too short IDs
    - Fix: language detection
    - Generic improvements for macOS
    - German translation updated
    - End-of-life database updated

-------------------------------------------------------------------
Thu Jun 18 12:17:36 UTC 2020 - Robert Frohl <rfrohl@suse.com>

- Update to 3.0.0
  * Security issues
    - CVE-2020-13882: incorrect Access Control because of a TOCTOU race condition (boo#1173141).
    - CVE-2019-13033: local disclosure of license key when data is uploaded (boo#1173142).
  * Breaking change: Non-interactive by default
    - Lynis now runs non-interactive by default, to be more in line with
      the Unix philosophy. So the previously used '--quick' option is now
      default, and the tool will only wait when using the '--wait' option.
  * Breaking change: Deprecated options
    - Option: -c
    - Option: --check-update/--info
    - Option: --dump-options
    - Option: --license-key
  * Breaking change: Profile options
    - The format of all profile options are converted (from key:value to
      key=value). You may have to update the changes you made in your
      custom.prf.
  * Security
    - An important focus area for this release is on security. We added
      several measures to further tighten any possible misuse.
  * New: DevOps, Forensics, and pentesting mode
    - This release adds initial support to allow defining a specialized
      type of audit. Using the relevant options, the scan will change
      based on the intended goal.
- Further features, bug fixes and details about the release listed in
  https://raw.githubusercontent.com/CISOfy/lynis/3.0.0/CHANGELOG.md

-------------------------------------------------------------------
Tue Jun 25 07:32:29 UTC 2019 - Robert Frohl <rfrohl@suse.com>

- Update to 2.7.5
  Added:
  * Danish translation
  * Slackware end-of-life information
  * Detect BSD-style (rc.d) init in Linux systems
  * Detection of Bro and Suricata (IDS)
  Changed:
  * Corrected end-of-life entries for CentOS 5 and 6
  * Change name to check in /etc/passwd file for QNAP devices
  * AIX enhancement to use correct find statement
  * Filter on correct field for AIX
  * Set ss command as preferred option for Linux and changed output format
  * List of PHP ini file locations has been extended
  * Removed several pieces of the code as part of cleanup and code health
  * Extended help

-------------------------------------------------------------------
Mon Jun 3 11:20:11 UTC 2019 - Tuukka Pasanen <tuukka.pasanen@ilmi.fi>

- Add more false-positive packages to Dbus database: tuned, autofs,
  lightdm, geoglue2, snapper and ModemManager

-------------------------------------------------------------------
Wed May 29 11:47:34 UTC 2019 - Tuukka Pasanen <tuukka.pasanen@ilmi.fi>

- Add these common false-positive packages to Dbus database whitelist:
  FirewallD, SystemD and Wicked

-------------------------------------------------------------------
Tue Apr 23 07:24:21 UTC 2019 - Robert Frohl <rfrohl@suse.com>

- Update to 2.7.4
  Added
  * FILE-6324 - Discover XFS mount points
  * INSE-8000 - Installed inetd package
  * INSE-8100 - Installed xinetd package
  * INSE-8102 - Status of xinet daemon
  * INSE-8104 - xinetd configuration file
  * INSE-8106 - xinetd configuration for inactive daemon
  * INSE-8200 - Usage of TCP wrappers
  * INSE-8300 - Presence of rsh client
  * INSE-8302 - Presence of rsh server
  * Detect equery binary detection
  * New 'generate' command
  Changed
  * AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
  * PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
  * PKGS-7420 - Detect toolkit to automatically download and apply upgrades
  * PKGS-7328 - Added global Zypper option --non-interactive
  * PKGS-7386 - Only show warning when vulnerable packages were discovered
  * PKGS-7392 - Skip test for Zypper-based systems
  * Minor changes to improve text output, test descriptions, and logging
  * Changed CentOS identifiers in end-of-life database
  * AIX enhancement for IsRunning function
  * Extended PackageIsInstalled function
  * Improve text output on AIX systems
  * Corrected lsvg binary detection

-------------------------------------------------------------------
Thu Mar 21 12:11:32 UTC 2019 - Robert Frohl <rfrohl@suse.com>

- update to 2.7.3
  Added
  * Detection for Lynis being scheduled (e.g. cronjob)
  Changed
  * HTTP-6624 - Improved logging for test
  * KRNL-5820 - Changed color for default fs.suid_dumpable value
  * LOGG-2154 - Adjusted test to search in configuration file correctly
  * NETW-3015 - Added support for ip binary
  * SQD-3610 - Description of test changed
  * SQD-3613 - Corrected description in code
  * SSH-7408 - Increased values for MaxAuthRetries
  * Improvements to allow tailored tool tips in future
  * Corrected detection of blkid binary
  * Minor textual changes and cleanups

-------------------------------------------------------------------
Thu Mar 7 11:54:18 UTC 2019 - Robert Frohl <rfrohl@suse.com>

- update to 2.7.2
  * Added support for doas (OpenBSD)
  * Added test file permissions of doas configuration
  * Added support for systemd-boot boot loader
  * Added simplify service filter and allow multiple dots in service names
  * Added check OpenBSD boot daemons
  * Added test permissions for boot files and scripts
  * Added support for end-of-life detection of the operating system
  * Added new 'lynis show eol' command
  * Multiple changes and improvements

-------------------------------------------------------------------
Fri Feb 1 10:28:13 UTC 2019 - Robert Frohl <rfrohl@suse.com>

- update to 2.7.1
  * Improve support for Red Hat and clones
  * Additional support for Hands Off!, LuLu, and Radio Silence
  * Added MariaDB filter for deleted files (tested on CentOS)
  * Added /etc/bash.bashrc.local to umask check
  * Removed shift statement that did not work on all operating systems
  * Minor cleanups and enhancements
  * Small improvements to logging
  * Added translation for Slovak

-------------------------------------------------------------------
Sat Oct 27 02:36:44 UTC 2018 - sean@suspend.net

- update to 2.7.0
  * added detection of TOMOYO binary (MACF-6240)
  * Status of TOMOYO framework updated (MACF-6242)
  * OpenSSH server version detected (SSH-7406)
  * Check active OSSEC analysis daemon (TOOL-5160)
  * Changed several warning labels on screen
  * More generic sulogin for systemd rescue (AUTH-9308)
  * OS detection now ignores quotes for getting the OS ID

-------------------------------------------------------------------
Tue Oct 9 08:20:47 UTC 2018 - Robert Frohl <rfrohl@suse.com>

- update to 2.6.9
  * Man page has been updated
  * Command 'lynis show options' provides up-to-date list
  * Option '--dump-options' is deprecated
  * Several options and commands have been extended with more examples
  * OS detection now supports openSUSE specific distribution names
  * Changed command output when using 'lynis audit system remote'
  * added /usr/local/redis/etc path and QNAP support
  * ignore exception when no vmlinuz file was discovered

-------------------------------------------------------------------
Thu Sep 20 13:04:11 UTC 2018 - astieger@suse.com

- update to 2.6.8:
  * improved parsing of boot parameters to init process
  * test all PHP files for expose_php and improved logging
  * Docker check now tests also for CMD, ENTRYPOINT, and USER configuration
  * Improved display in Docker output for showing which keys are used for signing
- includes changes from 2.6.7:
  * Added busybox as a service manager
  * Limit PAE and no-execute test to AMD64 hardware only
  * Ignore /dev/zero and /dev/[aio] as deleted files
  * Changed classification of SSH root login with keys
  * Docker scan uses new format for maintainer value
- includes changes from 2.6.6:
  * Improved log text about running kernel version
  * Under some condition no hostid2 value was reported
  * Solved 'extra operand' issue with tr command

-------------------------------------------------------------------
Wed Jun 27 08:42:31 UTC 2018 - astieger@suse.com

- update to 2.6.5:
  * mail: Exim configuration test
  * network: Use FQDN to test status of a nameserver instead of own IP address
  * ssh: Improved test to allow configurations with a Match block
- includes changes from 2.6.4:
  * auth: Made 'sulogin' more generic for systemd rescue shell
  * dns: Initial work on DNSSEC validation testing
  * network: Added support for local resolver 127.0.0.53
  * php: Suhosin test disabled
  * ssh: Removed 'DELAYED' from OpenSSH Compression setting
  * time: Improvements to detect step-tickers file and entries
- includes changes from 2.6.3:
  * crypt: Do prevalidation for certificates before testing them
  * hardening: Enhanced compiler permission test
  * name: Improved test to filter out empty lines
  * packages: changes to detect yum-utils package and related tooling
  * plugins: cron file permissions
- includes changes from 2.6.2:
  * Textual changes for several tests
  * Update of tests database

-------------------------------------------------------------------
Fri Jan 26 17:00:07 UTC 2018 - astieger@suse.com

- update to 2.6.1:
  * New group 'usb' for tests related to USB devices
  * Updated and enhanced tests
  * Many bug fixes
  * output and UI fixes

-------------------------------------------------------------------
Thu Jun 8 19:36:22 UTC 2017 - astieger@suse.com

- Lynis 2.5.1:
  * Improved detection of SSL certificate files
  * Minor changes to improve logging and results
  * Firewall tests: Determine if CSF is in testing mode
- includes changes from Lynis 2.5.0:
  * CVE-2017-8108: symlink attack may have allowed arbitrary file
    overwrite or privilege escalation (bsc#1043463)
  * Deleted unused tests from database file
  * Additional sysctls are tested
  * Extended test with Symantec components
  * Snort detection
  * Snort configuration file

-------------------------------------------------------------------
Tue Apr 4 09:35:48 UTC 2017 - tuukka.pasanen@ilmi.fi

- Lynis 2.4.8 (Changelog from 2.4.1)
  * More PHP paths added
  * Minor changes to text
  * Show atomic test in report
  * Added FileInstalledByPackage function (dpkg and rpm supported)
  * Mark Arch Linux version as rolling release (instead of unknown)
  * Support for Manjaro Linux
  * Escape files when testing if they are readable
  * Code cleanups
  * Allow host alias to be specified in profile
  * Code readability enhancements
  * Solaris support has been improved
  * Fix for upload function to be used from profile
  * Reduce screen output for mail section, unless --verbose is used
  * Code cleanups and removed 'update release' command
  * Colored output can now be tuned with profile (colors=yes/no)
  * Allow data upload to be set as a profile option
  * Properly detect SSH daemon version
  * Generic code improvements
  * Improved the update check and display
  * Finnish, Portuguese, and Turkish translation
  * Extended support and tests for DragonFlyBSD
  * Option to configure hostid and hostid2 in profile
  * Support for Trend Micro and Cylance (macOS)
  * Remove comments at end of nginx configuration
  * Used machine ID to create host ID when no SSH keys are available
  * Added detection of iptables-save to binaries
  Tests:
    BANN-7126 - Added more words to test for
    CUPS-2308 - Improve logging for CUPS configuration test, removed exception handler
    HTTP-6641 - Support detection for Apache module mod_reqtimeout
    PKGS-7388 - Minor change to detect security repositories
    CRYP-7902 - Test more certificates names, but only if they are not part of a package
    FILE-7524 - Reduce standard screen output for file permissions check
    MALW-3280 - Added Avira detection as a malware scanner
    NAME-4018 - Only perform name services test when resolv.conf file exists
    PKGS-7387 - Check all repositories if they use GPG signing
    SCHD-7704 - Permission checks
    TIME-3104 - Check permissions before open files
    AUTH-9328 - Add missing 0027 and 0077 umasks
    BOOT-5104 - Add initsplash and minor code enhancements
    DBS-1882 - Include Redis configuration file
    FIRE-4502 - Improved detection for iptables modules when using OpenVZ
    PKGS-7381 - Enhanced package audit for FreeBSD
    AUTH-9308 - Improved test for sulogin string (Debian systems)
    FILE-6372 - Properly deal with comment on lines in /etc/fstab
    MAIL-8817 - New test to check Postfix configuration for errors
    SSH-7408 - Corrected SSH check
    AUTH-9308 - Improved test for sulogin string
    MAIL-8818 - Test if Linux version is known before comparing in Postfix banner
    TIME-3116 - Skip stratum 16 items for time pools
    TIME-3148 - New test to detect TZ variable
    AUTH-9208 - Removed double logging
    AUTH-9222 - Improve logging for double groups
    AUTH-9226 - Improve logging for double groups
    BOOT-5177 - Sort systemctl unit files to make them unique
    DBS-1818 - New test to detect MongoDB
    DBS-1820 - New test for MongoDB authentication
    FIRE-4512 - Lowered minimum number of iptables firewall rules
    FIRE-4586 - Fix applied when searching for "-j LOG"
    HRDN-7222 - Changed reporting key of world executable compilers
    SSH-7408 - Added filtering for PermitRootLogin (prohibit-password, OpenSSH 7.0)
    FIRE-4586 - Check logging for firewall components
    KRNL-5788 - Remove exception and style improvements
    KRNL-5830 - Improved logging

-------------------------------------------------------------------
Fri Nov 4 13:41:25 UTC 2016 - matthias.gerstner@suse.com

- lynis 2.4.0
  * Mainly improved support for macOS users
  * Support for CoreOS
  * Support for clamconf utility
  * Support for Chinese translation
  * More sysctl values in the default profile
  * New commands: "upload-only", "show hostids", "show environment", "show os"

-------------------------------------------------------------------
Wed Sep 28 11:45:44 UTC 2016 - astieger@suse.com

- lynis 2.3.4 with various improvements, including:
  * Several tests have extended log details
  * Detection of nftables improved
  * Replaced cut, sed, tr and others commands with binary variable
    (for forensics and future intrusion checking capabilities)
  * OS detection improved

-------------------------------------------------------------------
Thu Sep 15 14:44:27 UTC 2016 - astieger@suse.com

- lynis 2.3.3 with many improvements and updates

-------------------------------------------------------------------
Thu May 12 08:32:25 UTC 2016 - astieger@suse.com

- lynis 2.2.0:
  * new features and tests, small enhancements
  * optimisation, better detection
  * dealing with OS quirks and unexpected results
  * adjustments for supporting more compliance in-depth
  * Detection for CFEngine has been improved
  * now tries to determine if failed logins are properly logged
  * New plugin is introduced to analyze PAM settings
  * Initial support to test UEFI settings, including Secure Boot option.
  * Support added for Unbound DNS caching tool, configuration check
  * Record if a name caching utility is being used like nscd or Unbound.
  * Tests chains of iptables and their default policy (ACCEPT or DROP)
  * Support upcoming nftables technology (status check)
  * Test added to include osqueryd as a supported tool.
  * Detection of firewire is enhanced (both ohci and core detected).
  * Extended the test syslog-ng logging to remote systems.
  * ESET and LMD (Linux Malware Detect) have been added.
  * Discovered malware scanners are also logged to the report.
  * Expanded test for multiple common mount points and define best practice mount flags.
  * Best practices for IPv6 configuration on Linux are now collected.
  * Collect network interface names from most operating systems.
  * Password change test has been extended to both capture minimum and password age.
  * Add Proxu support
  * SystemV init is now detected.
  * Now information will be logged when vulnerable software packages were found.
  * Support for DNF (Dandified YUM) for Fedora systems has been added.
  * Multiple configuration tests of SSH merged.
  * Extend detection of virtual machines (VMware tools)
  * Machine state detection with Puppet, Facter, dmidecode, and lscpu
  * When using pentest mode, it will continue without any delays (=quick mode).
  * Improvements for automatic execution of Lynis
  * Upload improvements

-------------------------------------------------------------------
Wed Jul 29 11:05:22 UTC 2015 - astieger@suse.com

- lynis 2.1.1:
  * performance improvements
  * additional support for Linux distributions and external utilities
  * Apache module directory /usr/lib64/apache has been added, which is used on openSUSE.
  * various other improvements and bug fixes
- update patches for context changes:
  lynis_1.3.1_include_consts.diff, lynis_1.3.5_lynis.diff

-------------------------------------------------------------------
Tue May 12 15:19:07 UTC 2015 - astieger@suse.com

- lynis 2.1.0:
  * Screen output has been improved to provide additional information.
  * Core dump check on Linux is extended to check for actual values as well.
  * Software:
    + McAfee detection has been extended by detecting a running cma binary.
    + Security patch checking with zypper extended.
  * Session timeout:
    + Tests to determine shell time out setting have been extended
    + determine also if variable is exported as a readonly variable.
    + Related compliance section PCI DSS 8.1.8 has been extended.
- includes changes from Lynis 2.0.0:
  * New feature: helpers
  * docker build file audit helper
  * Improved OS support
  * support systemd, docker, nftables
  * New parameters:
    + --dump-options (see all options)
    + --report-file (define a different location for the report file)
- use tarball supplied default.prf
- clean or silence rpmlint warnings

-------------------------------------------------------------------
Tue Feb 17 12:32:20 UTC 2015 - astieger@suse.com

- lynis 1.6.4:
  * New:
    + Boot loader detection for AIX
    + Detection of getcap and lsvg binary
    + Added filesystem_ext to report
    + Detect rootsh
  * Changes:
    + Hide errors when RPM database is faulty and show suggestion instead
    + Allow OpenBSD to gather information on listening network ports
    + Don't trigger warning for Shellshock when doing segfault test
    + Do not run Apache test on OpenBSD and strip control chars
    + Extended AIDE test with configuration validation test
    + Improved Shellshock test regarding non-Linux support
    + Added support for gathering volume groups on AIX
    + Properly parse PAM lines and add them to report
    + Support for boot loader detection on OpenBSD
    + Added uptime detection for OpenBSD systems
    + Support for volume groups on AIX
    + Redirect errors when searching for readlink binary
- includes changes from 1.6.3:
  * New:
    + Added tests for Shellshock bash vulnerability
    + Added test to determine if Snoopy is used
    + New test for qdaemon configuration file
    + Test for GRUB boot loader password
    + New test for qdaemon printer jobs
    + Added ClamXav test for Mac OS X
    + Gentoo vulnerable packages test
    + New test for qdaemon status
    + Gentoo package listing
    + Running Lynis without root permissions will start non-privileged scan
    + Systemd service and timer example file added
    + Added grub2-install to binaries
  * Changes:
    + Adjustments so insecure SSL protocols are detected in nginx config
    + Directories will be skipped when searching for nginx log files
    + Only gather unique name servers from /etc/resolv.conf
    + Properly detect mod_evasive on Gentoo and others
    + Improved swap partition detection in /etc/fstab
    + Improvements to kernel detection (e.g. Gentoo)
    + Test for built-in security options in YUM
    + Improved boot loader detection for GRUB2
    + Split GRUB test into two tests
    + Added Mac OS uptime check
    + Improved GetHostID function for systems having only ip binary
    + Improved testing for symlinked binary directories
    + Minor adjustments to log output
    + Renamed dev directory to extras
- verify source signature
- adjust permissions of items in /usr/share/lynis/include/consts to
  match those requested by main executable
- run spec_cleaner

-------------------------------------------------------------------
Sun Nov 16 00:39:00 UTC 2014 - Led <ledest@gmail.com>

- fix bashisms in scripts

-------------------------------------------------------------------
Wed Sep 24 16:36:21 UTC 2014 - citypw@gmail.com

- Upgrade to version 1.6.2
- Remove files:
  * lynis_1.3.7_include-test-filesystem.diff( already fixed)
  * lynis-1.3.9.tar.gz

-------------------------------------------------------------------
Thu Jan 9 18:45:44 UTC 2014 - saigkill@opensuse.org

- updated to version 1.3.9
- removed patch
  * lynis_1.3.6_include-test-kernel.diff (fixed upstream)

-------------------------------------------------------------------
Wed Dec 11 20:14:06 UTC 2013 - saigkill@opensuse.org

- updated to version 1.3.7
- Changelog:
  * FileExists() and SearchItem() functions were added. The
    yum-security check and iptables binary check were improved, and
    the report was extended to show which tests have been executed
    or skipped
- updated patch
  * lynis_1.3.7_include-test-filesystem.diff

-------------------------------------------------------------------
Tue Dec 10 18:46:14 UTC 2013 - saigkill@opensuse.org

- updated to version 1.3.6
- Removed patches (obsolete):
  * lynis_1.3.5_include_binaries.diff
- Updated patches
  * lynis_1.3.6_include_osdetection.diff
  * lynis_1.3.6_include-test-kernel.diff

-------------------------------------------------------------------
Sun Nov 24 14:29:06 UTC 2013 - saigkill@opensuse.org

- updated to version 1.3.5
- Updated patches:
  o lynis_1.3.1_lynis.diff
  o lynis_1.3.1_include_binaries.diff
  o lynis_1.3.1_include-osdetection.diff
  o lynis_1.3.1_include-test-kernel.diff
- Removed patches (obsolete)
  o lynis_1.3.1_include-test-databases.diff
  o lynis_1.3.1_include-test-storage.diff
  o lynis_1.3.1_include-test-homedirs.diff

-------------------------------------------------------------------
Fri Jun 21 12:22:08 UTC 2013 - thomas@suse.com

- fixed typo in prepare_for_suse.sh

-------------------------------------------------------------------
Fri Jan 25 09:40:52 UTC 2013 - thomas@suse.com

- fixed log message for dbus test
- fixed bash variable incrementation that sneaked in the code

-------------------------------------------------------------------
Mon Jan 14 14:57:15 UTC 2013 - thomas@suse.com

- fixed tests_network_allowed_ports to increment index vars and not
  loop forever

-------------------------------------------------------------------
Thu Jan 10 16:53:32 UTC 2013 - thomas@suse.com

- fixed test_homedirs

-------------------------------------------------------------------
Thu Jan 10 16:46:02 UTC 2013 - thomas@suse.com

- some bugfixing for pathnames, didn't work with sudo
- improved default.prf by adding more sysctl vars
- fixed test_storage
- generated fileperm.db and dbus-whitelist for 12.2

-------------------------------------------------------------------
Mon Dec 26 16:24:35 UTC 2011 - Sascha.Manns@open-slx.de

- fixed conflict in spec

-------------------------------------------------------------------
Mon Dec 26 16:18:01 UTC 2011 - Sascha.Manns@open-slx.de

- updated to version 1.3.0
- from Changelog:
  - New:
    - Profile option: ignore_home_dir
    - TCP wrappers category added
    - Tooling category added
    - Initial extensions to support plugins in the future
    - Test for unpurged Debian packages [PKGS-7346]
    - Test for compiler permissions [HRDN-7222]
  - Changes:
    - Converted all dates to ISO format and updated copyright lines
    - Correct suggestion for file integrity tool [FINT-4350]
    - Added hint when RPM list is empty on DPKG based systems [PKGS-7308]
    - Changed logging for /etc/security/limits.conf file [KRNL-5820]
    - Fixed incorrect warning for single user mode [AUTH-9308]
    - Improved output for stratum 16 time servers [TIME-3116]
    - Added suggestion and screen output for kernel hardening [KRNL-6000]
    - Screen layout optimizations and log file improvements
    - Improved list/layout of scan options
    - Improved binary check for compilers
    - Added configuration option in scan profile (show_tool_tips, default true)

-------------------------------------------------------------------
Thu Apr 7 15:57:31 UTC 2011 - thomas@novell.com

- added patch for apache2 and oracle detection

-------------------------------------------------------------------
Fri Apr 1 22:00:13 UTC 2011 - saigkill@opensuse.org

- removed rpmlintrc and fixed non-executable-script

-------------------------------------------------------------------
Sun Dec 26 19:55:21 UTC 2010 - saigkill@opensuse.org

- prettified spec file
- NOTE: Please submit submitrequests to home:saigkill. This Package
  links to this Repository.

------------------------------------------------------------------- Fri Sep 3 05:41:52 UTC 2010 - thomas@novell.com - fixed %files section to include /etc/lynis ------------------------------------------------------------------- Fri Sep 3 05:12:43 UTC 2010 - thomas@novell.com - fixed %files section to reflect new default.prf location ------------------------------------------------------------------- Fri Sep 3 05:09:47 UTC 2010 - thomas@novell.com - added permdir /root/.gnupg to default.prf ------------------------------------------------------------------- Fri Sep 3 05:04:03 UTC 2010 - thomas@novell.com - copy default.prf to /etc/lynis/ instead of /etc/, otherwise lynis will not find it and hang ------------------------------------------------------------------- Thu Sep 2 11:32:50 UTC 2010 - thomas@novell.com - added %{_datadir}/%{name}/prepare_for_suse.sh ------------------------------------------------------------------- Thu Sep 2 10:56:55 UTC 2010 - thomas@novell.com - adjusted patch and spec file to make it build ------------------------------------------------------------------- Wed Sep 1 12:30:43 UTC 2010 - thomas@novell.com - put code from Matthias Weckbecker sec_check into lynis - adjusted lynis for opensuse - details: + tests_tmp_symlinks + tests_network_allowed_ports + tests_system_proc + tests_file_permissions_ww + tests_binary_rpath + tests_users_wo_password + tests_file_permissionsDB + tests_system_dbus ------------------------------------------------------------------- Wed Dec 16 05:19:37 UTC 2009 - saigkill@opensuse.org - updated to version 1.2.9 - added default.prf ------------------------------------------------------------------- Wed Dec 9 16:21:53 UTC 2009 - saigkill@opensuse.org - update to 1.2.8 ------------------------------------------------------------------- Mon Nov 2 18:16:38 UTC 2009 - saigkill@opensuse.org - update to 1.2.7 - This release adds AIX Support and several new tests related to SSH, logging, databases and SMTP. 
Many minor issues are solved or improved. ----------------------------------------------------------------- Mon Apr 6 09:04:05 CEST 2009 - saigkill@opensuse.org - update to 1.2.6 - This release has several new tests and test improvements, like a sudoers file permissions check, a core dumps configuration check for Linux, PHP tests, and an /etc/issue banner test. ----------------------------------------------------------------- Sat Mar 28 10:27:12 CET 2009 - saigkill@opensuse.org - update to 1.2.5 - This release adds 40+ new tests for services like Dovecot, BIND, PowerDNS, SSH, Exim, and nginx ----------------------------------------------------------------- Tue Mar 17 2009 20:32 CET - mrdocs@opensuse.org - added 1.2.4 release - This release adds more than 30 new tests, including NTP, auditd, PAM, NFS and ClamAV. ------------------------------------------------------------------ Mon Mar 02 22:32 CET 2009 - mrdocs@opensuse.org - 1.2.3 release see CHANGELOG for changes ------------------------------------------------------------------- Thu Feb 26 14:16:35 CET 2009 - pgajdos@suse.cz - removed patches: - passwd-args.patch - suppress-dpkg-error.patch - source repacked gz -> bz2 ------------------------------------------------------------------- Sun Feb 17 2009 - mrdocs@opensuse.org - 1.2.2 release - see CHANGELOG for changes ------------------------------------------------------------------ Mon Feb 16 03:15:44 CET 2009 - saigkill@opensuse.org - updated to Version 1.2.2 ------------------------------------------------------------------ Wed Jan 07 12:00:00 CET 2009 - saigkill@opensuse.org - fixed Rpmlint Errors - branched for Contrib ------------------------------------------------------------------ Wed Nov 10 12:00:00 CET 2008 - saigkill@opensuse.org - initial version using the buildservice