What's new in Lynis 1.4.3
Feb 24, 2014
- New:
- Support for the dntpd time daemon
- New Apache test for modules [HTTP-6632]
- Apache test for mod_evasive [HTTP-6640]
- Apache test for mod_qos [HTTP-6641]
- Apache test for mod_spamhaus [HTTP-6642]
- Apache test for ModSecurity [HTTP-6643]
- Check for installed package audit tool [PKGS-7398]
- Added initial support for new pkgng and related tools [PKGS-7381]
- Check for ssh-keyscan binary
- ZFS support for FreeBSD [FILE-6330]
- Test for passwordless accounts [AUTH-9283]
- Initial OS support for DragonFly BSD
- Initial OS support for TrueOS (FreeBSD based)
- Initial OS support for elementary OS (Luna)
- GetHostID for DragonFly, FreeBSD, NetBSD and OpenBSD
- Check for DHCP client [NETW-3030]
- Initial support for OSSEC (system integrity) [FINT-4328]
- New parameter --log-file to adjust log file location
- New function IsRunning() to check status of processes
- New function RealFilename() to determine file name
- New function CheckItem() for parsing files
- New function ReportManual() and ReportException() to simplify code
- New function DirectoryExists() to check existence of a directory
- Support for dntpd [TIME-3104]
- Changes:
- Extended pf checks for FreeBSD/OpenBSD and others [FIRE-4518]
- Extended test to gather listening network ports for Linux [NETW-3012]
- Adjusted lsof statement to ignore warnings (e.g. fuse) [LOGG-2180] [LOGG-2190]
- Added suggestion for discovered shells on FreeBSD [AUTH-9218]
- Extended core dump test with additional details [KRNL-5820]
- Properly display suggestion if portaudit is not installed [PKGS-7382]
- Ignore message if no packages are installed (pkg_info) [PKGS-7320]
- Also try using apt-check on Debian systems [PKGS-7392]
- Adjusted logging for RPM binary on systems not using it [PKGS-7308]
- Extended search in cron directories for rdate/ntpdate [TIME-3104]
- Adjusted PHP check to find ini files [PHP-2211]
- Skip Apache test for NetBSD [HTTP-6622]
- Skip test http version check for NetBSD [HTTP-6624]
- Additional check to suppress sort error [HTTP-6626]
- Improved the way binaries are checked (less disk reads)
- Adjusted ReportWarning() function to skip impact rating
- Improved report on screen by leaving out date/time and type
- Redirect errors while checking for OpenSSL version
- Extended reporting with firewall status and software
- Adjusted naming of some operating systems to make them more consistent
- Extended update check by using host binary if dig is not installed
- Count number of installed binaries/packages and report them
- Report about log rotation tool and status
- Updated man page
New in Lynis 1.4.2 (Feb 20, 2014)
- New:
- Support for the dntpd time daemon
- New Apache test for modules [HTTP-6632]
- Apache test for mod_evasive [HTTP-6640]
- Apache test for mod_qos [HTTP-6641]
- Apache test for mod_spamhaus [HTTP-6642]
- Apache test for ModSecurity [HTTP-6643]
- Check for installed package audit tool [PKGS-7398]
- Added initial support for new pkgng and related tools [PKGS-7381]
- Check for ssh-keyscan binary
- ZFS support for FreeBSD [FILE-6330]
- Test for passwordless accounts [AUTH-9283]
- Initial OS support for DragonFly BSD
- Initial OS support for TrueOS (FreeBSD based)
- Initial OS support for elementary OS (Luna)
- GetHostID for DragonFly, FreeBSD, NetBSD and OpenBSD
- Check for DHCP client [NETW-3030]
- Initial support for OSSEC (system integrity) [FINT-4328]
- New parameter --log-file to adjust log file location
- New function IsRunning() to check status of processes
- New function RealFilename() to determine file name
- New function CheckItem() for parsing files
- New function ReportManual() and ReportException() to simplify code
- New function DirectoryExists() to check existence of a directory
- Support for dntpd [TIME-3104]
- Changes:
- Extended pf checks for FreeBSD/OpenBSD and others [FIRE-4518]
- Extended test to gather listening network ports for Linux [NETW-3012]
- Adjusted lsof statement to ignore warnings (e.g. fuse) [LOGG-2180] [LOGG-2190]
- Added suggestion for discovered shells on FreeBSD [AUTH-9218]
- Extended core dump test with additional details [KRNL-5820]
- Properly display suggestion if portaudit is not installed [PKGS-7382]
- Ignore message if no packages are installed (pkg_info) [PKGS-7320]
- Also try using apt-check on Debian systems [PKGS-7392]
- Adjusted logging for RPM binary on systems not using it [PKGS-7308]
- Extended search in cron directories for rdate/ntpdate [TIME-3104]
- Adjusted PHP check to find ini files [PHP-2211]
- Skip Apache test for NetBSD [HTTP-6622]
- Skip test http version check for NetBSD [HTTP-6624]
- Additional check to suppress sort error [HTTP-6626]
- Improved the way binaries are checked (less disk reads)
- Adjusted ReportWarning() function to skip impact rating
- Improved report on screen by leaving out date/time and type
- Redirect errors while checking for OpenSSL version
- Extended reporting with firewall status and software
- Adjusted naming of some operating systems to make them more consistent
- Extended update check by using host binary if dig is not installed
- Count number of installed binaries/packages and report them
- Report about log rotation tool and status
- Updated man page
New in Lynis 1.4.1 (Feb 15, 2014)
- New:
- Support for the dntpd time daemon
- New Apache test for modules [HTTP-6632]
- Apache test for mod_evasive [HTTP-6640]
- Apache test for mod_qos [HTTP-6641]
- Apache test for mod_spamhaus [HTTP-6642]
- Apache test for ModSecurity [HTTP-6643]
- Check for installed package audit tool [PKGS-7398]
- Added initial support for new pkgng and related tools [PKGS-7381]
- Check for ssh-keyscan binary
- ZFS support for FreeBSD [FILE-6330]
- Test for passwordless accounts [AUTH-9283]
- Initial OS support for DragonFly BSD
- Initial OS support for TrueOS (FreeBSD based)
- Initial OS support for elementary OS (Luna)
- GetHostID for DragonFly, FreeBSD, NetBSD and OpenBSD
- Check for DHCP client [NETW-3030]
- Initial support for OSSEC (system integrity) [FINT-4328]
- New parameter --log-file to adjust log file location
- New function IsRunning() to check status of processes
- New function RealFilename() to determine file name
- New function CheckItem() for parsing files
- New function ReportManual() and ReportException() to simplify code
- New function DirectoryExists() to check existence of a directory
- Support for dntpd [TIME-3104]
- Changes:
- Extended pf checks for FreeBSD/OpenBSD and others [FIRE-4518]
- Extended test to gather listening network ports for Linux [NETW-3012]
- Adjusted lsof statement to ignore warnings (e.g. fuse) [LOGG-2180] [LOGG-2190]
- Added suggestion for discovered shells on FreeBSD [AUTH-9218]
- Extended core dump test with additional details [KRNL-5820]
- Properly display suggestion if portaudit is not installed [PKGS-7382]
- Ignore message if no packages are installed (pkg_info) [PKGS-7320]
- Also try using apt-check on Debian systems [PKGS-7392]
- Adjusted logging for RPM binary on systems not using it [PKGS-7308]
- Extended search in cron directories for rdate/ntpdate [TIME-3104]
- Adjusted PHP check to find ini files [PHP-2211]
- Skip Apache test for NetBSD [HTTP-6622]
- Skip test http version check for NetBSD [HTTP-6624]
- Additional check to suppress sort error [HTTP-6626]
- Improved the way binaries are checked (less disk reads)
- Adjusted ReportWarning() function to skip impact rating
- Improved report on screen by leaving out date/time and type
- Redirect errors while checking for OpenSSL version
- Extended reporting with firewall status and software
- Adjusted naming of some operating systems to make them more consistent
- Extended update check by using host binary if dig is not installed
- Count number of installed binaries/packages and report them
- Report about log rotation tool and status
- Updated man page
New in Lynis 1.4.0 (Jan 29, 2014)
- This version adds several improvements to support AIX better, hostid creation, ignoring of the LANG value, and extension of a few tests.
New in Lynis 1.3.9 (Jan 10, 2014)
- New:
- Support for the dntpd time daemon
- New Apache test for modules [HTTP-6632]
- Apache test for mod_evasive [HTTP-6640]
- Apache test for mod_qos [HTTP-6641]
- Apache test for mod_spamhaus [HTTP-6642]
- Apache test for ModSecurity [HTTP-6643]
- Check for installed package audit tool [PKGS-7398]
- Added initial support for new pkgng and related tools [PKGS-7381]
- Check for ssh-keyscan binary
- ZFS support for FreeBSD [FILE-6330]
- Test for passwordless accounts [AUTH-9283]
- Initial OS support for DragonFly BSD
- Initial OS support for TrueOS (FreeBSD based)
- Initial OS support for elementary OS (Luna)
- GetHostID for DragonFly, FreeBSD, NetBSD and OpenBSD
- Check for DHCP client [NETW-3030]
- Initial support for OSSEC (system integrity) [FINT-4328]
- New parameter --log-file to adjust log file location
- New function IsRunning() to check status of processes
- New function RealFilename() to determine file name
- New function CheckItem() for parsing files
- New function ReportManual() and ReportException() to simplify code
- New function DirectoryExists() to check existence of a directory
- Support for dntpd [TIME-3104]
- Changes:
- Extended pf checks for FreeBSD/OpenBSD and others [FIRE-4518]
- Extended test to gather listening network ports for Linux [NETW-3012]
- Adjusted lsof statement to ignore warnings (e.g. fuse) [LOGG-2180] [LOGG-2190]
- Added suggestion for discovered shells on FreeBSD [AUTH-9218]
- Extended core dump test with additional details [KRNL-5820]
- Properly display suggestion if portaudit is not installed [PKGS-7382]
- Ignore message if no packages are installed (pkg_info) [PKGS-7320]
- Also try using apt-check on Debian systems [PKGS-7392]
- Adjusted logging for RPM binary on systems not using it [PKGS-7308]
- Extended search in cron directories for rdate/ntpdate [TIME-3104]
- Adjusted PHP check to find ini files [PHP-2211]
- Skip Apache test for NetBSD [HTTP-6622]
- Skip test http version check for NetBSD [HTTP-6624]
- Additional check to suppress sort error [HTTP-6626]
- Improved the way binaries are checked (less disk reads)
- Adjusted ReportWarning() function to skip impact rating
- Improved report on screen by leaving out date/time and type
- Redirect errors while checking for OpenSSL version
- Extended reporting with firewall status and software
- Adjusted naming of some operating systems to make them more consistent
- Extended update check by using host binary if dig is not installed
- Count number of installed binaries/packages and report them
- Report about log rotation tool and status
- Updated man page
New in Lynis 1.3.8 (Dec 27, 2013)
- This version adds a new parameter (--view-categories), eight new tests, and several improvements to existing tests and functions.
New in Lynis 1.3.6 (Dec 4, 2013)
- New:
- Support for the dntpd time daemon
- New Apache test for modules [HTTP-6632]
- Apache test for mod_evasive [HTTP-6640]
- Apache test for mod_qos [HTTP-6641]
- Apache test for mod_spamhaus [HTTP-6642]
- Apache test for ModSecurity [HTTP-6643]
- Check for installed package audit tool [PKGS-7398]
- Added initial support for new pkgng and related tools [PKGS-7381]
- Check for ssh-keyscan binary
- ZFS support for FreeBSD [FILE-6330]
- Test for passwordless accounts [AUTH-9283]
- Initial OS support for DragonFly BSD
- Initial OS support for TrueOS (FreeBSD based)
- Initial OS support for elementary OS (Luna)
- GetHostID for DragonFly, FreeBSD, NetBSD and OpenBSD
- Check for DHCP client [NETW-3030]
- Initial support for OSSEC (system integrity) [FINT-4328]
- New parameter --log-file to adjust log file location
- New function IsRunning() to check status of processes
- New function RealFilename() to determine file name
- New function CheckItem() for parsing files
- New function ReportManual() and ReportException() to simplify code
- New function DirectoryExists() to check existence of a directory
- Support for dntpd [TIME-3104]
- Changes:
- Extended pf checks for FreeBSD/OpenBSD and others [FIRE-4518]
- Extended test to gather listening network ports for Linux [NETW-3012]
- Adjusted lsof statement to ignore warnings (e.g. fuse) [LOGG-2180] [LOGG-2190]
- Added suggestion for discovered shells on FreeBSD [AUTH-9218]
- Extended core dump test with additional details [KRNL-5820]
- Properly display suggestion if portaudit is not installed [PKGS-7382]
- Ignore message if no packages are installed (pkg_info) [PKGS-7320]
- Also try using apt-check on Debian systems [PKGS-7392]
- Adjusted logging for RPM binary on systems not using it [PKGS-7308]
- Extended search in cron directories for rdate/ntpdate [TIME-3104]
- Adjusted PHP check to find ini files [PHP-2211]
- Skip Apache test for NetBSD [HTTP-6622]
- Skip test http version check for NetBSD [HTTP-6624]
- Additional check to suppress sort error [HTTP-6626]
- Improved the way binaries are checked (less disk reads)
- Adjusted ReportWarning() function to skip impact rating
- Improved report on screen by leaving out date/time and type
- Redirect errors while checking for OpenSSL version
- Extended reporting with firewall status and software
- Adjusted naming of some operating systems to make them more consistent
- Extended update check by using host binary if dig is not installed
- Count number of installed binaries/packages and report them
- Report about log rotation tool and status
- Updated man page
New in Lynis 1.3.5 (Nov 20, 2013)
- New:
- OS detection for Mageia Linux, PCLinuxOS, Sabayon Linux and Scientific Linux
- Added some initial systemd support (e.g. boot services)
- Test to display if any known MAC framework is implemented [MACF-6290]
- Changes:
- Improved support for Slackware Linux (OS and version detection)
- Added systemd support (boot and running services) for Linux systems [BOOT-5177]
- Added systemd support (default runlevel) for Linux systems [KRNL-5622]
- Extended USB storage check in modprobe.d directory [STRG-1840]
- Improved output, reporting and check for kernel update [KRNL-5788]
- Optimized code and output of test to check writable scripts [BOOT-5184]
- Fixed detection for writable scripts [BOOT-5184]
- Improved detection of IPv6 addresses for Slackware and others [NETW-3008]
- Minor addition to SSH PermitRootLogin check [SSH-7412]
- Extended cronjob tests, reporting and logging [SCHD-7704]
- Extended umask check in /etc/profile [AUTH-9328]
- Added suggestion about BIND version [NAME-4210]
- Merged NTP daemon test TIME-3108 into TIME-3104
- Improved support for Arch Linux (output, detection)
- Extended common list of directories with SSL certificates in profile
- New function GetHostID() to determine a unique identifier of the machine
- Added a tests_custom file template
- Perform file permissions test on tests_custom file
- Improved OS detection and extended logging on several tests
- Several layout improvements
- Extended update check functions and output
- Cleaned up reporting and extended it with exceptions
New in Lynis 1.3.4 (Nov 9, 2013)
- This version adds OS detection support for Arch Linux and the systemd journal.
- It also improves several checks so the results are improved, including screen output.
New in Lynis 1.3.3 (Oct 25, 2013)
- This version has improved support for NTP time syncing (client or daemon) and improved tests for empty shells on FreeBSD.
- Logging has been extended and small corrections have been made.
New in Lynis 1.3.2 (Oct 10, 2013)
- New:
- Test for PowerDNS authoritative servers (master/slave status) [NAME-4238]
- Changes:
- CUPS test extended with hardening rules [PRNT-2308]
- Added hardening points to sticky bit on /tmp [FILE-6362]
- Extended Ubuntu security packages check [PKGS-7392]
- Improved update check, show when no check is performed
- Added additional check for binaries, so checks on CentOS work correctly
- Added word 'restricted' to banner strings
- Adjusted wording for Debian packages purge [PKGS-7346]
- Corrected listing of purgeable packages [PKGS-7346]
- Adjusted yum-plugin-security check due to package changes [PKGS-7386]
New in Lynis 1.3.1 (Oct 4, 2013)
- Updated generic references in files
- Fixed detection of several binaries (AFICK/awk)
- Performance tweaks when checking for binaries
- Fixed core dump check and dumpable sysctl [KRNL-5820]
- Force test to always check for binaries [FILE-7502]
- Changed detection to egrep [DBS-1840]
- Adjusted variable checking for Solaris [HOME-9310]
- Adjusted search in modprobe directory [STRG-1840] [STRG-1846]
New in Lynis 1.3.0 (Dec 26, 2011)
- Some tests have been extended and a few new ones have been added to this release.
- There are also improvements for the screen output and logging.
New in Lynis 1.2.6 (Apr 6, 2009)
- New:
- Sudoers file permissions check [AUTH-9252]
- Core dumps configuration check for Linux [KRNL-5820]
- PHP disabled functions check [PHP-2320]
- PHP enable_dl function check [PHP-2374]
- PHP allow_url_fopen function check [PHP-2376]
- OpenBSD smtpd status check [MAIL-8920]
- /etc/issue check [BANN-7124]
- /etc/issue legal keywords check [BANN-7126]
- Show suggestions in report
- Changes:
- Extended support for Red Hat, CentOS and Fedora
- Extended ACL test to test for default mount options as well [FILE-6368]
- Exim status test fixed [MAIL-8812]
- Corrected yum security check [PKGS-7386]
- Replaced LDAP test AUTH-9238 with [AUTH-9402]
- Removed backquotes when locate database is not available [FILE-6410]
- Added /etc/openldap to search path for OpenLDAP
- Fixed typo in crontab path [SCHD-7704]
- Don't show message "No volume groups found" if LVM isn't used [FILE-6310]
- Corrected Syslog-NG status [LOGG-2132]
- Moved TODO to dev directory
New in Lynis 1.2.5 (Mar 27, 2009)
- New:
- slapd.conf check [LDAP-2224]
- atd status test [SCHD-7718]
- Check LDAP module in PAM [AUTH-9278]
- Dovecot status check [MAIL-8838]
- Check log directories from newsyslog.conf [LOGG-2162]
- Check log directories from static list [LOGG-2170]
- Check log directories from logrotate configuration [LOGG-2150]
- syslog check for remote logging [LOGG-2154]
- Open log files check [LOGG-2180]
- Deleted file check [LOGG-2190]
- Solaris active kernel modules check [KRNL-5770]
- Solaris audit daemon status check [ACCT-9650]
- Solaris audit daemon service status [ACCT-9652]
- Solaris audit daemon BSM check [ACCT-9654]
- Solaris audit logging location check [ACCT-9662]
- Solaris audit statistics check [ACCT-9672]
- Check for installed compiler [HRDN-7202]
- BIND process check [NAME-4202]
- BIND configuration file check [NAME-4204]
- BIND configuration consistency check [NAME-4206]
- BIND version check via DNS [NAME-4210]
- Default domain check (/etc/resolv.conf) [NAME-4016]
- Search domains in /etc/resolv.conf check [NAME-4018]
- Parse /etc/resolv.conf options [NAME-4020]
- Solaris /etc/nodename check [NAME-4026]
- DNS domain checks [NAME-4028]
- NSCD status check [NAME-4032]
- PowerDNS presence check [NAME-4230]
- PowerDNS configuration file check [NAME-4232]
- PowerDNS backend check [NAME-4236]
- ypbind status check [NAME-4302]
- Log specific defined SSH daemon options [SSH-7408]
- SSH protocol version check [SSH-7414]
- NIS domain checks [NAME-4304]
- Check pending at jobs [SCHD-7724]
- LVM volume group scan [FILE-6310]
- LVM volumes check [FILE-6312]
- Locate database check [FILE-6410]
- nginx configuration file check [HTTP-6704]
- Exim status check [MAIL-8802]
- Postfix status check [MAIL-8814]
- Changes:
- atd needs to run before testing at files [SCHD-7720]
- Removed Solaris OS requirement from logrotate test [LOGG-2148]
- Sanitized output from logrotate test [LOGG-2148]
- Skip comment fields in loghost check [LOGG-2152]
- Changed auditd tests to Linux only
- Binary scan optimized and partially combined with other check
- Only perform iptables tests if kernel module is active
- Don't show message when /etc/shells can't be found [SHLL-6211]
- Check /var/spool/cron/crontabs first, if it exists [SCHD-7704]
- Renumbered FreeBSD test SHLL-7225 [SHLL-6202]
- Renumbered malware test MALW-3292 [HRDN-7230]
- Improved grep on process status [PRNT-2304]
- Ignore comment lines for nginx log file check [HTTP-6720]
- Added file check for nginx log files [HTTP-6720]
- Display IP addresses only of NTP tests [TIME-3124]
- Fixed Postfix configuration directory path [MAIL-8816]
- Redirected output of yum package duplicate check [PKGS-7384]
- Ignore comment lines for lilo test [BOOT-5139]
- Fixed incorrect iptables status and correct logging [FIRE-4511]
- Check SNMP configuration only if SNMP daemon runs [SNMP-3304]
- Don't scan PAM directories which are symlinks [AUTH-9268]
- Changed hardening category to hardening_tools
- Adjusted hardening points of several tests
- Log and display improvements for several tests
New in Lynis 1.2.4 (Mar 17, 2009)
- This release adds more than 30 new tests, including NTP, auditd, PAM, NFS and ClamAV.
- It introduces several new features (i.e. hardening index), parameters (i.e. --tests-category), and some small bugfixes.
- Screen output on Solaris has been improved.
New in Lynis 1.2.3 (Mar 2, 2009)
- This release contains many new tests, like status checks for Syslog-NG, klogd, and minilogd. Several inetd and logging tests have been added.
- Two new categories (Insecure services and SNMP) are included, and several problems related to Solaris have been fixed.
New in Lynis 1.2.2 (Feb 15, 2009)
- This release brings support for MySQL (client) and several new tests including MySQL, sysstat, and SSH.
- It also contains adjusted tests, bugfixes, and minor improvements like screen and log file output.
New in Lynis 1.2.1 (Sep 7, 2008)
- This release adds support for SELinux, Samba, PAM, and password expire checks.
- A new option (--tests) is available to run specific audit tests only.
- Besides the new additions, lots of small issues were solved.
- Logging, reporting, and screen output were improved.
New in Lynis 1.2.0 (Aug 27, 2008)
- This release adds 8 new tests (a Solaris password test, and support for AFICK, AIDE, Osiris, Samhain, Tripwire, NIS, and NIS authentication).
- PID file handling and logging are improved, some tests were slightly rewritten, and a man page check has been added when using --view-manpage.