Changelog v2.2.0 :
The biggest change in this release is the optimization of several functions. It allows for better detection, and dealing with the quirks, of every single
operating system. Some functions were fortified to handle unexcepted results better, like missing a particular binary, or not returning the hostname.
This release also enables tests to be shorter, by adding new functions. Some functions were renamed or slightly changed, to provide more value to the tooling.
Another big change in this release is a wide set of optimizations and quality testing. Outdated pieces were removed, or rewritten, to support features seen in
In the area of compliance, adjustments have been made to start supporting more in-depth testing for this. Ideal for companies who have a particular compliance
need, or want to test and enforce the system hardening levels of their systems.
Last but not least, many small changes make this software easier to use. On our website we added new guides to provide help and support.
We like to thank our contributors, in particular Kamil Boratyński, Steve Bosek, and Eric Light. Their contributions helped us greatly shaping this release.
Below are the changes per category:
* Automation tools
Detection for CFEngine has been improved. Also additional logging and reporting of automation tools.
Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes checking for /etc/login.defs file [AUTH-9408]. Merged previous password check for Solaris into test AUTH-9228. User ids on AIX will be gathered and added to the report [AUTH-9234].
New plugin is introduced to analyze PAM settings. It including items like:
+ Two-factor authentication methods
+ Minimum password length, password strength and protection status against brute force cracking
+ Password history
Report option: auth_failed_logins_logged
Added detection for Mac OSX boot loader. Initial support to test UEFI settings, including Secure Boot option. Options boot_uefi_booted and
boot_uefi_booted_secure added to report file
This release prepares for upcoming extensions to assist with compliance testing. The profile has a new option, which can be used to define what standards should
be tested for, if any test is available. The related option is: compliance_standards
Right now these standards can be selected:
+ CIS benchmarks
+ PCI DSS
Note that additional tests will be implemented in future releases and then tagged to these particular standards.
* DNS and Name services
Support added for Unbound DNS caching tool [NAME-4034], including a configuration check [NAME-4036].
Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
Test for IPFW firewall on FreeBSD has been improved: status of pflogd will no longer be displayed, when pf is not available.
New test FIRE-4532 introduced for detection of the Mac OS X application firewall.
Also, the status of application firewalls is audited now.
FIRE-4508 is another new test, which tests chains of iptables and their default
policy (ACCEPT or DROP). This release also supports the upcoming nftables
technology with new test FIRE-4536. It is expected that it will replace iptables
later on, so this test will perform a status check. Additional FIRE-4548 will
perform a version detection of the userland utility nft and determine if there
are any rules configured.
Renamed FIRE-4511 to FIRE-4502.
* File Integrity Monitoring
Test added to include osqueryd as a supported tool.
Detection of firewire is enhanced (both ohci and core detected).
Extended the test syslog-ng logging to remote systems. The log Lynis itself
produces is also enhanced, to be more detailed for several tests.
ESET and LMD (Linux Malware Detect) have been added. Discovered malware scanners are also logged to the report.
* Mount points
FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
Best practices for IPv6 configuration on Linux are now collected. Also network interface names from most operating systems.
* Operating systems
Improved support for Debian 8 systems, and displaying Gentoo for Gentoo-based systems. Detection of VMware release has been added. Boot loader exception is not
longer displayed when only a subset of tests is performed. FreeBSD systems can now use service command to gather information about enabled services.
Several paths have been added to allow better detection on systems running FreeBSD and others.
AUTH-9286 change has been extended to both capture minimum and password age.
* Proxy support
A proxy can now be specified in the profile, to allow uploads via a HTTP or SOCKS proxy.
* Service Managers
SystemV init is now detected.
* Software and Packages
Now information will be logged when vulnerable software packages were found. Support for DNF (Dandified YUM) for Fedora systems has been added. This is done
in several tests: PKGS-7350 (installed packages), PKGS-7352 (security notices),
PKGS-7354 (integrity tests).
Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
* Virtual machines and Containers
Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it
before gave error as it found directory /usr/libexec/docker. Check file permissions for Docker files, like the socket file [CONT-8108].
* Individual tests
[AUTH-9204] Exclude NIS entries to avoid false positives
[AUTH-9230] Removed test as it was merged into AUTH-9228
[AUTH-9234] Support for AIX added
[AUTH-9288] Test for expired passwords
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also
includes improved logging, and support for other operating systems.
[BOOT-5104] Rewrote test to detect SysV init and other service managers
[BOOT-5106] New test to test boot loader on Mac OS X
[BOOT-5180] Only gets executed if runlevel 2 is found
[CONT-8108] New test to test for Docker file permissions
[DBS-1816] Removed suggestion
[FILE-6310] Add more details to test when a symlinked path has been found
[FILE-6410] Added /var/lib/locatedb as search path
[FINT-4338] Added osquery test
[FIRE-4508] Added chains test for iptables
[FIRE-4511] Renamed to FIRE-4502
[FIRE-4536] Support for nftables detection
[FIRE-4538] Basic configuration check for for nftables
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
[HTTP-6622] Determine Apache version and log to report
[HTTP-6624] Ignore wildcard and default entries as ServerName for Apache
[LOGG-2154] Additional support for log destinations for syslog-ng
[MALW-3278] New test to detect LMD (Linux Malware Detect)
[NAME-4406] Changed logic for localhost check and more detailed logging
[NETW-2600] IPv6 configuration check for Linux
[NETW-3032] Added ARP monitoring software test
[PKGS-7308] Split package name and version for RPM based package manager
[PKGS-7350] Support for installed packages via Fedora DNF package manager (Dandified YUM)
[PKGS-7352] Query security notices for DNF
[PKGS-7354] Perform integrity tests for package database (DNF)
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
[STRG-1842] New test for checking authorized USB devices
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured
[TIME-3170] New test to check NTP configuration files
[CreateTempFile] Create a temporary file
[DigitsOnly] New function to extract only numbers from a text string
[DisplayManual] New function to show text on screen without any markup
[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier
[IsWordWritable] Changed return codes for easier usage of the function
[LogText] Replaces the older logtext function
[RandomString] Creates a random string of characters
[RemoveTempFiles] Remove any created temporary files
[Report] Replaces the older report function
[ReportSuggestion] Allows two additional parameters to store details
(text and external reference to a solution)
[ReportWarning] Like ReportSuggestion() has additional parameters
[ShowComplianceFinding] Display compliance findings
[ShowSymlinkPath] Ensure readlink is available
* General improvements
– When using pentest mode, it will continue without any delays (=quick mode).
– Plugins execution is improved, with improved logged and counting of active plugins.
– Data uploads: provide help when self-signed certificates are used.
– Improved output for tests which before showed results as a warning, instead of just as a suggestion.
– Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
– Preparations to allow compressing the Lynis report file and enhance uploads.
– Added –config option to show what settings file or profile is used.
– Tool tips are displayed, to make Lynis even easier to use.
– Show a warning if the release is older than four months.
– PID file has additional checks, including cleanups.
– [PAM] New plugin available in all versions of Lynis
– [PLGN-2602] Replaced mktemp commands with CreateTempFile function
– [PLGN-2804] Limit report output of EXT file systems to 1 item per line
Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris. It performs an in-depth security scan on the system to detect software and security issues. Besides information related to security, it will also scan for general system information, vulnerable software packages, and possible configuration issues.
We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, and even alter the software. Many agree with us, as the software is being used by thousands every day to protect their systems.
+ Security auditing (automated)
+ Compliance testing (e.g. PCI-DSS, HIPAA)
+ Vulnerability testing
The software aims to also assist with:
+ Configuration management
+ Software patch management
+ System hardening
+ Penetration testing
+ Malware scanning
+ Intrusion detection
git clone https://github.com/CISOfy/lynis
./lynis audit system
cd <your lynis folder>
Download Binary v2.2.0: 2.2.0.zip | 2.2.0.tar.gz
Our post Before : http://seclist.us/lynis-v-2-1-8-is-a-system-and-security-auditing-tool-for-unixlinux.html