Lynis updated to version 1.2.7

by

In: Configurations checks , Local auditing , Lynis , Vulnerability Scanner

8 November 2009

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

Changelog :

New:

  • Added Kernel Hardening section
  • Sysctl audit support in scan profile and related test [KRNL-6000]
  • SSH option StrictModes test [SSH-7416]
  • Password aging limit check [AUTH-9286]
  • Ubuntu packages check (apt-show-versions) [PKGS-7394]
  • Check for metalog daemon [LOGG-2210]
  • USB storage driver state check [STRG-1840]
  • Firewire storage driver state check [STRG-1846]
  • PostgreSQL process check [DBS-1826]
  • Oracle process check [DBS-1840]
  • Default umask check [AUTH-9328]
  • Check for rsyslog daemon [LOGG-2230]
  • RFC 3195 compliant daemon check [LOGG-2240]
  • Qmail SMTP daemon check [MAIL-8940]
  • Test for separation of /tmp and /home from root file system [FILE-6310]
  • SSH AllowUsers and AllowGroups usage check [SSH-7440]
  • AIX support, thanks to Michael Smerdka

Changes:

  • Fixed crontabs path [SCHD-7704]
  • Extended locate database paths for Linux and FreeBSD [FILE-6410]
  • pflog detection fix [FIRE-4518]
  • Skip /proc/meminfo for non Linux systems [PROC-3602]
  • Extended text with rsyslogd [LOGG-2130]
  • Ignore comment and empty lines for group tests [AUTH-9222/9226]
  • Show firewall as active when iptables is available in config file [FIRE-4511]
  • Variable fix for SNMP daemon configuration file [SNMP-3304]
  • Freshclam check fix [MALW-3286]
  • Fixed waiting search for NIS domain [NAME-4306]
  • Check for a maximum of 1 search statement in /etc/resolv.conf [NAME-4018]
  • Apache test improved [HTTP-6622]
  • Skip klogd test if rsyslogd is available [LOGG-2138]
  • Added additional CUPS location to search paths
  • Only execute PAM test for systems with PAM [AUTH-9268]
  • Fixed logging of sudoers file location [AUTH-9250]
  • Improved FreeBSD support for NTP client check [TIME-3104]
  • Redirect warning "Unknown host" when DNS domain name is empty [NAME-4028]
  • Redirect warning when host name is empty
  • Fixed warning color [AUTH-9226]
  • Fixed FreeBSD COPYRIGHT file test [BANN-7113]
  • Changed text for sudoers text [AUTH-9250]
  • Improved text for DNS search domain [NAME-4016]
  • Skip nginx configuration test if nginx is not available [HTTP-6704]
  • Removed portsclean suggestion [PKGS-7348]
  • Fixed non unique IDs
  • Fixed cosmetic issue when using Debian with default dash shell
  • Improved hostname detection for HP-UX
  • Added additional php.ini file locations - Moved Linux default shell check to OS detection functions
  • Fixed CUPS daemon test [PRNT-2304]
  • Also check for uppercase chars in issue file [BANN-7126]

Post scriptum

Compliance Mandates

  • Vulnerability Scanner :

    PCI DSS 11.2, 6.6, SOX A13.3, GLBA 16CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001-27002 12.6, 15.2.2


Related Articles

Configurations checks
Local auditing
Lynis
Vulnerability Scanner