diff --git a/CHANGELOG b/CHANGELOG index e04b0710..d8027cbf 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -5,7 +5,7 @@ ================================================================================ - Author: Michael Boelen (michael.boelen@cisofy.com) + Author: Michael Boelen, CISOfy (michael.boelen@cisofy.com) Description: Security and system auditing tool Website: https://cisofy.com/lynis/ GitHub: https://github.com/CISOfy/lynis @@ -32,8 +32,11 @@ CFEngine detection has been further extended. Additional logging and reporting o * Authentication ---------------- -Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes -checking for /etc/login.defs [AUTH-9408]. Merged previous password check for Solaris into test AUTH-9228. +Depending on the operating system, Lynis now tries to determine if failed logins +are properly logged. This includes checking for /etc/login.defs file [AUTH-9408]. +Merged previous password check for Solaris into test AUTH-9228. User ids on AIX +will be gathered and added to the report [AUTH-9234]. + New plugin is introduced to analyze PAM settings. It including items like: - Two-factor authentication methods @@ -44,8 +47,10 @@ Report option: auth_failed_logins_logged * Compliance ------------ -This release prepares for upcoming extensions to assist with compliance testing. The profile has a new option, which can b -Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards. +This release prepares for upcoming extensions to assist with compliance testing. +The profile has a new option, which can be used to define what standards should +be tested for, if any test is available. The related option is: +compliance_standards Right now these standards can be selected: - CIS benchmarks 
@@ -53,6 +58,9 @@ Right now these standards can be selected: - ISO27001/ISO27002 - PCI DSS +Note that additional tests will be implemented in future releases and then tagged +to these particular standards. + * DNS and Name services ----------------------- Support added for Unbound DNS caching tool [NAME-4034] @@ -109,9 +117,16 @@ Support for boot loader detection on Mac OS X ----------- AUTH-9286 change has been extended to both capture minimum and password age. +* Proxy support +--------------- +A proxy can now be specified in the profile, to allow uploads via a HTTP or SOCKS proxy. + * Software and Packages ----------------------- -Log when vulnerable software packages were found +Now informationed will be logged when vulnerable software packages were found. +Support for DNF (Dandified YUM) for Fedora systems has been added. This is done +in several tests: PKGS-7350 (installed packages), PKGS-7352 (security notices), +PKGS-7354 (integrity tests). * SSH ----- @@ -132,6 +147,7 @@ Check file permissions for Docker files, like socket file [CONT-8108] ------------------ [AUTH-9204] Exclude NIS entries to avoid false positives [AUTH-9230] Removed test as it was merged into AUTH-9228 +[AUTH-9234] Support for AIX added [AUTH-9288] Test for expired passwords [AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD. [BOOT-5106] New test to test boot loader on Mac OS X 
@@ -145,6 +161,9 @@ Check file permissions for Docker files, like socket file [CONT-8108] [HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox [LOGG-2154] Additional support for log destinations for syslog-ng [PKGS-7308] Split package name and version for RPM based package manager +[PKGS-7350] Support for querying installed packages via Fedora DNF package manager (Dandified YUM) +[PKGS-7352] Query security notices for DNF +[PKGS-7354] Perform integrity tests for package database (DNF) [MALW-3278] New test to detect LMD (Linux Malware Detect) [NETW-2600] IPv6 configuration check for Linux [NETW-3032] Added ARP monitoring software test @@ -154,6 +173,7 @@ Check file permissions for Docker files, like socket file [CONT-8108] * Functions ----------- +[CreateTempFile] Create a temporary file [DigitsOnly] New function to extract only numbers from a text string [DisplayManual] New function to show text on screen without any markup [ExitCustom] New function to allow program to exit with a different exit code, depending on outcome @@ -161,6 +181,7 @@ Check file permissions for Docker files, like socket file [CONT-8108] [IsWordWritable] Changed return codes for easier usage of the function [LogText] Replaces the older logtext function [RandomString] Creates a random string of characters +[RemoveTempFiles] Remove any created temporary files [Report] Replaces the older report function [ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution) [ReportWarning] Like ReportSuggestion() has additional parameters 
@@ -170,6 +191,7 @@ Check file permissions for Docker files, like socket file [CONT-8108] * General improvements ---------------------- - When using pentest mode, it will continue without any delays (=quick mode). +- Plugins execution is improved, with improved logged and counting of active plugins. - Data uploads: provide help when self-signed certificates are used. - Improved output for tests which before showed results as a warning, while actually are just suggestions. - Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
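Review bot: In the Compliance hunk (@@ -44,8 +47,10 @@), the rewritten paragraph no longer says where the option lives. The removed line stated "Added new compliance_standards option to default.prf", while the new text only says "The profile has a new option". Keep the file name, for example "The related option in default.prf is: compliance_standards", so readers maintaining a custom profile know which file to compare against.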
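Review bot: In the hunk at @@ -109,9 +117,16 @@, the new Software and Packages line "Now informationed will be logged when vulnerable software packages were found." has a typo and mixed tenses; suggest "Information is now logged when vulnerable software packages are found." In the same hunk, the Proxy support entry should read "an HTTP or SOCKS proxy" and should name the profile option that sets the proxy, the way the Authentication and Compliance sections name auth_failed_logins_logged and compliance_standards. As written, a reader cannot tell from the changelog which setting routes uploads through the proxy.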
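Review bot: In the test list hunk (@@ -145,6 +161,9 @@), the three new entries [PKGS-7350], [PKGS-7352] and [PKGS-7354] are placed directly after [PKGS-7308], which puts four PKGS lines ahead of [MALW-3278] and the NETW entries. The rest of the list runs alphabetically by test ID (HOME, LOGG, then MALW, NETW), so consider moving the whole PKGS group below the NETW lines while this part of the list is being touched.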
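Review bot: In the Functions hunk at @@ -154,6 +173,7 @@, "[CreateTempFile] Create a temporary file" is missing documentation that matters for an auditing tool that usually runs as root. The entry should state how the caller receives the file name and what the caller can rely on regarding the file's location and permissions. It would also help to follow the wording of the neighbouring entries ("New function to ...") and to mention that the files are meant to be cleaned up with RemoveTempFiles.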
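Review bot: In the Functions hunk at @@ -161,6 +181,7 @@, "[RemoveTempFiles] Remove any created temporary files" does not say when the cleanup runs or which files it covers. The same list introduces [ExitCustom] for exiting with different exit codes, so the entry should say whether RemoveTempFiles is called on those exit paths too, and whether it only removes files created through CreateTempFile.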
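Review bot: In the General improvements hunk (@@ -170,6 +191,7 @@), the added bullet "Plugins execution is improved, with improved logged and counting of active plugins." has a typo ("logged" for "logging") and repeats "improved". Suggest "Plugin execution is improved, with better logging and counting of active plugins."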