Changelog for
lynis-3.1.2-150400.116.1.noarch.rpm :
* Thu Sep 26 2024 rfrohlAATTsuse.com- Update to 3.1.2:
* Added - Detection of ALT Linux - Detection of Athena OS - Detection of Container-Optimized OS from Google - Detection of Koozali SME Server - Detection of Nobara Linux - Detection of Open Source Media Center (OSMC) - Detection of PostmarketOS - CRYP-7932 - macOS FileVault encryption test - FILE-6398 - Check if JBD (Journal Block Device) driver is loaded - FINT-4344 - Wazuh system running state - PKGS-7305 - Query macOS Apps in /Applications and CoreServices - File added: .editorconfig, which is used by editors to standardize formatting
* Changed - Correction of software EOL database and inclusion of AIX entries - Support sysctl value perf_event_paranoid -> 2|3 - Update of translations: German, Portuguest, Turkish - Grammar and spell improvements - Improved package detection on Alpine Linux - Slackware support to check installed packges (functionPackageIsInstalled()) - Added words prosecute/report to LEGAL_BANNER_STRINGS - Busybox support: Replace newer tr command syntax with older ascii specific operations - Added Wazuh as a malware scanner/antivirus and rootkit detection tool - Updated PHP versions and removed PHP 5 (deprecated) - AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc) - CONT-8104 - Checking for errors, not only warning in docker info output - DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD - FILE-6344 - Test kernel version (major/minor) - INSE-8000 - Added inetd package and service name used in ubuntu 24.04 - KRNL-5622 - Use systemctl get-default instead of following link - KRNL-5820 - Accept ulimit with -H parameter also - LOGG-2144 - Check for wazuh-agent presence on Linux systems - MACF-6234 - Test if semanage binary is available - MALW-3200 - ESET Endpoint Antivirus added - MALW-3280 - McAfee Antivirus for Linux deprecated - MALW-3291 - Check if Microsoft Defender Antivirus is installe - NETW-3200 - Added regex to allow both /bin/true as /bin/false - PKGS-7303 - Added version numbers to brew packages - PKGS-7370 - Cron job check for debsums improved - PKGS-7392 - Improved filtering of apt-check output (Ubuntu 24.04 may give an error) - PKGS-7410 - Added kernel name for Hardkernel odroid XU4- update additional_module_blacklist_locations.patch
* Sun Mar 17 2024 rfrohlAATTsuse.com- Update to 3.1.1:
* Added - Detection of ArcoLinux
* Changed - DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf) - DBS-1882 - Check /snap directory location for Redis configuration file
* Mon Mar 11 2024 rfrohlAATTsuse.com- Update to 3.1.0:
* Added - Translation: Indonesian
* Changed - MALW-3280 - Correction to detect com.avast.daemon - OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP LSDK, OpenEmbedded \"nodistro\", and The Yocto Projects distro \"Poky\" - Updated Amazon Linux EOL dates and addition of Amazon Linux 2023 - STATUS_NOT_ACTIVE variable added to translation files - End-of-life dates updated - Fixing missing or erroneous test number comments - Detection of SentinelOne corrected - Wazuh for file integrity and tooling - Updated parsing output of arch-audit - Added support for SentinelOne detection - Replacing deprecated option -i for xargs - Path detection for PostgreSQL improved- Updated additional_module_blacklist_locations.patch
* Fri Mar 01 2024 pgajdosAATTsuse.com- Use %patch -P N instead of deprecated %patchN.
* Sun Nov 12 2023 dmuellerAATTsuse.com- add missing gawk dependency
* Thu Aug 03 2023 rfrohlAATTsuse.com- Update to 3.0.9:
* Changed - DBS-1820 - Added newer style format for Mongo authorization setting - FILE-6410 - Locations added for plocate - SSH-7408 - Only test Compression if sshd version < 7.4 - Improved fetching timestamp - Minor changes such as typos
* Tue May 17 2022 rfrohlAATTsuse.com- Update to 3.0.8:
* Added - MALW-3274 - Detect McAfee VirusScan Command Line Scanner - PKGS-7346 Check Alpine Package Keeper (apk) - PKGS-7395 Check Alpine upgradeable packages - EOL for Alpine Linux 3.14 and 3.15
* Changed - AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2) - FILE-7524 - Test enhanced to support symlinks - HTTP-6643 - Support ModSecurity version 2 and 3 - KRNL-5788 - Only run relevant tests and improved logging - KRNL-5820 - Additional path for security/limits.conf - KRNL-5830 - Check for /var/run/needs_restarting (Slackware) - KRNL-5830 - Add a presence check for /boot/vmlinuz - PRNT-2308 - Bugfix that prevented test from storing values correctly - Extended location of PAM files for AARCH64 - Some messages in log improved- accepted upstream, removed additional_paths_security-limits.patch
* Fri Feb 04 2022 rfrohlAATTsuse.com- cover /usr/etc/security/limits.conf too (boo#1194446) added additional_paths_security-limits.patch
* Tue Jan 18 2022 rfrohlAATTsuse.com- Update to 3.0.7:
* Added - MALW-3290 - Show status of malware components - OS detection for RHEL 6 and Funtoo Linux - Added service manager openrc
* Changed - DBS-1804 - Added alias for MariaDB - FINT-4316 - Support for newer Ubuntu versions - MALW-3280 - Added Trend Micro malware agent - NETW-3200 - Allow unknown number of spaces in modprobe blacklists - PKGS-7320 - Support for Garuda Linux and arch-audit - Several improvements for busybox shell - Russian translation of Lynis extended- replace 0x429A566FD5B79251 with 0x9DE922F1C2FDE6C4 in lynis.keyring according to https://packages.cisofy.com/- update additional_module_blacklist_locations.patch
* Wed Oct 13 2021 jsegitzAATTsuse.com- Add additional_module_blacklist_locations.patch to check fo blacklisted modules under /usr/lib/modules.d
* Mon Oct 11 2021 infoAATTpaolostivanin.com- Update to 3.0.6:
* Added - OS detection: Artix Linux, macOS Monterey, NethServer, openSUSE MicroOS - Check for outdated translation files
* Changed - DBS-1826 - Check if PostgreSQL is being used - DBS-1828 - Test multiple PostgreSQL configuration file(s) - KRNL-5830 - Sort kernels by version instead of modification date - PKGS-7410 - Don\'t show exception for systems using LXC - GetHostID function: fallback options added for Linux systems - Fix: show correct text when egrep is missing - Fix: variable name for PostgreSQL
* Thu Sep 16 2021 jsegitzAATTsuse.com- Changed tests_binary_rpath to subtract points for files found with RPATH set, not add points for files that are configured correctly. This resulted in a huge number of points that skewed the overal result
* Sat Jul 03 2021 andreas.stiegerAATTgmx.de- fix SLE 12 build
* Fri Jul 02 2021 rfrohlAATTsuse.com- Update to 3.0.5
* Added - OS detection of Arch Linux 32, BunsenLabs Linux, and Rocky Linux - CRYP-8006 - Check MemoryOverwriteRequest bit to protect against cold-boot attacks (Linux)
* Changed - ACCT-9622 - Corrected typo - HRDN-7231 - When calling wc, use the short -l flag instead of --lines (Busybox compatibility) - PKGS-7320 - extended to Arch Linux 32 - Generation of host identifiers (hostid/hostid2) extended - Linux host identifiers are now using ip as preferred input source - Improved logging in several areas
* Tue May 11 2021 jsegitzAATTsuse.com- Update to 3.0.4
* Added - ACCT-9670 - Detection of cmd tooling - ACCT-9672 - Test cmd configuration file - BOOT-5140 - Check for ELILO boot loader presence - OS detection of AlmaLinux, Garuda Linux, Manjaro (ARM), and others
* Changed - BOOT-5104 - Add service manager detection support for runit - FILE-6430 - Report suggestion only when at least one kernel module is not in the blacklist - FIRE-4540 - Corrected nftables empy ruleset test - LOGG-2138 - Do not check for klogd when metalog is being used - TIME-3185 - Improved support for Debian stretch - Corrected issue when Lynis is not executed directly from lynis directory
* Thu Jan 07 2021 atoptsoglouAATTsuse.com- Update to 3.0.3
* Added - Check for registered non-native binary formats - OS detection of Parrot GNU/Linux
* Changed - Force test to check only password authentication - Support for NetBSD
* Fixed: command \'configure settings\' did not work as intended
* Mon Jan 04 2021 rfrohlAATTsuse.com- Update to 3.0.2
* Added - Scan for locked user accounts in /etc/passwd - Loghost configuration - Check for active Suricata daemon - OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS - OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others - EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11 - Support for Solaris svcs (service manager) - Enumeration of Solaris services
* Changed - Detect sysstat systemd unit - Only fail if both SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are undefined - Support for Solaris - Improved reboot test by ignoring known bad values - Ignore rescue kernel such as on CentOS systems - Detection of Alpine Linux kernel - Compatibility change for hostname check - Support for Solaris - Don\'t show exception if no kernels were found on the disk - Supports now checking files at multiple locations (systemd) - ParseNginx function: Support include on absolute paths - ParseNginx function: Ignore empty included wildcards - Set \'RHEL\' as OS_NAME for Red Hat Enterprise Linux - HostID: Use first e1000 interface and break after match - Translations extended and updated - Test if pgrep exists before using it - Better support for busybox shell - Small code enhancements
* Fri Nov 13 2020 jsegitzAATTsuse.com- Add a Requires for net-tools-deprecated, as legacy binary binaries are still used by some of the custom lynis tests we ship. Later on I\'ll port them to use current binaries and remove this again
* Mon Oct 05 2020 rfrohlAATTsuse.com- Update to 3.0.1
* Added - Detection of Alpine Linux - Detection of CloudLinux - Detection of Kali Linux - Detection of Linux Mint - Detection of macOS Big Sur (11.0) - Detection of Pop!_OS - Detection of PHP 7.4 - Malware detection tool: Microsoft Defender ATP - New flag: --slow-warning to allow tests more time before showing a warning - Test TIME-3185 to check systemd-timesyncd synchronized time - rsh host file permissions
* Changed - Added option for LOCKED accounts and bugfix for older bash versions - Presence check for grub.d added - Added support for certificates in DER format - Added data to report - Redirect errors (e.g. when swap is not encrypted) - Don\'t grep nonexistant modprobe.d files - Set initial firewall state - Corrected text on screen - Handle zipped kernel configuration correctly - Improved version detection for non-symlinked kernel - Extended detection of BitDefender - Find more time synchronization commands - Corrected detection of time peers - Fix: hostid generation routine would sometimes show too short IDs - Fix: language detection - Generic improvements for macOS - German translation updated - End-of-life database updated
* Thu Jun 18 2020 rfrohlAATTsuse.com- Update to 3.0.0
* Security issues - CVE-2020-13882: incorrect Access Control because of a TOCTOU race condition (boo#1173141). - CVE-2019-13033: local disclosure of license key when data is uploaded (boo#1173142).
* Breaking change: Non-interactive by default - Lynis now runs non-interactive by default, to be more in line with the Unix philosophy. So the previously used \'--quick\' option is now default, and the tool will only wait when using the \'--wait\' option.
* Breaking change: Deprecated options - Option: -c - Option: --check-update/--info - Option: --dump-options - Option: --license-key
* Breaking change: Profile options - The format of all profile options are converted (from key:value to key=value). You may have to update the changes you made in your custom.prf.
* Security - An important focus area for this release is on security. We added several measures to further tighten any possible misuse.
* New: DevOps, Forensics, and pentesting mode - This release adds initial support to allow defining a specialized type of audit Using the relevant options, the scan will change base on the intended goal.- Further features, bug fixes and details about the release listed in https://raw.githubusercontent.com/CISOfy/lynis/3.0.0/CHANGELOG.md
* Tue Jun 25 2019 rfrohlAATTsuse.com- Update to 2.7.5 Added:
* Danish translation
* Slackware end-of-life information
* Detect BSD-style (rc.d) init in Linux systems
* Detection of Bro and Suricata (IDS) Changed:
* Corrected end-of-life entries for CentOS 5 and 6
* Change name to check in /etc/passwd file for QNAP devices
* AIX enhancement to use correct find statement
* Filter on correct field for AIX
* Set ss command as preferred option for Linux and changed output format
* List of PHP ini file locations has been extended
* Removed several pieces of the code as part of cleanup and code health
* Extended help
* Mon Jun 03 2019 tuukka.pasanenAATTilmi.fi- Add more false-positive packages to Dbus database: tuned, autofs, lightdm, geoglue2, snapper and ModemManager
* Wed May 29 2019 tuukka.pasanenAATTilmi.fi- Add these common false-positive packages to Dbus database whitelist: FirewallD, SystemD and Wicked
* Tue Apr 23 2019 rfrohlAATTsuse.com- Update to 2.7.4 Added
* FILE-6324 - Discover XFS mount points
* INSE-8000 - Installed inetd package
* INSE-8100 - Installed xinetd package
* INSE-8102 - Status of xinet daemon
* INSE-8104 - xinetd configuration file
* INSE-8106 - xinetd configuration for inactive daemon
* INSE-8200 - Usage of TCP wrappers
* INSE-8300 - Presence of rsh client
* INSE-8302 - Presence of rsh server
* Detect equery binary detection
* New \'generate\' command Changed
* AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
* PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
* PKGS-7420 - Detect toolkit to automatically download and apply upgrades
* PKGS-7328 - Added global Zypper option --non-interactive
* PKGS-7386 - Only show warning when vulnerable packages were discovered
* PKGS-7392 - Skip test for Zypper-based systems
* Minor changes to improve text output, test descriptions, and logging
* Changed CentOS identifiers in end-of-life database
* AIX enhancement for IsRunning function
* Extended PackageIsInstalled function
* Improve text output on AIX systems
* Corrected lsvg binary detection
* Thu Mar 21 2019 rfrohlAATTsuse.com- update to 2.7.3 Added
* Detection for Lynis being scheduled (e.g. cronjob) Changed
* HTTP-6624 - Improved logging for test
* KRNL-5820 - Changed color for default fs.suid_dumpable value
* LOGG-2154 - Adjusted test to search in configuration file correctly
* NETW-3015 - Added support for ip binary
* SQD-3610 - Description of test changed
* SQD-3613 - Corrected description in code
* SSH-7408 - Increased values for MaxAuthRetries
* Improvements to allow tailored tool tips in future
* Corrected detection of blkid binary
* Minor textual changes and cleanups
* Thu Mar 07 2019 rfrohlAATTsuse.com- update to 2.7.2
* Added support for doas (OpenBSD)
* Added test file permissions of doas configuration
* Added support for systemd-boot boot loader
* Added simplify service filter and allow multiple dots in service names
* Added check OpenBSD boot daemons
* Added test permissions for boot files and scripts
* Added support for end-of-life detection of the operating system
* Added new \'lynis show eol\' command
* Multiple changes and improvements
* Fri Feb 01 2019 rfrohlAATTsuse.com- update to 2.7.1
* Improve support for Red Hat and clones
* Additional support for Hands Off!, LuLu, and Radio Silence
* Added MariaDB filter for deleted files (tested on CentOS)
* Added /etc/bash.bashrc.local to umask check
* Removed shift statement that did not work on all operating systems
* Minor cleanups and enhancements
* Small improvements to logging
* Added translation for Slovak
* Sat Oct 27 2018 seanAATTsuspend.net- update to 2.7.0
* added detection of TOMOYO binary (MACF-6240)
* Status of TOMOYO framework updated (MACF-6242)
* OpenSSH server version detected (SSH-7406)
* Check active OSSEC analysis daemon (TOOL-5160)
* Changed several warning labels on screen
* More generic sulogin for systemd rescue (AUTH-9308)
* OS detection now ignores quotes for getting the OS ID
* Tue Oct 09 2018 rfrohlAATTsuse.com- update to 2.6.9
* Man page has been updated
* Command \'lynis show options\' provides up-to-date list
* Option \'--dump-options\' is deprecated
* Several options and commands have been extended with more examples
* OS detection now supports openSUSE specific distribution names
* Changed command output when using \'lynis audit system remote\'
* added /usr/local/redis/etc path and QNAP support
* ignore exception when no vmlinuz file was discovered
* Thu Sep 20 2018 astiegerAATTsuse.com- update to 2.6.8:
* improved parsing of boot parameters to init process
* test all PHP files for expose_php and improved logging
* Docker check now tests also for CMD, ENTRYPOINT, and USER configuration
* Improved display in Docker output for showing which keys are used for signing- includes changes from 2.6.7:
* Added busybox as a service manager
* Limit PAE and no-execute test to AMD64 hardware only
* Ignore /dev/zero and /dev/[aio] as deleted files
* Changed classification of SSH root login with keys
* Docker scan uses new format for maintainer value- includes chagnes from 2.6.6:
* Improved log text about running kernel version
* Under some condition no hostid2 value was reported
* Solved \'extra operand\' issue with tr command
* Wed Jun 27 2018 astiegerAATTsuse.com- update to 2.6.5:
* mail: Exim configuration test
* network: Use FQDN to test status of a nameserver instead of own IP address
* ssh: Improved test to allow configurations with a Match block- includes changes from 2.6.4:
* auth: Made \'sulogin\' more generic for systemd rescue shell
* dns: Initial work on DNSSEC validation testing
* network: Added support for local resolver 127.0.0.53
* php: Suhosin test disbled
* ssh: Removed \'DELAYED\' from OpenSSH Compression setting
* time: Improvements to detect step-tickers file and entries- includes changes from 2.6.3:
* crypt: Do prevalidation for certificates before testing them
* hardening: Enhanced compiler permission test
* name: Improved test to filter out empty lines
* packages: changes to detect yum-utils package and related tooling
* plugins: cron file permissions- includes changes from 2.6.2:
* Textual changes for several tests
* Update of tests database
* Fri Jan 26 2018 astiegerAATTsuse.com- update to 2.6.1:
* New group \'usb\' for tests related to USB devices
* Updated and enhanced tests
* Many bug fixes
* output and UI fixes
* Thu Jun 08 2017 astiegerAATTsuse.com- Lynis 2.5.1:
* Improved detection of SSL certificate files
* Minor changes to improve logging and results
* Firewall tests: Determine if CSF is in testing mode- includes changes from Lynis 2.5.0:
* CVE-2017-8108: symlink attack may have allowed arbitrary file overwrite or privilege escalation (bsc#1043463)
* Deleted unused tests from database file
* Additional sysctls are tested
* Extended test with Symantec components
* Snort detection
* Snort configuration file
* Tue Apr 04 2017 tuukka.pasanenAATTilmi.fi- Lynis 2.4.8 (Changelog from 2.4.1)
* More PHP paths added
* Minor changes to text
* Show atomic test in report
* Added FileInstalledByPackage function (dpkg and rpm supported)
* Mark Arch Linux version as rolling release (instead of unknown)
* Support for Manjaro Linux
* Escape files when testing if they are readable
* Code cleanups
* Allow host alias to be specified in profile
* Code readability enhancements
* Solaris support has been improved
* Fix for upload function to be used from profile
* Reduce screen output for mail section, unless --verbose is used
* Code cleanups and removed \'update release\' command
* Colored output can now be tuned with profile (colors=yes/no)
* Allow data upload to be set as a profile option
* Properly detect SSH daemon version
* Generic code improvements
* Improved the update check and display
* Finish, Portuguese, and Turkish translation
* Extended support and tests for DragonFlyBSD
* Option to configure hostid and hostid2 in profile
* Support for Trend Micro and Cylance (macOS)
* Remove comments at end of nginx configuration
* Used machine ID to create host ID when no SSH keys are available
* Added detection of iptables-save to binaries Tests: BANN-7126 - Added more words to test for CUPS-2308 - Improve logging for CUPS configuration test, removed exception handler HTTP-6641 - Support detection for Apache module mod_reqtimeout PKGS-7388 - Minor change to detect security repositories CRYP-7902 - Test more certificates names, but only if they are not part of a package FILE-7524 - Reduce standard screen output for file permissions check MALW-3280 - Added Avira detection as a malware scanner NAME-4018 - Only perform name services test when resolv.conf file exists PKGS-7387 - Check all repositories if they use GPG signing SCHD-7704 - Permission checks TIME-3104 - Check permissions before open files AUTH-9328 - Add missing 0027 and 0077 umasks BOOT-5104 - Add initsplash and minor code enhancements DBS-1882 - Include Redis configuration file FIRE-4502 - Improved detection for iptables modules when using OpenVZ PKGS-7381 - Enhanced package audit for FreeBSD AUTH-9308 - Improved test for sulogin string (Debian systems) FILE-6372 - Properly deal with comment on lines in /etc/fstab MAIL-8817 - New test to check Postfix configuration for errors SSH-7408 - Corrected SSH check AUTH-9308 - Improved test for sulogin string MAIL-8818 - Test if Linux version is known before comparing in Postfix banner TIME-3116 - Skip stratum 16 items for time pools TIME-3148 - New test to detect TZ variable AUTH-9208 - Removed double logging AUTH-9222 - Improve logging for double groups AUTH-9226 - Improve logging for double groups BOOT-5177 - Sort systemctl unit files to make them unique DBS-1818 - New test to detect MongoDB DBS-1820 - New test for MongoDB authentication FIRE-4512 - Lowered minimum number of iptables firewall rules FIRE-4586 - Fix applied when searching for \"-j LOG\" HRDN-7222 - Changed reporting key of world executable compilers SSH-7408 - Added filtering for PermitRootLogin (prohibit-password, OpenSSH 7.0) FIRE-4586 - Check logging for firewall components KRNL-5788 - Remove exception and style improvements KRNL-5830 - Improved logging
* Fri Nov 04 2016 matthias.gerstnerAATTsuse.com- lynis 2.4.0
* Mainly improved support for macOS users
* Support for CoreOS
* Support for clamconf utility
* Support for chinese translation
* More sysctl values in the default profile
* New commands: \"upload-only\", \"show hostids\", \"show environment\", \"show os\"
* Wed Sep 28 2016 astiegerAATTsuse.com- lynis 2.3.4 with various improvements, including:
* Several tests have extended log details
* Detection of nftables improved
* Replaced cut, sed, tr and others commands with binary variable (for forensics and future intrusion checking capabilities)
* OS detection improved
* Thu Sep 15 2016 astiegerAATTsuse.com- lynis 2.3.3 with many improvements and updates
* Thu May 12 2016 astiegerAATTsuse.com- lynis 2.2.0:
* new features and tests, small enhancements
* optimisation, better detection
* dealing with OS quirks and unexcepted results
* adjustments for supporting more compliance in-depth
* Detection for CFEngine has been improved
* now tries to determine if failed logins are properly logged
* New plugin is introduced to analyze PAM settings
* Initial support to test UEFI settings, including Secure Boot option.
* Support added for Unbound DNS caching tool, configuration check
* Record if a name caching utility is being used like nscd or Unbound.
* Tests chains of iptables and their default policy (ACCEPT or DROP)
* Support upcoming nftables technology (status check)
* Test added to include osqueryd as a supported tool.
* Detection of firewire is enhanced (both ohci and core detected).
* Extended the test syslog-ng logging to remote systems.
* ESET and LMD (Linux Malware Detect) have been added.
* Discovered malware scanners are also logged to the report.
* Eexpanded test for multiple common mount points and define best practice mount flags.
* Best practices for IPv6 configuration on Linux are now collected.
* Collect network interface names from most operating systems.
* Password change test has been extended to both capture minimum and password age.
* Add Proxu support
* SystemV init is now detected.
* Now information will be logged when vulnerable software packages were found.
* Support for DNF (Dandified YUM) for Fedora systems has been added.
* Multiple configuration tests of SSH merged.
* Extend detection of virtual machines (VMware tools)
* Machine state detection with Puppet, Facter, dmidecode, and lscpu
* When using pentest mode, it will continue without any delays (=quick mode).
* Improvements for automatic execution of Lynis
* Upload improvements
* Wed Jul 29 2015 astiegerAATTsuse.com- lynis 2.1.1:
* performance improvements
* additional support for Linux distributions and external utilities
* Apache module directory /usr/lib64/apache has been added, which is used on openSUSE.
* various other improvements and bug fixes- update patches for contect changes: lynis_1.3.1_include_consts.diff, lynis_1.3.5_lynis.diff
* Tue May 12 2015 astiegerAATTsuse.com- lynis 2.1.0:
* Screen output has been improved to provide additional information.
* Core dump check on Linux is extended to check for actual values as well.
* Software: + McAfee detection has been extended by detecting a running cma binary. + Security patch checking with zypper extended.
* Session timeout: + Tests to determine shell time out setting have been extended + determine also if variable is exported as a readonly variable. + Related compliance section PCI DSS 8.1.8 has been extended.- includes changes from Lynis 2.0.0:
* New feature: helpers
* docker build file audit helper
* Improved OS support
* support systemd, docker, nftables
* New parameters: + --dump-options (see all options) + --report-file (define a different location for the report file)- use tarball supplied default.prf- clean or silence rpmlint warnings
* Tue Feb 17 2015 astiegerAATTsuse.com- lynis 1.6.4:
* New: + Boot loader detection for AIX + Detection of getcap and lsvg binary + Added filesystem_ext to report + Detect rootsh
* Changes: + Hide errors when RPM database is faulty and show suggestion instead + Allow OpenBSD to gather information on listening network ports + Don\'t trigger warning for Shellshock when doing segfault test + Do not run Apache test on OpenBSD and strip control chars + Extended AIDE test with configuration validation test + Improved Shellshock test regarding non-Linux support + Added support for gathering volume groups on AIX + Properly parse PAM lines and add them to report + Support for boot loader detection on OpenBSD + Added uptime detection for OpenBSD systems + Support for volume groups on AIX + Redirect errors when searching for readlink binary- includes changes from 1.6.3:
* New: + Added tests for Shellshock bash vulnerability + Added test to determine if Snoopy is used + New test for qdaemon configuration file + Test for GRUB boot loader password + New test for qdaemon printer jobs + Added ClamXav test for Mac OS X + Gentoo vulnerable packages test + New test for qdaemon status + Gentoo package listing + Running Lynis without root permissions will start non-privileged scan + Systemd service and timer example file added + Added grub2-install to binaries
* Changes: + Adjustments so insecure SSL protocols are detected in nginx config + Directories will be skipped when searching for nginx log files + Only gather unique name servers from /etc/resolv.conf + Properly detect mod_evasive on Gentoo and others + Improved swap partition detection in /etc/fstab + Improvements to kernel detection (e.g. Gentoo) + Test for built-in security options in YUM + Improved boot loader detection for GRUB2 + Split GRUB test into two tests + Added Mac OS uptime check + Improved GetHostID function for systems having only ip binary + Improved testing for symlinked binary directories + Minor adjustments to log output + Renamed dev directory to extras- verify source signature- adjust permissions of items in /usr/share/lynis/include/consts to match those requested by main executable- run spec_cleaner
* Sun Nov 16 2014 ledestAATTgmail.com- fix bashisms in scripts