diff --git a/CHANGELOG b/CHANGELOG index f53d4435..a0b49089 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -17,61 +17,84 @@ ================================================================================ - = Lynis 2.1.2 = + = Lynis 2.1.3 = This is an major release, which includes both new features and enhancements to existing tests. - * Operating systems - Improved support for Debian 8 - Don't show boot loader exception when a subset of tests is performed - - * Screen output - Improved output for tests which before showed results as a warning, while actually are just suggestions - - * Virtual machines - Detection of virtual machines extended with vmtoolsd detection - - * Mount points - FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags. - - * Docker - Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker - - * UEFI and Secure Boot - Initial support to test UEFI settings, including Secure Boot option - Options boot_uefi_booted and boot_uefi_booted_secure added to report file + * Automation tools + ------------------ + CFEngine detection has been further extended. Additional logging and reporting of automation tools. * Authentication + ---------------- Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes - checking for /etc/login.defs [AUTH-9408] + checking for /etc/login.defs [AUTH-9408]. Merged password check on Solaris into AUTH-9228. report option: auth_failed_logins_logged - **** ^ NEEDS more tests ################################### * DNS and Name services + ----------------------- Support added for Unbound DNS caching tool [NAME-4034] Configuration check for Unbound [NAME-4036] Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used * Firewalls + ----------- IPFW firewall on FreeBSD test improved + Don't show pflogd status on screen when pf is not available + + * Malware + --------- + LMD (Linux Malware Detect) is now recognized as a malware scanner + + * Mount points + -------------- + FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags. + + * Operating systems + ------------------- + Improved support for Debian 8 systems. + Boot loader exception is not longer displayed when only a subset of tests is performed. + FreeBSD systems can now use service command to gather information about enabled services. + + * UEFI and Secure Boot + ---------------------- + Initial support to test UEFI settings, including Secure Boot option + Options boot_uefi_booted and boot_uefi_booted_secure added to report file + + * Virtual machines and Containers + --------------------------------- + Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools + like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker. + Check file permissions for Docker files, like socket file [CONT-8108] * Individual tests - BOOT-5180 now only gets executed if runlevel 2 is found - AUTH-9328 show correct message when no umask is found in /etc/profile, including correct logging entries - AUTH-9204 now excludes NIS entries to avoid false positives - TIME-3104 Only shows suggestion now on FreeBSD if ntpdate is configured, yet ntpd isn't running - FILE-6410 Added /var/lib/locatedb as search path + ------------------ + [AUTH-9204] Exclude NIS entries to avoid false positives + [AUTH-9230] Removed test as it was merged into AUTH-9228 + [AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD. + [BOOT-5180] Only gets executed if runlevel 2 is found + [CONT-8108] New test to test for Docker file permissions + [FILE-6410] Added /var/lib/locatedb as search path + [MALW-3278] New test to detect LMD (Linux Malware Detect) + [SHLL-6230] Test for umask values in shell configuration files (e.g. rc files) + [TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running - Don't wait when using pentest mode in quick mode - Data uploads: provide help when self-signed certificates are used - - - - 8888888888888888888888888 - implement base64 - 8888888888888888888888888 + * Functions + ----------- + [ExitCustom] New function to allow program to exit with a different exit code, depending on outcome. + [ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution) + [ReportWarning] Like ReportSuggestion() has additional parameters + * General improvements + ---------------------- + - When using pentest mode, it will continue without any delays (=quick mode) + - Data uploads: provide help when self-signed certificates are used + - Improved output for tests which before showed results as a warning, while actually are just suggestions + - Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any + custom scripting you want to apply + - Tool tips are displayed, to make Lynis even easier to use + - PID file has additional checks, including cleanups * Plugins ---------