Releases: CISOfy/lynis
Releases · CISOfy/lynis
Lynis 3.0.9
Lynis 3.0.9 (2023-08-03)
Changed
- DBS-1820 - Added newer style format for Mongo authorization setting
- FILE-6410 - Locations added for plocate
- SSH-7408 - Only test Compression if sshd version < 7.4
- Improved fetching timestamp
- Minor changes such as typos
Lynis 3.0.8
Added
- MALW-3274 - Detect McAfee VirusScan Command Line Scanner
- PKGS-7346 Check Alpine Package Keeper (apk)
- PKGS-7395 Check Alpine upgradeable packages
- EOL for Alpine Linux 3.14 and 3.15
Changed
- AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
- FILE-7524 - Test enhanced to support symlinks
- HTTP-6643 - Support ModSecurity version 2 and 3
- KRNL-5788 - Only run relevant tests and improved logging
- KRNL-5820 - Additional path for security/limits.conf
- KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
- KRNL-5830 - Add a presence check for /boot/vmlinuz
- PRNT-2308 - Bugfix that prevented test from storing values correctly
- Extended location of PAM files for AARCH64
- Some messages in log improved
Lynis 3.0.7
Lynis 3.0.7 (2022-01-18)
Added
- MALW-3290 - Show status of malware components
- OS detection for RHEL 6 and Funtoo Linux
- Added service manager openrc
Changed
- DBS-1804 - Added alias for MariaDB
- FINT-4316 - Support for newer Ubuntu versions
- MALW-3280 - Added Trend Micro malware agent
- NETW-3200 - Allow unknown number of spaces in modprobe blacklists
- PKGS-7320 - Support for Garuda Linux and arch-audit
- Several improvements for busybox shell
- Russian translation of Lynis extended
Lynis 3.0.6
Lynis 3.0.6 (2021-07-22)
Added
- OS detection: Artix Linux, macOS Monterey, NethServer, openSUSE MicroOS
- Check for outdated translation files
Changed
- DBS-1826 - Check if PostgreSQL is being used
- DBS-1828 - Test multiple PostgreSQL configuration file(s)
- KRNL-5830 - Sort kernels by version instead of modification date
- PKGS-7410 - Don't show exception for systems using LXC
- GetHostID function: fallback options added for Linux systems
- Fix: macOS Big Sur detection
- Fix: show correct text when egrep is missing
- Fix: variable name for PostgreSQL
- German and Spanish translations extended
Lynis 3.0.5
Lynis 3.0.5 (2021-07-02)
Added
- OS detection of Arch Linux 32, BunsenLabs Linux, and Rocky Linux
- CRYP-8006 - Check MemoryOverwriteRequest bit to protect against cold-boot attacks (Linux)
Changed
- ACCT-9622 - Corrected typo
- HRDN-7231 - When calling wc, use the short -l flag instead of --lines (Busybox compatibility)
- PKGS-7320 - extended to Arch Linux 32
- Generation of host identifiers (hostid/hostid2) extended
- Linux host identifiers are now using ip as preferred input source
- Improved logging in several areas
Lynis 3.0.4
Lynis 3.0.4 (2021-05-11)
Added
- ACCT-9670 - Detection of cmd tooling
- ACCT-9672 - Test cmd configuration file
- BOOT-5140 - Check for ELILO boot loader presence
- OS detection of AlmaLinux, Garuda Linux, Manjaro (ARM), and others
Changed
- BOOT-5104 - Add service manager detection support for runit
- FILE-6430 - Report suggestion only when at least one kernel module is not in the blacklist
- FIRE-4540 - Corrected nftables empy ruleset test
- LOGG-2138 - Do not check for klogd when metalog is being used
- TIME-3185 - Improved support for Debian stretch
- Corrected issue when Lynis is not executed directly from lynis directory
Lynis 3.0.3
Lynis 3.0.3 (2021-01-07)
Added
- HRDN-7231 - Check for registered non-native binary formats
- OS detection of Parrot GNU/Linux
Changed
- DBS-1816 - Force test to check only password authentication
- KRNL-5677 - Support for NetBSD
- Bugfix: command 'configure settings' did not work as intended
Lynis 3.0.2
Lynis 3.0.2 (2020-12-24)
Added
- AUTH-9284 - Scan for locked user accounts in /etc/passwd
- LOGG-2153 - Loghost configuration
- TOOL-5130 - Check for active Suricata daemon
- OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS
- OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others
- EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11
- Support for Solaris svcs (service manager)
- Enumeration of Solaris services
Changed
- ACCT-9626 - Detect sysstat systemd unit
- AUTH-9230 - Only fail if both SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are undefined
- BOOT-5184 - Support for Solaris
- KRNL-5830 - Improved reboot test by ignoring known bad values
- KRNL-5830 - Ignore rescue kernel such as on CentOS systems
- KRNL-5830 - Detection of Alpine Linux kernel
- NETW-2400 - Compatibility change for hostname check
- NETW-3012 - Support for Solaris
- PKGS-7410 - Don't show exception if no kernels were found on the disk
- TIME-3185 - Supports now checking files at multiple locations (systemd)
- ParseNginx function: Support include on absolute paths
- ParseNginx function: Ignore empty included wildcards
- Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
- HostID: Use first e1000 interface and break after match
- Translations extended and updated
- Test if pgrep exists before using it
- Better support for busybox shell
- Small code enhancements
Lynis 3.0.1
Lynis 3.0.1 (2020-10-05)
Added
- Detection of Alpine Linux
- Detection of CloudLinux
- Detection of Kali Linux
- Detection of Linux Mint
- Detection of macOS Big Sur (11.0)
- Detection of Pop!_OS
- Detection of PHP 7.4
- Malware detection tool: Microsoft Defender ATP
- New flag: --slow-warning to allow tests more time before showing a warning
- Test TIME-3185 to check systemd-timesyncd synchronized time
- rsh host file permissions
Changed
- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions
- BOOT-5122 - Presence check for grub.d added
- CRYP-7902 - Added support for certificates in DER format
- CRYP-7931 - Added data to report
- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
- FILE-6430 - Don't grep nonexistant modprobe.d files
- FIRE-4535 - Set initial firewall state
- INSE-8312 - Corrected text on screen
- KRNL-5728 - Handle zipped kernel configuration correctly
- KRNL-5830 - Improved version detection for non-symlinked kernel
- MALW-3280 - Extended detection of BitDefender
- TIME-3104 - Find more time synchronization commands
- TIME-3182 - Corrected detection of time peers
- Fix: hostid generation routine would sometimes show too short IDs
- Fix: language detection
- Generic improvements for macOS
- German translation updated
- End-of-life database updated
- Several minor code enhancements