From 057b41265a31d02dee1ae935f0e8a9f04ec866ba Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 17 Mar 2016 13:35:55 +0100 Subject: [PATCH] Preparing for 2.2.0 release --- CHANGELOG | 147 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 103 insertions(+), 44 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index d8027cbf..07465e72 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -5,7 +5,8 @@ ================================================================================ - Author: Michael Boelen, CISOfy (michael.boelen@cisofy.com) + Author: Michael Boelen (2007-2013) + CISOfy (2013-2016) Description: Security and system auditing tool Website: https://cisofy.com/lynis/ GitHub: https://github.com/CISOfy/lynis 
@@ -17,18 +18,43 @@ ================================================================================ -= Lynis 2.1.x (development version for 2.2.x) = - -*** THIS CHANGELOG IS IN PREPARATION FOR THE NEW 2.2.0 RELEASE *** += Lynis 2.2.0 (pre-release) = We are proud to present this new release of Lynis. It is a major upgrade, and the result of many months of work. This version includes new features and tests, and -many small enhancements, to improve the tool. We encourage all to test and -upgrade to this latest release. +many small enhancements. We encourage all to test and upgrade to this latest +release. + +* Highlights +------------ +The biggest change in this release is the optimization of several functions. It +allows for better detection, and dealing with the quirks, of every single +operating system. Some functions were fortified to better handle unexcepted +results, like missing a particular binary, or not receiving a hostname. + +This release enables also tests to be shorter, by adding new functions. Some +functions were renamed or slightly changed, to provide more value to the tooling. +Another big change in this release is a wide set of optimizations and quality +testing. Outdated pieces were removed, or rewritten, to support features seen in +newer distributions. + +On the level of compliance adjustments have been made to start supporting more +in-depth testing for this. Ideal for companies who have a particular compliance +need, or want to better enforce the system hardening levels of their systems. + +Last but not least, many small changes make this software easier to use. On +our website we added new guides to provide help and support. + +We like to specifically thank Kamil Boratyński, Steve Bosek, and Eric Light. +Their contributions helped us greatly shaping this release. + + +Below are the changes per category: * Automation tools ------------------ -CFEngine detection has been further extended. Additional logging and reporting of automation tools. 
+Detection for CFEngine has been improved. Also additional logging and reporting +of automation tools. * Authentication ---------------- @@ -40,11 +66,18 @@ will be gathered and added to the report [AUTH-9234]. New plugin is introduced to analyze PAM settings. It including items like: - Two-factor authentication methods -- Minimum password length, password strength and protection status against brute force cracking +- Minimum password length, password strength and protection status against brute + force cracking - Password history Report option: auth_failed_logins_logged +* Boot +------ +Added detection for Mac OSX boot loader. Initial support to test UEFI settings, +including Secure Boot option. Options boot_uefi_booted and +boot_uefi_booted_secure added to report file + * Compliance ------------ This release prepares for upcoming extensions to assist with compliance testing. @@ -63,9 +96,11 @@ to these particular standards. * DNS and Name services ----------------------- -Support added for Unbound DNS caching tool [NAME-4034] -Configuration check for Unbound [NAME-4036] -Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used +Support added for Unbound DNS caching tool [NAME-4034], including a configuration +check [NAME-4036]. + +Record if a name caching utility is being used like nscd or Unbound. Also logging +to report as field name_cache_used * Firewalls ----------- 
@@ -84,34 +119,43 @@ are any rules configured. Renamed FIRE-4511 to FIRE-4502. +* File Integrity Monitoring +--------------------------- +Test added to include osqueryd as a supported tool. + * Hardware ---------- Detection of firewire is enhanced (both ohci and core detected). * Logging --------- -Extended the test syslog-ng logging to remote systems +Extended the test syslog-ng logging to remote systems. The log Lynis itself +produces is also enhanced, to be more detailed for several tests. * Malware --------- -ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report. +ESET and LMD (Linux Malware Detect) have been added. Discovered malware scanners +are also logged to the report. * Mount points -------------- -FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags. +FILE-6374 is expanded to test for multiple common mount points and define best +practice mount flags. * Networking ------------ -NETW-2600 collects IPv6 configuration and best practices for Linux. -NETW-3004 now collects network interface names from most common operating systems. +Best practices for IPv6 configuration on Linux are now collected. Also network +interface names from most operating systems. * Operating systems ------------------- -Improved support for Debian 8 systems. Detection for VMware release has been added. -Boot loader exception is not longer displayed when only a subset of tests is performed. -FreeBSD systems can now use service command to gather information about enabled services. +Improved support for Debian 8 systems. Detection for VMware release has been +added. Boot loader exception is not longer displayed when only a subset of tests +is performed. FreeBSD systems can now use service command to gather information +about enabled services. 
-Support for boot loader detection on Mac OS X +Several paths have been added to allow better detection on systems running +FreeBSD and others. * Passwords ----------- @@ -119,7 +163,12 @@ AUTH-9286 change has been extended to both capture minimum and password age. * Proxy support --------------- -A proxy can now be specified in the profile, to allow uploads via a HTTP or SOCKS proxy. +A proxy can now be specified in the profile, to allow uploads via a HTTP or SOCKS +proxy. + +* Service Managers +------------------ +SystemV init is now detected. * Software and Packages ----------------------- @@ -130,18 +179,16 @@ PKGS-7354 (integrity tests). * SSH ----- -Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition. - -* UEFI and Secure Boot ----------------------- -Initial support to test UEFI settings, including Secure Boot option -Options boot_uefi_booted and boot_uefi_booted_secure added to report file +Multiple configuration tests of SSH are now merged into SSH-7408. This enables +easier testing later on and reduces repetition. * Virtual machines and Containers --------------------------------- -Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools -like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker. -Check file permissions for Docker files, like socket file [CONT-8108] +Detection of virtual machines has been extended in several ways. Now VMware tools +(vmtoolsd) are detected and machine state is improved with tools like Puppet +Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it +before gave error as it found directory /usr/libexec/docker. Check file +permissions for Docker files, like the socket file [CONT-8108]. * Individual tests ------------------ 
@@ -149,27 +196,35 @@ Check file permissions for Docker files, like socket file [CONT-8108] [AUTH-9230] Removed test as it was merged into AUTH-9228 [AUTH-9234] Support for AIX added [AUTH-9288] Test for expired passwords -[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD. +[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also + includes improved logging, and support for other operating systems. +[BOOT-5104] Rewrote test to detect SysV init and other service managers [BOOT-5106] New test to test boot loader on Mac OS X [BOOT-5180] Only gets executed if runlevel 2 is found [CONT-8108] New test to test for Docker file permissions +[DBS-1816] Removed suggestion +[FILE-6310] Add more details to test when a symlinked path has been found [FILE-6410] Added /var/lib/locatedb as search path +[FINT-4338] Added osquery test [FIRE-4508] Added chains test for iptables [FIRE-4511] Renamed to FIRE-4502 [FIRE-4536] Support for nftables detection [FIRE-4538] Basic configuration check for for nftables [HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox +[HTTP-6622] Determine Apache version and log to report +[HTTP-6624] Ignore wildcard and default entries as ServerName for Apache [LOGG-2154] Additional support for log destinations for syslog-ng -[PKGS-7308] Split package name and version for RPM based package manager -[PKGS-7350] Support for querying installed packages via Fedora DNF package manager (Dandified YUM) -[PKGS-7352] Query security notices for DNF -[PKGS-7354] Perform integrity tests for package database (DNF) [MALW-3278] New test to detect LMD (Linux Malware Detect) +[NAME-4406] Changed logic for localhost check and more detailed logging [NETW-2600] IPv6 configuration check for Linux [NETW-3032] Added ARP monitoring software test +[PKGS-7308] Split package name and version for RPM based package manager +[PKGS-7350] 
Support for installed packages via Fedora DNF package manager (Dandified YUM) +[PKGS-7352] Query security notices for DNF +[PKGS-7354] Perform integrity tests for package database (DNF) [SHLL-6230] Test for umask values in shell configuration files (e.g. rc files) -[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running -[TIME-3170] New test to check NTP configuration files and determine if any of them are world writable +[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured +[TIME-3170] New test to check NTP configuration files * Functions ----------- @@ -183,7 +238,8 @@ Check file permissions for Docker files, like socket file [CONT-8108] [RandomString] Creates a random string of characters [RemoveTempFiles] Remove any created temporary files [Report] Replaces the older report function -[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution) +[ReportSuggestion] Allows two additional parameters to store details + (text and external reference to a solution) [ReportWarning] Like ReportSuggestion() has additional parameters [ShowComplianceFinding] Display compliance findings [ShowSymlinkPath] Ensure readlink is available 
@@ -191,21 +247,24 @@ Check file permissions for Docker files, like socket file [CONT-8108] * General improvements ---------------------- - When using pentest mode, it will continue without any delays (=quick mode). -- Plugins execution is improved, with improved logged and counting of active plugins. +- Plugins execution is improved, with improved logged and counting of active + plugins. - Data uploads: provide help when self-signed certificates are used. -- Improved output for tests which before showed results as a warning, while actually are just suggestions. -- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply. +- Improved output for tests which before showed results as a warning, while + actually are just suggestions. +- Lynis now uses different exit codes, depending on errors or finding warnings. + This helps with automation and any custom scripting you want to apply. - Preparations to allow compressing the Lynis report file and enhance uploads. +- Added --config option to show what settings file or profile is used. - Tool tips are displayed, to make Lynis even easier to use. +- Show a warning if the release is older than 4 months. - PID file has additional checks, including cleanups. -* Special thanks ----------------- -We like to specifically thank Kamil Boratyński for his contributions to this release. * Plugins --------- [PAM] New plugin available in all versions of Lynis +[PLGN-2602] Replaced mktemp commands with CreateTempFile function [PLGN-2804] Limit report output of EXT file systems to 1 item per line --------------------------------------------------------------
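Review bot: Typo and wording issues in the new Highlights text of hunk @@ -17,18 +18,43 @@: "better handle unexcepted results" should read "better handle unexpected results"; "This release enables also tests to be shorter" reads better as "This release also enables tests to be shorter"; "helped us greatly shaping this release" should be "helped us greatly in shaping this release". In the same hunk the Automation tools line "Also additional logging and reporting of automation tools." is a sentence fragment; suggest "Logging and reporting of automation tools has also been extended."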
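Review bot: The new Boot section in hunk @@ -40,11 +66,18 @@ ends with "boot_uefi_booted_secure added to report file" without a terminating period, unlike the surrounding sentences; add one. While editing this section, the unchanged context line "New plugin is introduced to analyze PAM settings. It including items like:" carries a pre-existing grammar error and could become "It includes items like:".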
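Review bot: In hunk @@ -63,9 +96,11 @@ the re-wrapped line "Also logging to report as field name_cache_used" is a fragment with no terminating period; suggest "The result is also logged to the report as field name_cache_used."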
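Review bot: The Networking rewrite in hunk @@ -84,34 +119,43 @@ drops both test identifiers from the removed lines "-NETW-2600 collects IPv6 configuration and best practices for Linux." and "-NETW-3004 now collects network interface names from most common operating systems.", and NETW-3004 is not listed under Individual tests either, so that reference disappears from the changelog entirely; other sections keep their IDs in brackets, so suggest "[NETW-2600]" and "[NETW-3004]" in the new sentences. Also in this hunk, "Also network interface names from most operating systems." is a fragment, and "Boot loader exception is not longer displayed" should read "no longer displayed" now that the line is being re-wrapped anyway.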
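Review bot: Minor grammar in hunk @@ -119,7 +163,12 @@: "to allow uploads via a HTTP or SOCKS proxy" should be "via an HTTP or SOCKS proxy".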
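Review bot: In hunk @@ -130,18 +179,16 @@ the re-wrapped sentence "Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker." reads awkwardly; suggest "where it previously gave an error because it found the directory /usr/libexec/docker". Removing the UEFI and Secure Boot section here is fine since the same text now lives under Boot, but the two copies should be kept identical in wording.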
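Review bot: Several re-wrapped entries in hunk @@ -149,27 +196,35 @@ lose meaning rather than just line length. "[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured" drops the condition "yet ntpd isn't running", so the entry no longer states when the suggestion is shown; "[TIME-3170] New test to check NTP configuration files" drops "and determine if any of them are world writable", which was the actual purpose of the test; "[AUTH-9328] ... support for other operating systems" replaces the concrete "/etc/login.conf on systems like FreeBSD". Suggest keeping the original wording and continuing on an indented second line, as is already done for AUTH-9328 and ReportSuggestion. The unchanged context line "[FIRE-4538] Basic configuration check for for nftables" also has a duplicated "for".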
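Review bot: Two grammar issues survive the re-wrap in hunk @@ -191,21 +247,24 @@: "with improved logged and counting of active plugins" should be "with improved logging and counting of active plugins", and "while actually are just suggestions" should be "while they are actually just suggestions". Dropping the "Special thanks" section is consistent with the expanded acknowledgement added to Highlights in the earlier hunk.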