Preparing for 2.2.0 release

mboelen 2016-03-17 13:35:55 +01:00
parent c7b9c21339
commit 057b41265a

CHANGELOG

@ -5,7 +5,8 @@
================================================================================
Author: Michael Boelen, CISOfy (michael.boelen@cisofy.com)
Author: Michael Boelen (2007-2013)
CISOfy (2013-2016)
Description: Security and system auditing tool
Website: https://cisofy.com/lynis/
GitHub: https://github.com/CISOfy/lynis
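Review bot: the two-line Author entry no longer carries the contact address (michael.boelen@cisofy.com) that the single-line version had. If the header is where readers look for a contact, keep the address or add a separate Contact line next to Website and GitHub.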
@ -17,18 +18,43 @@
================================================================================
= Lynis 2.1.x (development version for 2.2.x) =
*** THIS CHANGELOG IS IN PREPARATION FOR THE NEW 2.2.0 RELEASE ***
= Lynis 2.2.0 (pre-release) =
We are proud to present this new release of Lynis. It is a major upgrade, and the
result of many months of work. This version includes new features and tests, and
many small enhancements, to improve the tool. We encourage all to test and
upgrade to this latest release.
many small enhancements. We encourage all to test and upgrade to this latest
release.
* Highlights
------------
The biggest change in this release is the optimization of several functions. It
allows for better detection, and dealing with the quirks, of every single
operating system. Some functions were fortified to better handle unexcepted
results, like missing a particular binary, or not receiving a hostname.
This release enables also tests to be shorter, by adding new functions. Some
functions were renamed or slightly changed, to provide more value to the tooling.
Another big change in this release is a wide set of optimizations and quality
testing. Outdated pieces were removed, or rewritten, to support features seen in
newer distributions.
On the level of compliance adjustments have been made to start supporting more
in-depth testing for this. Ideal for companies who have a particular compliance
need, or want to better enforce the system hardening levels of their systems.
Last but not least, many small changes make this software easier to use. On
our website we added new guides to provide help and support.
We like to specifically thank Kamil Boratyński, Steve Bosek, and Eric Light.
Their contributions helped us greatly shaping this release.
Below are the changes per category:
* Automation tools
------------------
CFEngine detection has been further extended. Additional logging and reporting of automation tools.
Detection for CFEngine has been improved. Also additional logging and reporting
of automation tools.
* Authentication
----------------
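Review bot: "unexcepted results" in the Highlights paragraph should read "unexpected results". In the same paragraph, "This release enables also tests to be shorter" reads better as "This release also allows tests to be shorter", and "On the level of compliance adjustments have been made" needs a comma after "compliance". The "(pre-release)" marker in the "= Lynis 2.2.0 (pre-release) =" heading will have to be dropped when the release is tagged.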
@ -40,11 +66,18 @@ will be gathered and added to the report [AUTH-9234].
New plugin is introduced to analyze PAM settings. It including items like:
- Two-factor authentication methods
- Minimum password length, password strength and protection status against brute force cracking
- Minimum password length, password strength and protection status against brute
force cracking
- Password history
Report option: auth_failed_logins_logged
* Boot
------
Added detection for Mac OSX boot loader. Initial support to test UEFI settings,
including Secure Boot option. Options boot_uefi_booted and
boot_uefi_booted_secure added to report file
* Compliance
------------
This release prepares for upcoming extensions to assist with compliance testing.
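Review bot: the new Boot paragraph ends without a full stop ("... added to report file") and writes "Mac OSX", while BOOT-5106 and the Operating systems section write "Mac OS X"; use one spelling throughout. In the PAM plugin text just above, "It including items like:" should be "It includes items like:".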
@ -63,9 +96,11 @@ to these particular standards.
* DNS and Name services
-----------------------
Support added for Unbound DNS caching tool [NAME-4034]
Configuration check for Unbound [NAME-4036]
Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
Support added for Unbound DNS caching tool [NAME-4034], including a configuration
check [NAME-4036].
Record if a name caching utility is being used like nscd or Unbound. Also logging
to report as field name_cache_used
* Firewalls
-----------
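Review bot: the rewrapped name cache text still ends in a fragment without a full stop ("Also logging to report as field name_cache_used"). Report keys are also introduced three different ways in this changelog: "as field name_cache_used" here, "Report option: auth_failed_logins_logged" under Authentication, and "Options boot_uefi_booted and boot_uefi_booted_secure" under Boot. Anyone parsing the report file would benefit from one wording, for example "Report field: name_cache_used".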
@ -84,34 +119,43 @@ are any rules configured.
Renamed FIRE-4511 to FIRE-4502.
* File Integrity Monitoring
---------------------------
Test added to include osqueryd as a supported tool.
* Hardware
----------
Detection of firewire is enhanced (both ohci and core detected).
* Logging
---------
Extended the test syslog-ng logging to remote systems
Extended the test syslog-ng logging to remote systems. The log Lynis itself
produces is also enhanced, to be more detailed for several tests.
* Malware
---------
ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report.
ESET and LMD (Linux Malware Detect) have been added. Discovered malware scanners
are also logged to the report.
* Mount points
--------------
FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
FILE-6374 is expanded to test for multiple common mount points and define best
practice mount flags.
* Networking
------------
NETW-2600 collects IPv6 configuration and best practices for Linux.
NETW-3004 now collects network interface names from most common operating systems.
Best practices for IPv6 configuration on Linux are now collected. Also network
interface names from most operating systems.
* Operating systems
-------------------
Improved support for Debian 8 systems. Detection for VMware release has been added.
Boot loader exception is not longer displayed when only a subset of tests is performed.
FreeBSD systems can now use service command to gather information about enabled services.
Improved support for Debian 8 systems. Detection for VMware release has been
added. Boot loader exception is not longer displayed when only a subset of tests
is performed. FreeBSD systems can now use service command to gather information
about enabled services.
Support for boot loader detection on Mac OS X
Several paths have been added to allow better detection on systems running
FreeBSD and others.
* Passwords
-----------
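Review bot: the rewritten Networking paragraph drops the test IDs NETW-2600 and NETW-3004 that the two lines it replaces carried. NETW-2600 still appears under Individual tests, but NETW-3004 is not listed anywhere else in this diff, so the interface name change can no longer be traced to a test; keep the IDs in brackets as the other sections do. In Operating systems, "is not longer displayed" should be "is no longer displayed", and "Support for boot loader detection on Mac OS X" repeats what the Boot section already says and lacks a full stop.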
@ -119,7 +163,12 @@ AUTH-9286 change has been extended to both capture minimum and password age.
* Proxy support
---------------
A proxy can now be specified in the profile, to allow uploads via a HTTP or SOCKS proxy.
A proxy can now be specified in the profile, to allow uploads via a HTTP or SOCKS
proxy.
* Service Managers
------------------
SystemV init is now detected.
* Software and Packages
-----------------------
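Review bot: the new Service Managers entry says "SystemV init" while BOOT-5104 under Individual tests says "SysV init"; use one name and add the test ID so the entry can be traced, e.g. "SysV init is now detected [BOOT-5104]." In the Proxy support text, "a HTTP" should be "an HTTP".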
@ -130,18 +179,16 @@ PKGS-7354 (integrity tests).
* SSH
-----
Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
* UEFI and Secure Boot
----------------------
Initial support to test UEFI settings, including Secure Boot option
Options boot_uefi_booted and boot_uefi_booted_secure added to report file
Multiple configuration tests of SSH are now merged into SSH-7408. This enables
easier testing later on and reduces repetition.
* Virtual machines and Containers
---------------------------------
Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools
like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker.
Check file permissions for Docker files, like socket file [CONT-8108]
Detection of virtual machines has been extended in several ways. Now VMware tools
(vmtoolsd) are detected and machine state is improved with tools like Puppet
Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it
before gave error as it found directory /usr/libexec/docker. Check file
permissions for Docker files, like the socket file [CONT-8108].
* Individual tests
------------------
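Review bot: in the Virtual machines and Containers paragraph, "where it before gave error as it found directory /usr/libexec/docker" is hard to parse; "where it previously gave an error because it found the directory /usr/libexec/docker" says the same thing. The CONT-8108 sentence states that permissions of Docker files are checked but not what the test expects of them; one clause on the expected result would help a reader decide whether a finding matters.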
@ -149,27 +196,35 @@ Check file permissions for Docker files, like socket file [CONT-8108]
[AUTH-9230] Removed test as it was merged into AUTH-9228
[AUTH-9234] Support for AIX added
[AUTH-9288] Test for expired passwords
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also
includes improved logging, and support for other operating systems.
[BOOT-5104] Rewrote test to detect SysV init and other service managers
[BOOT-5106] New test to test boot loader on Mac OS X
[BOOT-5180] Only gets executed if runlevel 2 is found
[CONT-8108] New test to test for Docker file permissions
[DBS-1816] Removed suggestion
[FILE-6310] Add more details to test when a symlinked path has been found
[FILE-6410] Added /var/lib/locatedb as search path
[FINT-4338] Added osquery test
[FIRE-4508] Added chains test for iptables
[FIRE-4511] Renamed to FIRE-4502
[FIRE-4536] Support for nftables detection
[FIRE-4538] Basic configuration check for for nftables
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
[HTTP-6622] Determine Apache version and log to report
[HTTP-6624] Ignore wildcard and default entries as ServerName for Apache
[LOGG-2154] Additional support for log destinations for syslog-ng
[PKGS-7308] Split package name and version for RPM based package manager
[PKGS-7350] Support for querying installed packages via Fedora DNF package manager (Dandified YUM)
[PKGS-7352] Query security notices for DNF
[PKGS-7354] Perform integrity tests for package database (DNF)
[MALW-3278] New test to detect LMD (Linux Malware Detect)
[NAME-4406] Changed logic for localhost check and more detailed logging
[NETW-2600] IPv6 configuration check for Linux
[NETW-3032] Added ARP monitoring software test
[PKGS-7308] Split package name and version for RPM based package manager
[PKGS-7350] Support for installed packages via Fedora DNF package manager (Dandified YUM)
[PKGS-7352] Query security notices for DNF
[PKGS-7354] Perform integrity tests for package database (DNF)
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running
[TIME-3170] New test to check NTP configuration files and determine if any of them are world writable
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured
[TIME-3170] New test to check NTP configuration files
* Functions
-----------
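Review bot: the shorter TIME-3104 and TIME-3170 entries lose the part that says what the test decides. TIME-3104 no longer has "yet ntpd isn't running", which changes the condition it describes, and TIME-3170 no longer says the NTP configuration files are checked for being world writable. Keep both clauses and wrap them onto a continuation line, as was done for AUTH-9328. AUTH-9328 itself replaces "/etc/login.conf on systems like FreeBSD" with "other operating systems", which is less useful to someone looking for the file. "[FIRE-4538] Basic configuration check for for nftables" has a doubled "for".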
@ -183,7 +238,8 @@ Check file permissions for Docker files, like socket file [CONT-8108]
[RandomString] Creates a random string of characters
[RemoveTempFiles] Remove any created temporary files
[Report] Replaces the older report function
[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution)
[ReportSuggestion] Allows two additional parameters to store details
(text and external reference to a solution)
[ReportWarning] Like ReportSuggestion() has additional parameters
[ShowComplianceFinding] Display compliance findings
[ShowSymlinkPath] Ensure readlink is available
@ -191,21 +247,24 @@ Check file permissions for Docker files, like socket file [CONT-8108]
* General improvements
----------------------
- When using pentest mode, it will continue without any delays (=quick mode).
- Plugins execution is improved, with improved logged and counting of active plugins.
- Plugins execution is improved, with improved logged and counting of active
plugins.
- Data uploads: provide help when self-signed certificates are used.
- Improved output for tests which before showed results as a warning, while actually are just suggestions.
- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
- Improved output for tests which before showed results as a warning, while
actually are just suggestions.
- Lynis now uses different exit codes, depending on errors or finding warnings.
This helps with automation and any custom scripting you want to apply.
- Preparations to allow compressing the Lynis report file and enhance uploads.
- Added --config option to show what settings file or profile is used.
- Tool tips are displayed, to make Lynis even easier to use.
- Show a warning if the release is older than 4 months.
- PID file has additional checks, including cleanups.
* Special thanks
----------------
We like to specifically thank Kamil Boratyński for his contributions to this release.
* Plugins
---------
[PAM] New plugin available in all versions of Lynis
[PLGN-2602] Replaced mktemp commands with CreateTempFile function
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
--------------------------------------------------------------
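Review bot: "Lynis now uses different exit codes, depending on errors or finding warnings" does not say which codes are returned. Since the next sentence points readers at automation and custom scripting, list the values and their meaning here or name where they are documented. In the Plugins execution item, "with improved logged and counting" should be "with improved logging and counting".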