Softpedia >Mac >System Utilities >Lynis >  Changelog

Lynis Changelog

What's new in Lynis 2.2.0

Jun 23, 2016
  • Highlights:
  • The biggest change in this release is the optimization of several functions. It allows for better detection, and dealing with the quirks, of every single operating system. Some functions were fortified to handle unexpected results better, like missing a particular binary, or not returning the hostname.
  • This release also enables tests to be shorter, by adding new functions. Some functions were renamed or slightly changed, to provide more value to the tooling. Another big change in this release is a wide set of optimizations and quality testing. Outdated pieces were removed, or rewritten, to support features seen in newer distributions.
  • In the area of compliance, adjustments have been made to start supporting more in-depth testing for this. Ideal for companies who have a particular compliance need, or want to test and enforce the system hardening levels of their systems.
  • Last but not least, many small changes make this software easier to use. On our website we added new guides to provide help and support.

New in Lynis 2.1.1 (Aug 21, 2015)

  • Operating system enhancements:
  • Support for systems like CentOS, openSUSE, Slackware is improved.
  • Performance:
  • Performance tuning has been applied, to speed up execution of the audit on systems with many files. This also includes code cleanups.
  • Automatic updates:
  • Initial work on an automatic updater has been implemented. This way Lynis can be scheduled for automatic updating from a trusted source.
  • Internal functions:
  • Not all systems have readlink, or the -f option of readlink. The ShowSymlinkPath function has been extended with a Python based check, which is often available.
  • Software support:
  • Apache module directory /usr/lib64/apache has been added, which is used on openSUSE.
  • Support for Chef has been added.
  • Added tests for CSF's lfd utility for integrity monitoring on directories and files. Related tests are FINT-4334 and FINT-4336.
  • Added support for Chrony time daemon and timesync daemon. Additionally NTP sychronization status is checked when it is enabled.
  • Improved single user mode protection on the rescue.service file.
  • Other:
  • Check for user permissions has been extended.
  • Python binary is now detected, to help with symlink detection.
  • Several new legal terms have been added, which are used for usage in banners.
  • In several files old tests have been removed, to further clean up the code.
  • Bug fixes:
  • Nginx test showed error when access_log had multiple parameters.
  • Tests using locate won't be performed if not present.
  • Fix false positive match on Squid unsafe ports [SQD-3624].
  • The hardening index is now also inserted into the report if it is not displayed on screen.

New in Lynis 2.1.0 (Apr 18, 2015)

  • GENERAL:
  • Screen output has been improved to provide additional information.
  • OS SUPPORT:
  • CUPS detection on Mac OS has been improved. AIX systems will now use csum utility to create host ID. Group check have been altered on AIX, to include the -n ALL. Core dump check on Linux is extended to check for actual values as well.
  • SOFTWARE:
  • McAfee detection has been extended by detecting a running cma binary.
  • Improved detection of pf firewall on BSD and Mac OS. Security patch checking with zypper extended.
  • SESSION TIMEOUT:
  • Tests to determine shell time out setting have been extended to account for AIX, HP-UX and other platforms. It will now determine also if variable is exported as a readonly variable. Related compliance section PCI DSS 8.1.8 has been extended.
  • DOCUMENTATION:
  • New document: Getting started with Lynis https://cisofy.com/documentation/lynis/get-started/
  • PLUGINS (ENTERPRISE):
  • Update to file integrity plugin:
  • Changes to PLGN-2606 (capabilities check)
  • New configuration plugins:
  • PLGN-4802 (SSH settings)
  • PLGN-4804 (login.defs)

New in Lynis 2.0.0 (Mar 2, 2015)

  • Helpers:
  • New in this release is the support for helpers. Small utilities which enhance Lynis by providing a single goal. The first helper available is to audit Docker build files.
  • Improved OS support:
  • Many changes have been implemented to better support Linux, FreeBSD, NetBSD DragonBSD and OpenBSD in particular. Upcoming releases will include smaller "improvement rounds" for other systems as well.
  • New technologies:
  • More utilities and technologies are supported now. Technologies and tools like systemd, Docker, nftables.
  • Lynis Enterprise:
  • As this code is shared, customers have an additional option to define to what server they want to upload the audit results. Also, commercial plugins have been bundled.
  • New parameters:
  • Several new options have been added: --dump-options (see all options) --report-file (define a different location for the report file).

New in Lynis 1.6.4 (Dec 15, 2014)

  • New:
  • Boot loader detection for AIX [BOOT-5102]
  • Detection of getcap and lsvg binary
  • Added filesystem_ext to report
  • Detect rootsh
  • Changes:
  • Hide errors when RPM database is faulty and show suggestion instead [PKGS-7308]
  • Allow OpenBSD to gather information on listening network ports [NETW-3012]
  • Don't trigger warning for Shellshock when doing segfault test [SHLL-6290]
  • Do not run Apache test on OpenBSD and strip control chars [HTTP-6624]
  • Extended AIDE test with configuration validation test [FIND-4314]
  • Improved Shellshock test regarding non-Linux support [SHLL-6290]
  • Added support for gathering volume groups on AIX [FILE-6311]
  • Properly parse PAM lines and add them to report [AUTH-9264]
  • Support for boot loader detection on OpenBSD [BOOT-5159]
  • Added uptime detection for OpenBSD systems [BOOT-5202]
  • Support for volume groups on AIX [FILE-6312]
  • Redirect errors when searching for readlink binary

New in Lynis 1.6.3 (Oct 15, 2014)

  • New:
  • Added tests for Shellshock bash vulnerability [SHLL-6290]
  • Added test to determine if Snoopy is used [ACCT-9636]
  • New test for qdaemon configuration file [PRNT-2416]
  • Test for GRUB boot loader password [BOOT-5122]
  • New test for qdaemon printer jobs [PRNT-2420]
  • Added ClamXav test for Mac OS X [MALW-3288]
  • Gentoo vulnerable packages test [PKGS-7393]
  • New test for qdaemon status [PRNT-2418]
  • Gentoo package listing [PKGS-7304]
  • Running Lynis without root permissions will start non-privileged scan
  • Systemd service and timer example file added
  • Added grub2-install to binaries
  • Changes:
  • Adjustments so insecure SSL protocols are detected in nginx config [HTTP-6710]
  • Directories will be skipped when searching for nginx log files [HTTP-6720]
  • Only gather unique name servers from /etc/resolv.conf [NAME-2704]
  • Properly detect mod_evasive on Gentoo and others [HTTP-6640]
  • Improved swap partition detection in /etc/fstab [FILE-6336]
  • Improvements to kernel detection (e.g. Gentoo) [KRNL-5830]
  • Test for built-in security options in YUM [PKGS-7386]
  • Improved boot loader detection for GRUB2 [BOOT-5121]
  • Split GRUB test into two tests [BOOT-5122]
  • Added Mac OS uptime check [BOOT-5202]
  • Improved GetHostID function for systems having only ip binary
  • Improved testing for symlinked binary directories
  • Minor adjustments to log output
  • Renamed dev directory to extras

New in Lynis 1.6.2 (Sep 23, 2014)

  • New:
  • IsVirtualMachine function to check if system is running in VM (VM types: Bochs CPU emulation, IBM z/VM, KVM, Linux Containers, libvirt LXC driver (Linux Containers), Microsoft Virtual PC, OpenVZ, Oracle VM VirtualBox, QEMU, Systemd Namespace container, User-Mode Linux (UML), VMware products, XEN)
  • Detection for SaltStack configuration management tooling
  • ShowSymlinkPath function to check path behind a symlink
  • Check of configuration options of pacman [PKGS-7314]
  • Support for drill binary to check for Lynis update
  • FileIsEmpty function to check for empty files
  • Detect updates for Arch Linux [PKGS-7312]
  • Add detection for machine ID (systemd)
  • Added linux_config_file to report
  • Bash completion script for Lynis
  • Added detection of ss binary
  • Changes:
  • Extended system reboot check, to enable it for most Linux versions[KRNL-5830]
  • Improved inetd test to avoid false positive with xinetd process [INSE-8002]
  • Permissions check has been adjusted to allow packaging and pentest mode
  • Added detection for compressed Linux config file [KRNL-5728]
  • Added support for compressed Linux config file [KRNL-5730]
  • Store PID file in home directory of the user, if needed
  • Added usage of ss to gather listening ports [NETW-3012]
  • Additional permission added to CUPS check [PRNT-2307]
  • Extended telnet in inetd test [INSE-8016]
  • Fix for reading at.deny file [SCHD-7720]
  • Removed individual warnings [BOOT-5184]
  • Several improvements for Arch Linux

New in Lynis 1.6.1 (Sep 10, 2014)

  • New:
  • Added --pentest parameter to run a non-privileged scans (e.g. for pentesting)
  • Show skipped tests in report if they require root and scan is non-privileged
  • Changes:
  • Improved vulnerable packages test on Debian based systems (apt-check) [PKGS-7392]
  • Don't show warnings for 'swap' in 4th column fstab file [FILE-6336]
  • Remove warning for old files in /tmp [FILE-6354]
  • CheckUpdates function will have better output when no connection is available
  • Changes to parameters and functions, to allow penetration tests with Lynis
  • Test for actual files in /etc/modprobe.d before grepping in it
  • Improved chown command when file permissions are incorrect
  • Changed output of update test, show when status is unknown
  • No scanning of symlinked directories (binaries test)
  • Extended SafePerms function to also check for UID
  • Several tests will have root-only bit set now
  • Improved netstat tests on Arch Linux

New in Lynis 1.6.0 (Sep 3, 2014)

  • New:
  • Added several new plugins to default profile
  • HostID detection for AIX
  • Changes:
  • Improvements for log file
  • GetHostID function improved
  • Improved detection of security repository for Debian based systems [PKGS-7388]
  • Set default values for update check, to avoid error message on screen
  • Cleanup for mail section, adding IMAP and POP3 protocols

New in Lynis 1.5.9 (Jul 31, 2014)

  • New:
  • New NetBSD test for vulnerable software packages [PKGS-7380]
  • Test if Debian based systems need a reboot [KRNL-5830]
  • Test for running Sendmail daemon [MAIL-8880]
  • Test for availability of mtree [FINT-4330]
  • Check for lp daemon (printing) [PRNT-2314]
  • Added Qmail status detection [MAIL-8860]
  • New NetBSD boot loader test [BOOT-5126]
  • Added test for automation tools like Cfengine and Puppet [TOOL-5002]
  • Added KRNL-5830 control to website
  • Added detection for Puppet
  • Added tooling category
  • Changes:
  • Security repository test extended with /etc/apt/sources.list.d [PKGS-7388]
  • Added exception case for CUPS configuration (listen statement) [PRNT-2308]
  • Improved detection of TMOUT setting in shell profile file [SHLL-6220]
  • Perform promiscuous interfaces test for NetBSD as well [NETW-3014]
  • Perform swap partition parameters test on all systems [FILE-6336]
  • Also check password file on DragonFlyBSD and NetBSD [AUTH-9208]
  • Show message regarding toor user for all systems [AUTH-9204]
  • Check for available interfaces on NetBSD as well [NETW-3004]
  • Extended UFS file system test with FFS support [FILE-6329]
  • Improvements for step-tickers file test [TIME-3160]
  • Perform sockstat test for NetBSD [NETW-3012]
  • Gather IP addresses for NetBSD [NETW-3008]
  • Test MAC addresses on NetBSD [NETW-3006]
  • Added /usr/X11R7/bin directory to search for binaries
  • Improved full qualified domain name (FQDN) check for Linux
  • Don't show follow-up hints when there are no warnings or suggestions
  • Improved IsRunning function to better target processes
  • Several smaller adjustments in text and descriptions
  • Extended ReportException function with logging text
  • Improved GetHostID function for NetBSD and Solaris
  • Added printing_daemon and mail_daemon to report
  • Binaries extended with tools like kstat, puppet

New in Lynis 1.5.8 (Jul 25, 2014)

  • New:
  • Testing for commercial anti-virus solutions like McAfee and Sophos [MALW-3280]
  • New control text for MALW-3280 - http://cisofy.com/controls/malw-3280/
  • Changes:
  • Extended GRUB test with encrypted password (SHA1) [BOOT-5121]
  • Check /etc/profile for multiple umask values [AUTH-9328]
  • Extended PHP disabled functions test [PHP-2320]
  • Add gpgcheck parameter to YUM test [PKGS-7387]
  • Squid configuration file permissions test adjusted and control added to website [SQD-3613]
  • Logging has been extended and exceptional event text adjusted

New in Lynis 1.5.7 (Jul 10, 2014)

  • New:
  • Implementation of SafePerms function
  • Added notification when exceptions are found
  • Changes:
  • - Fix for error_log handling in nginx

New in Lynis 1.5.6 (Jun 12, 2014)

  • New:
  • Test for PHP binary and PHP version
  • Don't perform register_global test for systems running PHP 5.4.0 and later [PHP-2368]
  • Debug function (can be activated via --debug or profile)
  • Changes:
  • Extended IsRunning function
  • Removed suggestion from secure shell test [SHLL-6202]
  • Check for idle session handlers [SHLL-6220]
  • Also check for apache2 binary (file instead of directory)
  • New report values: session_timeout_enabled and session_timeout_method
  • New report value for plugins: plugins_enabled
  • Fixed test to determine active TCP sessions on Linux [NETW-3012]

New in Lynis 1.5.5 (Jun 9, 2014)

  • New:
  • Check for nginx access logging [HTTP-6712]
  • Check for missing error logs in nginx [HTTP-6714]
  • Check for debug mode in nginx [HTTP-6716]
  • Changes:
  • Extended SSL test for nginx when using listen statements
  • Allow debugging via profile (config:debug:yes)
  • Check if discovered httpd file is actually a file
  • Improved temporary file creation related to security notice
  • Adjustments to screen output
  • Security Note:
  • This releases solves two issues regarding the usage of temporary files (predictability of the file names). You are advised to upgrade to this version as soon as possible. For more information see the our blog post: http://linux-audit.com/lynis-security-notice-154-and-older/

New in Lynis 1.5.4 (Jun 5, 2014)

  • New:
  • Check additional configuration files for nginx [HTTP-6706]
  • Analysis of nginx settings [HTTP-6708]
  • New test for SSL configuration of nginx [HTTP-6710]
  • Changes:
  • Altered SMBD version check for Mac OS
  • Small adjustments to report for readability

New in Lynis 1.5.3 (May 19, 2014)

  • New:
  • Support for zypper package manager
  • Gather installed packages with Zypper on SuSE systems [PKGS-728]
  • Check for vulnerable packages with Zypper package manager [PKGS-7330]
  • Changes:
  • Check for aide.conf also in /etc [FINT-4315]
  • Adjusted screen output for unreliable NTP peers [TIME-3120]
  • Adjusted check kernel test for non-Linux systems [KRNL-5730]
  • Improved screen output on AIX systems with echo command

New in Lynis 1.5.2 (May 5, 2014)

  • New:
  • Support for runlevel in binaries test
  • Changes:
  • Added suggestion for kernel availability check [KRNL-5788]
  • Added suggestion for services at startup and proper binary call [BOOT-5180]
  • Added suggestion to configure accounting on FreeBSD [ACCT-2754]
  • Added suggestion to configure Linux process accounting [ACCT-9622]
  • Several new controls listed on website
  • Adjusted hardening index if total score was zero
  • Added suggestion for auditd.conf file [ACCT-9632]
  • Removed suggestion for audit log file [ACCT-9634]
  • Removed warning from NTP falsetickers test, added data to report [TIME-3132]
  • Removed warning from NTP selected time source test [TIME-3124]

New in Lynis 1.5.1 (Apr 23, 2014)

  • Changes:
  • Extended reporting with running databases and frameworks
  • Adjusted Oracle status in test [DBS-1840]
  • Extended grsecurity test [RBAC-6272]
  • Redirect rpcinfo errors to /dev/null
  • Adjusted color scheme

New in Lynis 1.5.0 (Apr 11, 2014)

  • New:
  • Support for Amazon Linux
  • NTP check for step-tickers file (Red Hat and clones) [TIME-3160]
  • Changes:
  • Minor textual changes in description of several controls
  • Removed several warnings (usage of suggestions instead)
  • Website has now more information for several controls
  • Extended detection for Oracle Linux
  • Updated the FAQ and README files

New in Lynis 1.4.9 (Apr 3, 2014)

  • New:
  • Added links in report to related control documentation on website
  • Detect Linux I/O kernel scheduler [KRNL-5730]
  • Changes:
  • Check for non-unique accounts on several platforms [AUTH-9208]
  • Set initial discover value for PAM modules to zero [AUTH-9268]

New in Lynis 1.4.8 (Mar 27, 2014)

  • Changes:
  • Adjusted resolv.conf domain setting in report [NAME-4016]
  • Extend account test with /var/log/pacct [ACCT-9620]
  • Added suggestion to DNS domain name test [NAME-4028]
  • Changed text strings of ZFS test [FILE-6330]
  • Extend LILO password test [BOOT-5139]
  • Set default value for pf firewall

New in Lynis 1.4.7 (Mar 22, 2014)

  • New:
  • New configuration item to set group name
  • Search for AIDE configuration file (aide.conf) [FINT-4315]
  • Check for usage of SHA256/SHA512 in AIDE configuration [FINT-4316]
  • Added grep to list of binaries
  • Changes:
  • Added suggestion when using NIS or NIS+ [NAME-4302]
  • Clean-up of unneeded plugin section
  • Small typo fix

New in Lynis 1.4.6 (Mar 15, 2014)

  • New:
  • Check for GPG signing in yum.conf [PKGS-7387]
  • Check CUPS configuration file permissions [PRNT-2307]
  • Changes:
  • Screen cleanup

New in Lynis 1.4.5 (Mar 10, 2014)

  • New:
  • Support for Chakra Linux
  • Support for pacman binary (package manager)
  • Query installed packages on systems with pacman [PKGS-7310]
  • Changes:
  • Avoid logging to screen when falsetickets are found [TIME-3132]
  • Skipping FIFO file on Solaris systems when checking for cron jobs [TIME-3104]
  • Extended uptime test for Solaris systems [BOOT-5202]
  • Added /usr/lib/security to PAM locations to scan
  • Report cronjobs to report [SCHD-7704]
  • HostID support for Solaris
  • Improved color scheme
  • Extended logging

New in Lynis 1.4.4 (Mar 4, 2014)

  • New:
  • Detect tune2fs binary
  • Added ExitFatal() function
  • Added egrep binary to binaries
  • Initial plugin support (phase 1)
  • Added InsertPluginSection() function
  • Changes:
  • Adjusted disabled functions tests to properly find functions [PHP-2320]
  • Extended time test with egrep binary replace for Solaris [TIME-3104]
  • Adjusted color for SNMP test when warning is found [SNMP-3306]
  • Adjusted text for PHP risky functions [PHP-2320]
  • Refer to discovered binaries for ifconfig, lsmod, tune2fs
  • Test plugin directory when provided by --plugin-dir
  • Scan report extended with plugin information
  • Extended help for Enterprise options
  • Improved IsRunning() function
  • Extended color scheme

New in Lynis 1.4.3 (Feb 24, 2014)

  • New:
  • Support for ClearOS
  • Data upload for Lynis Enterprise users (--upload)
  • Added debug variable for troubleshooting purposes
  • Scan profile option license_key
  • Changes:
  • Skip password check for Red Hat or clones [AUTH-9282]
  • Extended single user login protection [AUTH-9308]
  • Adjusted repolist check for yum based systems [PKGS-7383]
  • Inserted sleep time when update is found
  • Extended report output

New in Lynis 1.4.2 (Feb 19, 2014)

  • Changes:
  • Ignore interfaces aliases for HostID
  • Extended umask tests with pam_umask entries [AUTH-9328]
  • Check for suppressed version on Squid [SQD-3680]

New in Lynis 1.4.1 (Feb 17, 2014)

  • New:
  • --plugin-dir parameter
  • Changes:
  • Added 64 bits locations for Apache modules
  • Add start of new category to logfile
  • Extended sysstat test with /etc/cron.d/sysstat [ACCT-9626]
  • Extended cron job tests with entries start with asterix (*) [SCHD-7704]
  • Additional check for multiple umask entries (like RHEL 6.x) [AUTH-9328]
  • Adjusted PHP test for register_globals (explicit test) [PHP-2368]
  • Small adjustments for upcoming plugin support
  • Extended man page

New in Lynis 1.4.0 (Jan 29, 2014)

  • Removed some warnings, to prevent double messages
  • Extended accounting check for Linux [ACCT-9622]
  • Added consistency check to time test [TIME-3124]
  • Added support for anacron jobs [SCHD-7704]
  • Rewrite of YUM repository test [PKGS-7383]
  • Use binary variables for hostid creation
  • AIX version detection changed
  • Added rpcinfo to binaries check
  • Ignore LANG global setting
  • Improved logging

New in Lynis 1.3.9 (Jan 10, 2014)

  • Changes:
  • Additional support for Mac OS
  • Support for shasum binary
  • Performance adjustment for lsof tests
  • Extended interface check for hostid creation
  • Improved NSCD detection [NAME-4032]
  • Bug fix for passwdqc [AUTH-9262]
  • Extended vulnerable packages test [PKGS-7392]
  • Hide possible sysctl errors [KRNL-5820]

New in Lynis 1.3.8 (Jan 10, 2014)

  • New:
  • New parameter --view-categories to display available test categories
  • Added /etc/hosts check (duplicates) [NAME-4402]
  • Added /etc/hosts check (hostname) [NAME-4404]
  • Added /etc/hosts check (localhost mapping) [NAME-4406]
  • Portmaster test for possible port upgrades [PKGS-7378]
  • Check for SPARC improve boot loader (SILO) [BOOT-5142]
  • NFS client access test [STRG-1930]
  • Check system uptime [BOOT-5202]
  • YUM repolist check [PKGS-7383]
  • Contributors file added
  • Changes:
  • Improved locate database check and reporting [FILE-6410]
  • Improved PAE/No eXecute test for Linux kernel [KRNL-5677]
  • Disabled NIS domain name from test [NAME-4028]
  • Extended NIS domain test to check BSD sysctl value [NAME-4306]
  • Extended PAM tools check with PAM paths [AUTH-9262]
  • Adjusted Apache check to avoid skipping it [HTTP-6622]
  • Extended USB state testing [STRG-1840]
  • Extended Firewire state testing [STRG-1846]
  • Extended core dump test [KRNL-5820]
  • Added /lib/i386-linux-gnu/security to PAM directories
  • Added /usr/X11R6/bin directory to binary paths
  • Improved readability of screen output
  • Improved logging for several tests
  • Improved Debian version detection
  • Added warning to BIND test [NAME-4206]
  • Extended binaries with showmount and yum
  • Updated man page

New in Lynis 1.3.7 (Dec 11, 2013)

  • New:
  • Function FileExists() and SearchItem()
  • Changes:
  • Adjusted yum-security check [PKGS-7386]
  • Improved check for iptables binary check
  • Extended report with the tests executed and skipped

New in Lynis 1.3.6 (Dec 3, 2013)

  • New:
  • Support for the dntpd time daemon
  • New Apache test for modules [HTTP-6632]
  • Apache test for mod_evasive [HTTP-6640]
  • Apache test for mod_qos [HTTP-6641]
  • Apache test for mod_spamhaus [HTTP-6642]
  • Apache test for ModSecurity [HTTP-6643]
  • Check for installed package audit tool [PKGS-7398]
  • Added initial support for new pkgng and related tools [PKGS-7381]
  • Check for ssh-keyscan binary
  • ZFS support for FreeBSD [FILE-6330]
  • Test for passwordless accounts [AUTH-9283]
  • Initial OS support for DragonFly BSD
  • Initial OS support for TrueOS (FreeBSD based)
  • Initial OS support for elementary OS (Luna)
  • GetHostID for DragonFly, FreeBSD, NetBSD and OpenBSD
  • Check for DHCP client [NETW-3030]
  • Initial support for OSSEC (system integrity) [FINT-4328]
  • New parameter --log-file to adjust log file location
  • New function IsRunning() to check status of processes
  • New function RealFilename() to determine file name
  • New function CheckItem() for parsing files
  • New function ReportManual() and ReportException() to simplify code
  • New function DirectoryExists() to check existence of a directory
  • Support for dntpd [TIME-3104]
  • Changes:
  • Extended pf checks for FreeBSD/OpenBSD and others [FIRE-4518]
  • Extended test to gather listening network ports for Linux [NETW-3012]
  • Adjusted lsof statement to ignore warnings (e.g. fuse) [LOGG-2180] [LOGG-2190]
  • Added suggestion for discovered shells on FreeBSD [AUTH-9218]
  • Extended core dump test with additional details [KRNL-5820]
  • Properly display suggestion if portaudit is not installed [PKGS-7382]
  • Ignore message if no packages are installed (pkg_info) [PKGS-7320]
  • Also try using apt-check on Debian systems [PKGS-7392]
  • Adjusted logging for RPM binary on systems not using it [PKGS-7308]
  • Extended search in cron directories for rdate/ntpdate [TIME-3104]
  • Adjusted PHP check to find ini files [PHP-2211]
  • Skip Apache test for NetBSD [HTTP-6622]
  • Skip test http version check for NetBSD [HTTP-6624]
  • Additional check to surpress sort error [HTTP-6626]
  • Improved the way binaries are checked (less disk reads)
  • Adjusted ReportWarning() function to skip impact rating
  • Improved report on screen by leaving out date/time and type
  • Redirect errors while checking for OpenSSL version
  • Extended reporting with firewall status and software
  • Adjusted naming of some operating systems to make them more consistent
  • Extended update check by using host binary if dig is not installed
  • Count number of installed binaries/packages and report them
  • Report about log rotation tool and status
  • Updated man page

New in Lynis 1.3.5 (Nov 19, 2013)

  • New:
  • OS detection for Mageia Linux, PCLinuxOS, Sabayon Linux and Scientific Linux
  • Added some initial systemd support (e.g. boot services)
  • Test to display if any known MAC framework is implemented [MACF-6290]
  • Changes:
  • Improved support for Slackware Linux (OS and version detection)
  • Added systemd support (boot and running services) for Linux systems [BOOT-5177]
  • Added systemd support (default runlevel) for Linux systems [KRNL-5622]
  • Extended USB storage check in modprobe.d directory [STRG-1840]
  • Improved output, reporting and check for kernel update [KRNL-5788]
  • Optimized code and output of test to check writable scripts [BOOT-5184]
  • Fixed detection for writable scripts [BOOT-5184]
  • Improved detection IPv6 addresses for Slackware and others [NETW-3008]
  • Minor addition to SSH PermitRootLogin check [SSH-7412]
  • Extended cronjob tests, reporting and logging [SCHD-7704]
  • Extended umask check in /etc/profile [AUTH-9328]
  • Added suggestion about BIND version [NAME-4210]
  • Merged test NTP daemon test TIME-3108 into TIME-3104
  • Improved support for Arch Linux (output, detection)
  • Extended common list of directories with SSL certifcates in profile
  • New function GetHostID() to determine an unique identifier of the machine
  • Added a tests_custom file template
  • Perform file permissions test on tests_custom file
  • Improved OS detection and extended logging on several tests
  • Several layout improvements
  • Extended update check functions and output
  • Cleaned up reporting and extended it with exceptions

New in Lynis 1.3.4 (Nov 19, 2013)

  • New:
  • OS detection support for Arch Linux
  • Support for systemd journal
  • Changes:
  • Test for files in /etc/modprobe.d directory [STRG-1840]
  • Extended log daemon detection with systemd journal [LOGG-2130]
  • Adjusted hardening value for compiler GCC [HRDN-7222]
  • Extended IsWorldWritable and IsWorldExecutable functions to support symlinks
  • Adjusted PHP test for disabled functions [PHP-2320]
  • Extended testing for PHP files in other directories [PHP-2211]
  • Improved screen output for several tests and extended logging

New in Lynis 1.3.3 (Nov 9, 2013)

  • New:
  • Added NTP configuration type to report [TIME-3104]
  • Changes:
  • Do not warn on empty shells for FreeBSD systems [AUTH-9218]
  • Extended checks for presence NTP client or daemon [TIME-3104]
  • Extended logging

New in Lynis 1.3.2 (Oct 10, 2013)

  • New:
  • Test for PowerDNS authoritive servers (master/slave status) [NAME-4238]
  • Changes:
  • CUPS test extended with hardening rules [PRNT-2308]
  • Added hardening points to sticky bit on /tmp [FILE-6362]
  • Extended Ubuntu security packages check [PKGS-7392]
  • Improved update check, show when no check is performed
  • Added additional check for binaries, so checks on CentOS work correctly
  • Added word 'restricted' to banner strings
  • Adjusted wording for Debian packages purge [PKGS-7346]
  • Corrected listing of purgable packages [PKGS-7346]
  • Adjusted yum-plugin-security check due to package changes [PKGS-7386]

New in Lynis 1.3.1 (Oct 4, 2013)

  • Changes:
  • Updated generic references in files
  • Fixed detection of several binaries (AFICK/awk)
  • Performance tweaks when checking for binaries
  • Fixed core dump check and dumpable sysctl [KRNL-5820]
  • Force test to always to check for binaries [FILE-7502]
  • Changed detection to egrep [DBS-1840]
  • Adjusted variable checking for Solaris [HOME-9310]
  • Adjusted search in modprobe directory [STRG-1840] [STRG-1846]

New in Lynis 1.3.0 (Oct 4, 2013)

  • New:
  • Profile option: ignore_home_dir
  • TCP wrappers category added
  • Tooling category added
  • Initial extensions to support plugins in the future
  • Test for unpurged Debian packages [PKGS-7346]
  • Test for compiler permissions [HRDN-7222]
  • Changes:
  • Converted all dates to ISO format and updated copyright lines
  • Correct suggestion for file integrity tool [FINT-4350]
  • Added hint when RPM list is empty on DPKG based systems [PKGS-7308]
  • Changed logging for /etc/security/limits.conf file [KRNL-5820]
  • Fixed incorrect warning for single user mode [AUTH-9308]
  • Improved output for stratum 16 time servers [TIME-3116]
  • Added suggestion and screen output for kernel hardening [KRNL-6000]
  • Screen layout optimalizations and log file improvements
  • Improved list/layout of scan options
  • Improved binary check for compilers
  • Added configuration option in scan profile (show_tool_tips, default true)

New in Lynis 1.2.9 (Jan 21, 2010)

  • New:
  • Support for Squid3
  • Added Squid unsafe ports check [SQD-3624]
  • Added Squid configuration file permission check [SQD-3613]
  • Added Squid test: reply_body_max_size option [SQD-3630]
  • Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328]
  • Check PHP option allow_url_include [PHP-2378]
  • Changes:
  • Extended possible Squid configuration file locations
  • Added additional sysctl keys to default profile
  • Fixed typo in squid.conf checks
  • Improved descriptions, logging and reporting for several tests
  • Corrected /etc/security/limits.conf path in test [KRNL-5820]
  • Updated man page, limited lines to 80 chars

New in Lynis 1.2.6 (Apr 6, 2009)

  • New:
  • Sudoers file permissions check [AUTH-9252]
  • Core dumps configuration check for Linux [KRNL-5820]
  • PHP disabled functions check [PHP-2320]
  • PHP enable_dl function check [PHP-2374]
  • PHP allow_url_fopen function check [PHP-2376]
  • OpenBSD smtpd status check [MAIL-8920]
  • /etc/issue check [BANN-7124]
  • /etc/issue legal keywords check [BANN-7126]
  • Show suggestions in report
  • Changes:
  • Extended support for Red Hat, CentOS and Fedora
  • Extended ACL test to test for default mount options as well [FILE-6368]
  • Exim status test fixed [MAIL-8812]
  • Corrected yum security check [PKGS-7386]
  • Replaced LDAP test AUTH-9238 with [AUTH-9402]
  • Removed backquotes when locate database is not available [FILE-6410]
  • Added /etc/openldap to search path for OpenLDAP
  • Fixed typo in crontab path [SCHD-7704]
  • Don't show message "No volume groups found" if LVM isn't used [FILE-6310]
  • Corrected Syslog-NG status [LOGG-2132]
  • Moved TODO to dev directory