Lynis 3.0.3

Lynis 3.0.3 (2021-01-07)

Added

• HRDN-7231 - Check for registered non-native binary formats
• OS detection of Parrot GNU/Linux

Changed

• DBS-1816 - Force test to check only password authentication
• KRNL-5677 - Support for NetBSD
• Bugfix: command 'configure settings' did not work as intended

Lynis 3.0.2

Lynis 3.0.2 (2020-12-24)

Added

• AUTH-9284 - Scan for locked user accounts in /etc/passwd
• LOGG-2153 - Loghost configuration
• TOOL-5130 - Check for active Suricata daemon
• OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS
• OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others
• EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11
• Support for Solaris svcs (service manager)
• Enumeration of Solaris services

Changed

• ACCT-9626 - Detect sysstat systemd unit
• AUTH-9230 - Only fail if both SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are undefined
• BOOT-5184 - Support for Solaris
• KRNL-5830 - Improved reboot test by ignoring known bad values
• KRNL-5830 - Ignore rescue kernel such as on CentOS systems
• KRNL-5830 - Detection of Alpine Linux kernel
• NETW-2400 - Compatibility change for hostname check
• NETW-3012 - Support for Solaris
• PKGS-7410 - Don't show exception if no kernels were found on the disk
• TIME-3185 - Supports now checking files at multiple locations (systemd)
• ParseNginx function: Support include on absolute paths
• ParseNginx function: Ignore empty included wildcards
• Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
• HostID: Use first e1000 interface and break after match
• Translations extended and updated
• Test if pgrep exists before using it
• Better support for busybox shell
• Small code enhancements

Lynis 3.0.1

Lynis 3.0.1 (2020-10-05)

Added

• Detection of Alpine Linux
• Detection of CloudLinux
• Detection of Kali Linux
• Detection of Linux Mint
• Detection of macOS Big Sur (11.0)
• Detection of Pop!_OS
• Detection of PHP 7.4
• Malware detection tool: Microsoft Defender ATP
• New flag: --slow-warning to allow tests more time before showing a warning
• Test TIME-3185 to check systemd-timesyncd synchronized time
• rsh host file permissions

Changed

• AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions
• BOOT-5122 - Presence check for grub.d added
• CRYP-7902 - Added support for certificates in DER format
• CRYP-7931 - Added data to report
• CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
• FILE-6430 - Don't grep nonexistant modprobe.d files
• FIRE-4535 - Set initial firewall state
• INSE-8312 - Corrected text on screen
• KRNL-5728 - Handle zipped kernel configuration correctly
• KRNL-5830 - Improved version detection for non-symlinked kernel
• MALW-3280 - Extended detection of BitDefender
• TIME-3104 - Find more time synchronization commands
• TIME-3182 - Corrected detection of time peers
• Fix: hostid generation routine would sometimes show too short IDs
• Fix: language detection
• Generic improvements for macOS
• German translation updated
• End-of-life database updated
• Several minor code enhancements

Lynis 3.0.0

Major release with security fixes. See CHANGELOG for all details.

Lynis 2.7.5

Lynis 2.7.5 (2019-06-24)

Added

• Danish translation
• Slackware end-of-life information
• Detect BSD-style (rc.d) init in Linux systems
• Detection of Bro and Suricata (IDS)

Changed

• Corrected end-of-life entries for CentOS 5 and 6
• AUTH-9204 - change name to check in /etc/passwd file for QNAP devices
• AUTH-9268 - AIX enhancement to use correct find statement
• FILE-6310 - Filter on correct field for AIX
• NETW-3012 - set ss command as preferred option for Linux and changed output format
• List of PHP ini file locations has been extended
• Removed several pieces of the code as part of cleanup and code health
• Extended help

Lynis 2.7.4

Lynis 2.7.4 (2019-04-21)

This is a bigger release than usual, including several new tests created by
Capashenn (GitHub). It is a coincidence that it is released exactly one month
after the previous version and on Easter. No easter eggs, only improvements!

Added

• FILE-6324 - Discover XFS mount points
• INSE-8000 - Installed inetd package
• INSE-8100 - Installed xinetd package
• INSE-8102 - Status of xinet daemon
• INSE-8104 - xinetd configuration file
• INSE-8106 - xinetd configuration for inactive daemon
• INSE-8200 - Usage of TCP wrappers
• INSE-8300 - Presence of rsh client
• INSE-8302 - Presence of rsh server
• Detect equery binary detection
• New 'generate' command

Changed

• AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
• PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
• PKGS-7420 - Detect toolkit to automatically download and apply upgrades
• PKGS-7328 - Added global Zypper option --non-interactive
• PKGS-7330 - Added global Zypper option --non-interactive
• PKGS-7386 - Only show warning when vulnerable packages were discovered
• PKGS-7392 - Skip test for Zypper-based systems
• Minor changes to improve text output, test descriptions, and logging
• Changed CentOS identifiers in end-of-life database
• AIX enhancement for IsRunning function
• Extended PackageIsInstalled function
• Improve text output on AIX systems
• Corrected lsvg binary detection

Lynis 2.7.3

Lynis 2.7.3 (2019-03-21)

Added

• Detection for Lynis being scheduled (e.g. cronjob)

Changed

• HTTP-6624 - Improved logging for test
• KRNL-5820 - Changed color for default fs.suid_dumpable value
• LOGG-2154 - Adjusted test to search in configuration file correctly
• NETW-3015 - Added support for ip binary
• SQD-3610 - Description of test changed
• SQD-3613 - Corrected description in code
• SSH-7408 - Increased values for MaxAuthRetries
• Improvements to allow tailored tool tips in future
• Corrected detection of blkid binary
• Minor textual changes and cleanups

Lynis 2.7.2

Lynis 2.7.2 (2019-03-07)

Added

• AUTH-9409 - Support for doas (OpenBSD)
• AUTH-9410 - Test file permissions of doas configuration
• BOOT-5117 - Support for systemd-boot boot loader added
• BOOT-5177 - Simplify service filter and allow multiple dots in service names
• BOOT-5262 - Check OpenBSD boot daemons
• BOOT-5263 - Test permissions for boot files and scripts
• Support for end-of-life detection of the operating system
• New 'lynis show eol' command
• Korean translation

Changed

• AUTH-9252 - Adds support for files in sudoers.d
• AUTH-9252 - Test extended to check file and directory ownership
• BOOT-5122 - Use NONE instead of WARNING if no password is set
• FIRE-4540 - Modify test to better measure rules
• KRNL-5788 - Resolve false positive warning on missing /vmlinuz
• NETW-2704 - Ignore inline comments in /etc/resolv.conf
• PKGS-7388 - Improve detection for security archive
• RPi/Raspian path to PAM_FILE_LOCATIONS

Lynis 2.7.1

Lynis 2.7.1 (2019-01-30)

Added

• Support for macOS Mojave
• Translation: Slovak

Changed

• AUTH-9282 - Improve support for Red Hat and clones
• FIRE-4534 - Additional support for Hands Off!, LuLu, and Radio Silence
• LOGG-2190 - Added MariaDB filter for deleted files (tested on CentOS)
• SHLL-6230 - Add /etc/bash.bashrc.local to umask check
• Removed shift statement that did not work on all operating systems
• Minor cleanups and enhancements
• Small improvements to logging

Lynis 2.7.0

Lynis 2.7.0 (2018-10-26)

Added

• MACF-6240 - Detection of TOMOYO binary
• MACF-6242 - Status of TOMOYO framework
• SSH-7406 - OpenSSH server version detection
• TOOL-5160 - Check active OSSEC analysis daemon

Changed

• Changed several warning labels on screen
• AUTH-9308 - More generic sulogin for systemd rescue.service
• OS detection now ignores quotes for getting the OS ID.